Researchers last week spotted a phishing campaign that they say was designed to exploit users’ trust in Zix’s online email authentication solution, in hopes that potential victims would be lulled into a false sense of security.

The attack reached 5,000 to 10,000 mailboxes, targeting Office365 users with the goal of stealing their credentials, according to a new blog post today from Abnormal Security. However, Zix Corp contends that only a subset of these emails reached Zix customers. Abnormal Security became aware of the scam when one of its own customers received a scam email appeared to come from one of its vendors, the real estate services provider Authentic Title, LLC.

As it so happened, the perpetrators had compromised an Authentic Title employee’s legitimate email account, and used it to send lures designed to make users falsely believe they received a closing settlement counteroffer.

“The targeted company works with thousands of third-party vendors and supplychain partners. And these vendors and partners often cannot tell when their own employees are compromised and used to send phishing or invoice fraud attacks,” said Roman Tobe, cybersecurity strategist at Abnormal Security, in an interview with SC Media.

But what made this particular phishing campaign particularly stand out was the abuse of a Zix email authentication link to lend an air of credibility to the email.

“As promised by the header and footer of the message, this link does take the message recipient to an official Zix authentication site (zixcentral.com) that checks the link for safety.” However, the attackers were clever to make sure that the email recipients who clicked the link would land on a benign Microsoft OneNote page with no malicious code on it.

However this OneNote page contained yet another link, and that one did, in fact, lead to a phishing page where users would be prompted to enter in their login credentials. This methodology is designed to trick both Zix and traditional security email gateway (SEG) defenses, which “look for known bad or indicators of compromise, like bad reputation, suspicious links or malicious attachments. But since these types of socially engineered attacks do not make use of these tactics, it evades traditional defenses,” Tobe explained.

“Many attacks use a similar strategy as this attack and hide behind multiple layers of redirect links in order to confuse security systems,” the blog post states. Indeed, SC Media recently reported that attackers behind a BazarBackdoor phishing campaign used similar roundabout ways of getting people to infect themselves, without including links or malicious attachments directly within the main emails themselves. 

But “this attack took that strategy one step further by using a Zix link in order to take advantage of the trust placed in Zix and other secure messaging systems,” the report continues.

In response to the report, Zix issued a statement: “This phishing campaign did not originate from Zix or its link protection service. Our security team immediately began an investigation based upon the information presented.  Based upon our analysis, the phishing campaign originated from a compromised Microsoft 365 account belonging to Authentic Title, LLC, who is not a Zix customer. This means the compromised account was manipulated to send several thousand emails targeting various domains. Only a small subset of the phishing messages were sent to Zix customers from the compromised account.”   

Fortunately, companies that use more advanced email security defenses on top of their SEGs can improve their odds of spotting these con games by analyzing and detecting anomalous or suspicious nuances within the emails. For instance, Abnormal Security noted how its technology “detected suspicious behavior in the way the recipient was included with a BCC and in the way the language in the message of the body was reminiscent of other credential phishing attacks.”

The post Zix tricks: Phishing campaign creates false illusion that emails are safe appeared first on SC Media.