This week, we uncovered a phishing attack that uses a link to a document as its lure. We saw it across multiple organizations.

It works like this:

The subject of the email reads: ETTelecom sent you a document to review and sign

The body links to a document for review and signature. When you click on "Review Documents," it takes you to a login page that actually steals your credentials.

Here's what it looks like:


You'll then be directed to this spoofed login page:


Interestingly, though, when you change the domain, it pulls a bit-for-bit mirror of an organization's login page. As long as the organization uses Microsoft 365, it works. See below:


This attack has all the hallmarks of being done by SPAM-EGY, an advanced persistent threat group we've covered in detail before.
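
A triage check for this lure, as an added example that is not part of the original post: it flags a message whose subject matches the reported pattern and whose "Review Documents" link leads to a host outside an allowlist. The allowlist entries, the sample message and its link host are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts your users legitimately get sign-in or e-signature links from.
ALLOWED_HOSTS = {"login.microsoftonline.com", "esign.example.com"}
# Subject shape from the post: "<sender> sent you a document to review and sign"
SUBJECT_RE = re.compile(r"\bsent you a document to review and sign\b", re.I)
BUTTON_RE = re.compile(r"review\s+documents?", re.I)
# Constructed sample message; the link host is a placeholder, not a real indicator.
SAMPLE = (
    "Subject: ETTelecom sent you a document to review and sign\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Hello</p><a href="https://docs.phish.example/s?id=1"><b>Review</b> Documents</a>'
)

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_allowed(host):  # exact host or a true subdomain only
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the lure ([] if none)."""
    msg = message_from_string(raw_message)
    reasons = ["subject"] if SUBJECT_RE.search(msg.get("Subject", "")) else []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkCollector()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for text, href in parser.links:
                host = (urlsplit(href).hostname or "").lower()
                if BUTTON_RE.search(text) and not host_allowed(host):
                    reasons.append("link:" + host)
    return reasons
print(triage(SAMPLE))  # ['subject', 'link:docs.phish.example']
```

Because the spoofed page is a mirror of the real Microsoft 365 login, the check keys on where the link goes rather than on how the page looks.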
