This week, we uncovered an attack that uses a document-review link as its lure. We saw it across multiple organizations.
It works like this:
The subject of the email reads: "ETTelecom sent you a document to review and sign"
The body links to a document for review and signature. When you click on "Review Documents," it takes you to a login page that actually steals your credentials.
Here's what it looks like:
You'll then be directed to this spoofed login page:
Interestingly, though, when you change the domain, it pulls a bit-for-bit mirror of an organization's login page. As long as the organization uses Microsoft 365, it works. See below:
This attack has all the hallmarks of being done by SPAM-EGY, an advanced persistent threat group we've covered in detail before.
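A defender-side check built from the two indicators described above (the subject wording and the "Review Documents" button), added here as an example and not code from the original post: it flags messages whose button link points outside an allowlist of e-signature hosts. The allowlist, the `.invalid` host and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the post: the subject wording and the button text.
SUBJECT_RE = re.compile(r"sent you a document to review and sign", re.I)
BUTTON_TEXT = "review documents"
# Assumption: hosts your organization really uses for e-signature mail.
ALLOWED_HOSTS = {"esign.example.com"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_allowed(host):
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def suspicious_links(raw_message):
    """Return hrefs behind a 'Review Documents' button that leave the allowlist."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None or not SUBJECT_RE.search(msg["Subject"] or ""):
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    return [href for text, href in parser.links
            if text.lower() == BUTTON_TEXT
            and not host_allowed((urlsplit(href).hostname or "").lower())]

# Constructed sample message (not a captured email).
SAMPLE = """\
Subject: ETTelecom sent you a document to review and sign
Content-Type: text/html; charset="utf-8"

<a href="https://login.portal.invalid/doc?id=1"><b>Review Documents</b></a>
"""
```

Because the landing page mirrors the real login page, the link's host is the signal this check relies on, not the page's appearance.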