Today’s ATP Miss of the Week is yet another credential-harvesting attack that got past Microsoft’s security. We have seen this exact attack more than 900 times across 20 different clients, all of whom use ATP.
It works like this:
The subject line reads: HP Scanned 'RNP1C184F107W63'
The attack disguises its “From” address to look like a standard fax machine, but the email actually comes from a domain registered in Latvia.
The “Read Fax” button is a link to a domain registered in China, which eventually redirects the victim to a malicious website that imitates a Microsoft login portal.
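As an added, defender-side example (not code from the original post), the following Python flags the pattern described above: a message posing as a scanner or fax notification that arrives from an external domain and whose "Read Fax" link points to a third-party host. The internal domain list, the two sample messages and the .example domain names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation's own scanners and fax gateways send from.
INTERNAL_DOMAINS = {"example.com"}
# Wording typical of device notifications: the "HP Scanned '...'" subject and the fax pose.
DEVICE_WORDS = re.compile(r"\b(scanned|scan|fax|printer)\b", re.IGNORECASE)
HREF = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def check_device_lure(raw_message):
    """Return reasons the message looks like a device-notification phish ([] = clean)."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if not DEVICE_WORDS.search(msg.get("Subject", "") + " " + name):
        return []  # not posing as a scanner or fax; out of scope for this check
    reasons = []
    if not is_internal(sender_domain):
        reasons.append(f"device notification sent from external domain {sender_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hosts = {h.lower() for h in (urlparse(u).hostname for u in HREF.findall(body)) if h}
    for host in sorted(hosts):
        # A genuine device links back into the organisation; the lure's button sends
        # the reader to a third party unrelated even to the sending domain.
        if not is_internal(host) and host != sender_domain:
            reasons.append(f"body link points to third-party host {host}")
    return reasons

# Constructed sample shaped like the lure in the post; reserved .example names
# stand in for the Latvian sender domain and the Chinese link domain.
LURE = """\
From: "HP Fax" <noreply@fax-sender.example>
Subject: HP Scanned 'RNP1C184F107W63'
Content-Type: text/html; charset="utf-8"

<p>You have received a new fax.</p><a href="http://fax-link.example/view?id=1">Read Fax</a>
"""
# Constructed benign notification from a real internal device.
INTERNAL = """\
From: "Lobby Scanner" <scanner@example.com>
Subject: Scanned document
Content-Type: text/html; charset="utf-8"

<a href="https://files.example.com/scan/42.pdf">Open scan</a>
"""

if __name__ == "__main__":
    print(check_device_lure(LURE), check_device_lure(INTERNAL))  # two reasons, then []
```

The benign sample shows why the internal check must accept subdomains of the organisation's domain, otherwise every real scanner notification linking to an internal file server would be flagged.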