Document Delivery Lure Used in Large Scale Spear Phishing Campaign Targeting Enterprise Employees

Last week, researchers at Abnormal Security identified a coordinated phishing attack targeting enterprise employees that attempts to steal their Microsoft Office 365 credentials. The emails are being sent from legitimate, but compromised Office 365 accounts using document delivery notifications as the lure to get users to disclose their credentials.

Several enterprise organizations were targeted in the attack using hundreds of compromised email accounts. The emails include phishing URLs that had never been seen before, which helps to ensure they are not detected as malicious by secure email gateways.

The emails claim the recipient has received a document and impersonates the internet fax service eFax, informing the recipient they have a new faxed document. A sample image of the document is included in the email and the recipient is instructed to click a button in the email with the text “View Documents.”

The email includes the eFax logo, the format of the email matches the genuine communications from the company, and the email includes a phone number and eFax email address and recommends the recipient should switch to an annual eFax plan to save money. Clicking the link will direct the user to a phishing URL where they are required to enter their login credentials to view the document. The phishing pages are hosted on a range of different publishing sites, with Joom, Quip, and Weebly all commonly used.

Many secure email gateways will deliver the messages to inboxes because genuine email accounts are used that have previously sent legitimate emails to company employees. The researchers note that the attackers appear to be running a script that changes the attack when a phishing email is detected and blocked. The sender is changed, and a new phishing link is used when one of the phishing emails is correctly identified as malicious.

The familiar looking template used in the emails may be sufficient to fool many employees. The tell-tale sign that the emails are not genuine is the email addresses used to send the emails, which are not accounts on eFax-owned domains.

To block these phishing attacks, an email security solution is required that is not reliant on blocklists of known spammers and phishing URLs. Email security solutions need to analyze the message content for suspicious behavior and links and language commonly associated with phishing attempts.

The emails are being detected as malicious by Abnormal Security’s system. While this prevents users from falling for the scam, several recipients have forwarded the emails to their personal email accounts to allow them to open the messages.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of