Whenever there is a major news story that is attracting considerable public interest, phishers are quick to respond, so it is no surprise that they have responded to the death of Queen Elizabeth II. A campaign has recently been identified that masquerades as a notification from Microsoft about an initiative to commemorate her reign.
If you live in the United Kingdom, you will almost certainly have received notifications in your inbox from various companies, organizations, and charities related to the passing of the Queen, so a notification from Microsoft does not appear out of the ordinary. According to researchers at Proofpoint, a phishing campaign is being conducted that has the subject line, “In Memory of Her Majesty Queen Elizabeth II”, with the email claiming Microsoft is creating “an interactive AI memory board” to celebrate the life of the UK’s longest reigning monarch. As with all phishing campaigns, there is a request for the recipient to take an action. The email claims that in order for the interactive AI memory board to work, Microsoft needs the assistance of its customers.
The email claims that within the board, a neural network will accumulate, analyze, and organize millions of memorable words and thousands of letters and photos that have been collected from all over the globe. “It gets memos from famous people, people close to the Queen, and people who just want to say some words of sorrow”.
The email includes a button with the text, “Her Majesty’s memory” that users are requested to click, and there is also a link “to opt out or update where you get Security announcements.” If the links are clicked, the user is directed to a web page that spoofs Microsoft and asks the user to log in to their Microsoft account. While this is par for the course for phishing campaigns, this campaign has a twist that allows the threat actors to also bypass Microsoft’s two-factor authentication, if it has been enabled. The phishing page uses the EvilProxy phishing kit for a man-in-the-middle attack.
The EvilProxy phishing kit uses a reverse proxy to customize landing pages for each recipient and when credentials are entered into the site they are relayed in real-time to the legitimate login for Microsoft. When Microsoft requests the MFA code, the phishing kit proxies the MFA screen to the user. When the additional authentication is entered by the user, it is relayed to the genuine website and the session cookie that is returned is used by the attacker to access the user’s account. The user is then directed to another page and will be unaware that their account has been compromised. The attacker can then change the credentials for the account to lock the user out, or set up a new authentication method for persistent access when the session cookie expires or is revoked.
This campaign will be one of many that use the death of the Queen as a lure to trick people into disclosing their credentials or installing malware. Users should be particularly attentive to emails and other communications related to Queen Elizabeth II or King Charles III.