Phish campaign uses the Queen’s death to gather MS account, multi-factor authentication details

September 15, 2022

If you are mourning the passing of Queen Elizabeth II, be careful about responding to online invitations related to it, as bad actors now see it as a chance to fool new victims. In a series of tweets posted on its Threat Insight Twitter page, Proofpoint revealed a credential phishing campaign in which the actors disguise themselves as Microsoft.

“Proofpoint identified a credential phish campaign using lures related to Her Majesty Queen Elizabeth II,” the tweet reads. “Messages purported to be from Microsoft and invited recipients to an ‘artificial technology hub’ in her honor.”

The actors send targets phishing emails asking them to contribute to an “interactive AI memory board” that they claim is dedicated to the Queen. However, instead of collecting letters and photos from people, the true aim of the attackers is to gather Microsoft account credentials from their targets.

The emails include a link to a malicious site that, instead of allowing submission of “memorable words,” asks recipients for their Microsoft credentials. “Messages contained links to a URL redirecting credential harvesting page targeting Microsoft email credentials including MFA collection,” detailed Proofpoint.

According to Proofpoint, the actors used the EvilProxy phish kit to carry out the campaign. “EvilProxy is a MITM phishing framework that uses a reverse proxy to customize landing pages for each recipient and collect credentials and bypass MFA protection,” Proofpoint explained. “The kit is relatively new and is available for sale on exploit forums.”

The United Kingdom’s National Cyber Security Centre is not surprised that cybercriminals are using the Queen’s death in their new schemes. Nonetheless, the organization warned everyone about it and said an investigation was already underway.
