Perception Point has once again discovered a new phishing trend. Perception Point intercepted this new Slack attack campaign through our Phishing detection mechanism accompanied by advanced email traffic analysis.
In this update, we will show how attackers are leveraging Slack’s referral URL in order to lead victims to phishing pages, thus evading legacy solutions.
We will keep sharing information on new trends for you to be better prepared for the next attacks. In case youโve already been the victim of such attack or want to make sure it wonโt happen to you, we encourage you to reach out to see how we can help.
IOCS.
- Subject: Incoming Email Prevented
- Sender: โMessages Centerโ [email protected]
- Source IP: 202.191.119.79
- Phishing URL:
โข https[:]//slack-redir[.]net/link?url=https%3A%2F%2Fstoragemanage.blob.core.windows[.]net%2Fstoragemanage%2FAp3dX.html%23
โข https[:]//securityjobs[.]today/wp-content/hjhdf/indexa.php?P=_93894574342hdfjsixaoweue5_j1489738549283781331983743fncn_Product-UserID&u_1
Explanation.
In this attempt, one can see that the attacker has masked himself to look like โOffice 365 Message Centerโ and is attempting to entice the end-user to click on a link that will allow them to recover โblocked emailsโ. However, there is no real โblocked emailsโ and once the user clicks on the link, a malicious phishing site will come up in order to steal credentials.
As is evident in the below screenshot, the attacker is using a โSlack referrer URLโ to delivery their phishing site. By โhitchhikingโ Slackโs legitimate URL domain, it allows the attacker to bypass multiple security layers, masking itself as a legitimate site.
So, what is a referrer URL?
The referrer URL appears in the first part of the URL, and it identifies the address of the webpage (i.e. the URL) which is linked to the resource being requested. In other words, it refers to the address of the previous web page that leads to the current requested page.
Once the victim clicks on the link and passes the referrer, the page will successfully redirect to the final page which is a well-designed phishing site (see below image), attempting to look like a Microsoft 365 log-in page and steal credentials.
