A U.S. Supreme Court phishing campaign has been discovered that sends a fake subpoena to appear in court as a lure to obtain Office 365 details.

The emails are customized and addressed to the victim by name, and claim to be a writ issued by the Supreme Court demanding that the recipient attend a hearing. This is a targeted campaign rather than a scattergun approach: it attempts to obtain the credentials of high-value targets such as C-suite users.

The emails have a link that the recipient is asked to visit to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are asked to enter their Office 365 credentials to view the subpoena.

The domain used has not been seen before and, as such, is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also deployed multiple redirects to hide the destination URL, in a further attempt to thwart anti-phishing defenses.

Before being directed to the phishing page, the user is shown a CAPTCHA page. CAPTCHAs are used to prevent web visits by bots, but in this instance the CAPTCHA may be used to add legitimacy to the phish and make the request appear authentic. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the user's name, further adding to the genuine feel of the scam. The CAPTCHA may also be an additional attempt to make it difficult for security solutions to review the destination URL.

This phishing campaign is realistic and uses urgency to trick the user into taking action quickly rather than stopping to think about the request. There are indications that it is a scam, such as the domain name, which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling errors that would not be expected in any genuine Supreme Court request.

However, the sender name in the email was spoofed to make it look as though it was sent by the “Supreme Court”, so the request is certain to trick some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into sharing their login credentials.
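The three indicators described above (a trusted display name on an unrelated sending domain, a lure link whose visible URL differs from where it actually points, and legal-urgency wording) can be triaged mechanically. The following is an added example written for this article, not TitanHQ's or SpamTitan's code; the message, domains and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the campaign described above.
# All domains and addresses are placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: "Supreme Court" <notices@court-notices-example.test>
To: jane.doe@example.com
Subject: Subpoena: Jane Doe required to attend hearing
Content-Type: text/html

<html><body><p>Jane Doe, you are required to appear. View the writ here:
<a href="https://redirector-example.test/r?u=login">https://www.supremecourt.gov/subpoena</a>
</p></body></html>
"""

# Display names worth protecting, mapped to the domain that may legitimately use them.
IMPERSONATED = {"supreme court": "supremecourt.gov"}
# Legal-urgency wording used by this lure; on its own it is not proof of phishing.
URGENCY_TERMS = ("subpoena", "writ", "hearing", "required to appear")

def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # 1. Display-name spoofing: a trusted name on a From address in an unrelated domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in IMPERSONATED.items():
        if brand in name.lower() and from_domain != legit and not from_domain.endswith("." + legit):
            findings.append(f"display-name impersonation: '{name}' sent from {from_domain}")

    # 2. Link mismatch: the visible URL names one host, the href goes to another
    #    (here a redirector, so the final phishing host is not visible without following it).
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = text.strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != href_host:
            findings.append(f"link shows {shown_host} but points to {href_host}")
    # 3. Urgency lure: only reported when combined with a structural indicator above.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits and findings:
        findings.append("legal-urgency lure terms: " + ", ".join(hits))
    return findings
```

A genuine notice from the legitimate domain with a link whose text and target agree produces no findings, so the urgency terms alone never raise an alert.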

Exchange Online Protection (EOP), which is supplied by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.

To enhance protection against new phishing campaigns, an anti-spam solution is required that uses predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan leverages these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation campaigns.

SpamTitan can be placed on top of Microsoft’s Exchange Online Protection to serve as an extra layer in your email security defenses, ensuring that more malicious emails are blocked and never land in end users’ inboxes.

For additional information on SpamTitan and how the solution can keep your group’s inboxes free from phishing threats, give the TitanHQ team a call as soon as you can.