A new spoofing campaign has been discovered that targets businesses in a bid to steal their Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company that provides security awareness training for staff, the kind of training that teaches employees how to recognize a phishing attack.

The emails warn the recipient that a security awareness training module is about to expire and that they have only one day left to finish it. Three links are given in the email that, at face value, look like genuine KnowBe4 URLs; however, they take the user to a phishing page on a compromised website, where Outlook credentials and personal information are stolen using a realistic imitation of the Outlook Web App login page.

Instructions are given for completing the training from outside the corporate network: the user is told to enter their username and password before clicking the sign-in button, which, it is claimed, will take them to the training module. While the site the phishing email links to is realistic, the giveaway sign that this is a scam is the domain. Many different URLs across a range of sites have been used in this campaign, none of which is linked to the security awareness training provider. Busy employees, however, may fail to check the URL before disclosing their details.
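The domain check described above is exactly what a mail filter or a triage script can automate: pull every link out of the message, work out which domain each one actually points to, and compare it with the domain the message claims to represent. The script below is an added illustration, not code from the article, from Cofense, or from KnowBe4. It assumes the vendor's primary domain, knowbe4.com, is the only trusted domain for this brand, uses a naive "last two labels" rule for the registered domain (a production filter would use the Public Suffix List), and runs over a constructed sample lure in the style the article describes, where the visible link text looks like a vendor URL but the href points at an unrelated site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for the spoofed brand (knowbe4.com is the vendor's real
# domain; any extra entries would come from your own mail-flow knowledge).
TRUSTED_DOMAINS = {"knowbe4.com"}

# Constructed sample lure. The ".example" hosts are reserved placeholder names,
# not real compromised sites.
SAMPLE_EMAIL_HTML = """
<p>Your Security Awareness Training module expires in 1 day.</p>
<p><a href="https://training.compromised-site.example/owa/login.php">
https://training.knowbe4.com/learner/module/123</a></p>
<p>Outside the network? <a href="https://compromised-site.example/owa/">
Sign in with your Outlook credentials</a> to continue.</p>
<p>Help: <a href="https://support.knowbe4.com/">support.knowbe4.com</a></p>
"""


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two DNS labels, lower-cased.
    Adequate for .com/.net style hosts; wrong for co.uk and similar suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


# Matches a bare or scheme-prefixed hostname inside the visible anchor text.
_SHOWN_HOST = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def classify_links(html: str, trusted=TRUSTED_DOMAINS):
    """Label each link: 'trusted' (href on an allowlisted domain),
    'mismatch' (visible text impersonates the vendor, href goes elsewhere),
    or 'untrusted' (href off-brand, text makes no domain claim)."""
    findings = []
    for href, text in extract_links(html):
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown = _SHOWN_HOST.search(text)
        shown_dom = registered_domain(shown.group(1)) if shown else None
        if href_dom in trusted:
            verdict = "trusted"
        elif shown_dom in trusted:
            verdict = "mismatch"
        else:
            verdict = "untrusted"
        findings.append({"href": href, "text": text, "href_domain": href_dom,
                         "shown_domain": shown_dom, "verdict": verdict})
    return findings


def is_suspicious(html: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if any link in the message fails the domain check."""
    return any(f["verdict"] != "trusted" for f in classify_links(html, trusted))


if __name__ == "__main__":
    for finding in classify_links(SAMPLE_EMAIL_HTML):
        print(finding["verdict"], "->", finding["href"])
```

A "mismatch" verdict is the strongest signal here, because it means the sender deliberately displayed a vendor-looking URL over a link to somewhere else; an "untrusted" verdict on its own needs context, since legitimate messages routinely link to third-party hosts.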

It is a brave move to spoof a cybersecurity company dedicated to phishing prevention, and one that may trick staff into believing the email is genuine. Any company can be spoofed in a phishing campaign. The fact that a company provides services to tackle phishing does not mean an email in its name should be exempt from the usual checks to prove its validity, which is something that should be emphasized in employee security awareness training modules.

Cofense, the group that reviewed the websites, reports that the compromised sites had recently hosted a web shell that allowed the attackers to upload and edit files. The websites had been compromised since at least April 2020, unbeknownst to the site owners. The phishing kit used in this campaign has been installed on at least 30 different websites since the campaign commenced in mid-April.

Employees are sent hundreds of emails each week and spotting all phishing emails can be a complex task, especially when many phishing emails are realistic and are very similar to genuine emails that staff members are sent every day. Security awareness training is crucial, but it is also important to configure an advanced spam filtering solution that is capable of blocking virtually all (in excess of 99.9%) malicious emails.

With an advanced spam filtering solution such as SpamTitan configured, these emails can be stopped at source and will never reach end users' inboxes, negating the danger they pose.