- Attackers abused Mimecast’s URL rewriting feature to mask malicious links in phishing emails.
- More than 40,000 emails reached more than 6,000 organizations, especially in consulting and technology.
- The campaign bypassed filters globally, with the majority of victims in the US, although Mimecast says there is no flaw.
Cybercriminals are abusing a legitimate Mimecast feature to send convincing phishing emails to their victims on a large scale.
This is according to cybersecurity researchers at Check Point, who claim to have seen more than 40,000 such emails sent to more than 6,000 organizations around the world in a span of just two weeks.
First, criminals would create messages that closely resemble email notifications from well-known brands (SharePoint, DocuSign, or other e-signature notices), paying attention to details such as logos, subject lines, and display names. Nothing in the messages stands out from routine notification emails.
Targeting consulting, technology and real estate
At the same time, they would create phishing landing pages that would capture credentials or deliver malware. These URLs are hidden behind one or more legitimate tracking and retargeting services, in this case, Mimecast.
Because this service rewrites links to route them through a trusted domain, attackers pass their malicious links through it so that the final email shows a Mimecast domain instead of the actual destination.
As a result, phishing emails successfully bypass email security solutions and filters and land directly in the inboxes of their victims.
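To illustrate why judging a link by the domain it displays fails against this tactic, the following added example (not from Check Point, Mimecast or the original article) compares a first-hop check with one that evaluates every hop of the redirect chain. All hostnames, the redirect table and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data: every host below is a placeholder, not a real service.
TRUSTED_REWRITERS = {"links.rewriter.example"}
KNOWN_GOOD = {"intranet.corp.example"}
KNOWN_BAD = {"docs-signin.attacker.example"}
# Stands in for the HTTP 3xx responses a link-following scanner would record.
REDIRECTS = {
    "https://links.rewriter.example/s/abc": "https://track.adservice.example/c?id=7",
    "https://track.adservice.example/c?id=7": "https://docs-signin.attacker.example/login",
    "https://links.rewriter.example/s/ok": "https://intranet.corp.example/doc",
    "https://links.rewriter.example/s/loop": "https://track.adservice.example/l",
    "https://track.adservice.example/l": "https://links.rewriter.example/s/loop",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def resolve_chain(url, redirects, max_hops=5):
    """Follow recorded redirects; return (chain, complete)."""
    chain = [url]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            return chain, False  # loop or too many hops: destination unknown
        chain.append(nxt)
    return chain, True

def first_hop_verdict(url):
    """The weak check: trust whatever domain the email displays."""
    h = host(url)
    if h in KNOWN_BAD:
        return "block"
    return "allow" if h in TRUSTED_REWRITERS else "inspect"

def destination_verdict(url, redirects=REDIRECTS):
    """Judge every hop; a trusted rewriter lends no trust to where it points."""
    chain, complete = resolve_chain(url, redirects)
    if any(host(u) in KNOWN_BAD for u in chain):
        return "block"
    if complete and host(chain[-1]) in KNOWN_GOOD:
        return "allow"
    return "inspect"  # unresolved chain or unknown landing page
```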
Check Point states that this campaign affected numerous sectors, but some, where the exchange of contracts and invoices is a daily occurrence, were especially affected. These include consulting, technology and real estate. Other notable mentions include healthcare, finance, manufacturing and government.
The majority of victims are in the United States (34,000), followed by Europe (4,500) and Canada (750).
Mimecast emphasized that this is not a vulnerability, but rather a legitimate feature that is being abused.
“The attack campaign described by Check Point leveraged legitimate URL redirection services to obfuscate malicious links, not a Mimecast vulnerability. Attackers abused trusted infrastructure, including Mimecast’s URL rewriting service, to mask the true destination of phishing URLs. This is a common tactic where criminals leverage any recognized domain to evade detection.”
Via Cybernews