A large phishing campaign has captured 400,000 Office 365 credentials by using compromised commercial email marketing services to avoid spam filters. The Compact Phishing operation has been using compromised accounts with services including SendGrid, MailGun and Amazon SES.
Commercial email marketeers work hard to ensure their email systems have a high reputation, so their emails are not marked as spam. As a result, they make an attractive target for phishing gangs who then use those systems and their stored email lists to send malicious emails.
Since December 2020, it is thought that the Compact Phishing campaign has harvested 400,000 Office 365 credentials by sending spoofed Zoom meeting invitations via the compromised commercial email marketing services. The credential harvesting website used by the criminals is sophisticated enough to capture the geo-location of the victims IP address so the criminals can imitate the same region (using a VPN endpoint) when attempting to access the victim’s email account later.
Microsoft Security Intelligence warns that:
Phishers continue to find success in using compromised accounts on email marketing services to send malicious emails from legitimate IP ranges and domains. They take advantage of configuration settings that ensure delivery of emails even when the email solution detects phishing
Accounts with email marketing services can be secured with 2-factor authentication to help prevent their compromise.
With these kinds of phishing emails more likely to slip past spam filters, it is important that staff are reminded through Security Awareness training how to spot suspicious emails and avoid falling victim to phishing attacks.