Security researchers from Armorblox uncovered an ongoing credential phishing campaign exploiting the brand of email encryption provider Zix. The analysis claim that the campaign has targeted several organizations across different sectors, including education, financial services, energy, health care, and many state and local government agencies. Zix is a security technology company that provides global organizations with email encryption and email data loss prevention services.
What is Credential Phishing Attack?
In credential phishing attacks, threat actors distribute malicious URLs via emails impersonating popular brands. Once a victim clicks on the URL, it either downloads malware on the victim device or automatically redirects the user to a hacker-operated site that steals user credentials.
Attackers Impersonated Zix Brand
The researchers stated that attackers sent malicious emails to the targets by spoofing an encrypted message notification from Zix. The malicious links in the email directed the victims to download an HTML file onto the system. Zix stated the campaign targeted more than 75,000 mailboxes by evading security detections across Office 365, Google Workspace, Exchange, and Cisco ESA.
Attackers reportedly sent emails titled “Secure Zix message,” claiming that the victim had received a secure message from Zix. The email recommended the victim click on the Message button to view the secure message. The spam emails were sent via thefullgospelbaptist.com domain.
Attackers distributed their malicious links across a select group of employees from various departments by leveraging different attack techniques, including:
- Social engineering
- Brand impersonation
- Replicating existing workflows
- Drive-by download
- Exploiting legitimate domain
“While the spread is seemingly randomized, attackers might also have deliberately chosen their victims to be across departments and to contain a good mix of senior leadership and individual contributors. These employees are unlikely to communicate often with each other when they receive an email that looks suspicious,” the researchers said.
Security experts from Armorblox also recommended users to:
- Implement augment native email security with additional controls
- Train the workforce to identify social engineering and other phishing tactics
- Follow password management best practices across all departments in the organization
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.)