Calendar invites used to hide phishing links
The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body.
The researchers assume the attackers believe that putting the URL inside a calendar invite will help the messages avoid automated analysis.
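A defender-side check for the technique described above, as an added example that is not from Cofense or the original article: it walks a message's MIME parts, unfolds each .ics attachment as RFC 5545 requires, and returns the URLs so they can go through the same link analysis as URLs in the message body. The sample invite, its example.invalid hosts and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample invite (not taken from the campaign). The DESCRIPTION link
# is folded across two lines and followed by an escaped comma, per RFC 5545.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Fraud Detection from Message Center\r\n"
    "DESCRIPTION:Review the alert at https://files.example.invalid/sites/a\r\n"
    " lert/review.aspx\\, then confirm.\r\n"
    "LOCATION:https://portal.example.invalid/login\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def urls_in_ics(text):
    """Return (property, url) pairs found anywhere in an iCalendar body."""
    # Unfold first: a line break followed by one space or tab continues the
    # previous line, so a folded URL is invisible to a naive line-by-line scan.
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    found = []
    for line in unfolded.splitlines():
        prop = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        # Undo TEXT escapes (\n, \, \; \\) so they do not end up inside a URL.
        line = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), line)
        found += [(prop, u.rstrip(".,;:)")) for u in URL_RE.findall(line)]
    return found

def urls_in_message(raw):
    """Scan every calendar part of a raw RFC 5322 message for URLs."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or name.endswith(".ics"):
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            hits += urls_in_ics(body)
    return hits

def build_sample():
    msg = EmailMessage()
    msg["Subject"] = "Fraud Detection from Message Center"
    msg.set_content("Please see the attached invite.")
    msg.add_attachment(SAMPLE_ICS.encode(), maintype="text",
                       subtype="calendar", filename="invite.ics")
    return msg.as_bytes()

if __name__ == "__main__":
    print(urls_in_message(build_sample()))
```

Without the unfolding and unescaping steps, the DESCRIPTION link in the sample would be extracted truncated at the fold, which is the kind of gap that lets a link in an attachment go unanalysed.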
The email carries a subject line of 'Fraud Detection from Message Center' in order to attract curious users. The sender display name is 'Walker', but the email address appears to be legitimate, possibly indicating a compromised account belonging to a school district.
Cofense has observed several compromised accounts being used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters. The invite is hosted on the legitimate Sharepoint.com site, an issue that continues to be problematic for Microsoft.
The 'fraud detection' lure used here doesn't really chime with the fact that it's being sent as a calendar invite, which should raise suspicions among recipients. But it's an indication that scammers are always on the lookout for new attack vectors in order to trick unsuspecting users.
A detailed description of the attack, along with screenshots of what it looks like, can be found on the Cofense blog.