In the fall of 2021, several security companies noted how many Microsoft Exchange systems were exposed to ProxyShell attacks (a combination of the vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
In the last week, the compromised systems have started to be used to send phishing emails to organizations that have previously had email contact with the exploited system. The phishing emails are in many cases relatively poorly designed, but there is still a high risk that they will deceive recipients, as they are sent as replies to ongoing or previous email correspondence. In many cases, the language of the fake reply is also adapted to the language used in the previous communication. The fact that the phishing emails are sent from otherwise legitimate email systems also increases the risk of them bypassing many email filters.
The examples found by Nimblr contain a short message referring to a link. The link leads to a ZIP file which in turn contains an Excel file with a malicious macro. When the file is opened, an image is presented that prompts the user to activate the macro.
When the macro is executed, several malicious files are downloaded, followed by a process that makes the malicious code difficult to both detect and remove. The malware then, step by step, takes over more and more rights on the network and, as a final step, ransomware is activated that encrypts the files on the infected network.
This type of attack relies heavily on tricking end users into performing various actions. Nimblr offers an online training platform designed to increase end-user security awareness and minimize the risk of successful attacks. The solution combines interactive IT security training with simulated attacks, practical exercises, and up-to-date content on the latest threats in a continuous training program.