Washington nonprofits’ email systems breached by phishers in March 6th attack

The Microsoft-based email systems of several Washington-based nonprofits and at least one tribal nation were breached today in what appears to the Northwest Progressive Institute team to be a well-executed, alarming mass phishing campaign targeting institutions that serve the people of the Pacific Northwest.

Early this morning, NPI staff began receiving a series of oddly-worded emails containing suspicious-looking images with the header “You have an eFax message,” a “fax summary” table, and a button saying “Preview PDF Here.”

“You have eFax message” phishing campaign hook image (sent to NPI)

Emails contained subject lines such as “Approved Statement from [Organization Name]” and “New Statement from [Organization Name]”. They also contained what our team believes are the typical, preconfigured, normal signature blocks belonging to each of the individuals working within the breached organizations, containing names, phone numbers, and in one case, a confidentiality warning.

Because the emails were sent from the genuine accounts of legitimate organizations, they passed sender authentication (SPF, DKIM and DMARC vouch for the sending domain, not for the sender’s intent) and went straight through NPI’s robust spam filtering defenses to staff inboxes rather than being intercepted or marked as Junk.

The images in the emails were hyperlinked to Dropbox Paper URLs.

I followed the links in a sandboxed, totally brand new Windows virtual machine to see what the phishers were up to. The Dropbox Paper URLs went to what is effectively a gateway page for the bad guys. This gateway page contained several headings, which read: “Check below for the vital document shared” and “Open Full PDF Here Or Download” along with a fake disclaimer: “This document has been scanned for viruses by Norton Antivirus Security.” Here’s a screenshot:

What users who click on the “eFax” graphics see when they arrive at Dropbox Paper (NPI screenshot)

Clicking on the link opened another URL which Microsoft Edge proclaimed to be unsafe. I was glad to see that — the big red scare screen should save a lot of people from the clutches of these villains.

Since I had the luxury of being able to probe things from a sandboxed virtual machine, I bypassed the warning in the hopes of seeing more.

That yielded a web page at windows.net (meaning, hosted by a Microsoft Azure instance… how devilish!) dressed up to look like a Microsoft OneDrive modal screen, saying “Verify your identity” and “You’ve received a secure file.” (Uh huh.) The only field on the page was a single text box reading “Enter email.”

What users see if they proceed to the URL they’re directed to go to at Dropbox Paper, ironically hosted by Microsoft (NPI screenshot)

I entered a fake email address and clicked “Next.” I was then prompted for a password. It is evident that the phishers’ objective is to steal users’ credentials so that they can perpetrate more breaches. A vicious cycle, to be sure!

NPI has reported this evil Azure instance to Microsoft to get it shut down. Microsoft’s Azure Safeguards Team has opened a case and is investigating.

According to the email headers, each of the malicious messages that NPI received today was relayed through Microsoft’s hosted email infrastructure under Outlook.com hostnames, which Exchange Online uses for Microsoft 365 tenants as well as for consumer mail. That suggests that whoever is responsible for these breaches and phishing campaigns chose to target local organizations that are Microsoft 365 customers.
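
As an added illustration (not from the original post or from NPI’s own tooling), the Python below parses a constructed message in the shape described above and shows why sender authentication is no help when the sending account is real. The hostnames, addresses, IPs and link in the sample are placeholders, not values observed in the campaign, and the short list of watched link hosts is an assumption tuned to this campaign’s Dropbox Paper and windows.net pages.

```python
"""Added example (not from the original NPI post): inspect the headers and
body of a phishing message sent from a compromised, legitimate Microsoft 365
account.  The sample message is constructed; hostnames, addresses and IPs
are placeholders, not values observed in the campaign."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Hosts the campaign's lure links pointed at (a Dropbox Paper gateway page,
# then a credential page on a windows.net host).  Assumption: flag any link
# to these from an external sender.
WATCHED_HOSTS = ("paper.dropbox.com", ".windows.net")

_VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
_RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
_HREF_RE = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample: relayed through the sending tenant's Exchange Online /
# Outlook.com infrastructure, so every authentication check passes.
SAMPLE_MESSAGE = """\
Received: from relay.outbound.protection.outlook.com (192.0.2.10)
 by mx.recipient.example with ESMTPS; Wed, 6 Mar 2024 08:12:31 -0800
Received: from mailbox.tenant.prod.outlook.com (2001:db8::1)
 by hub.tenant.prod.outlook.com with HTTPS; Wed, 6 Mar 2024 16:12:29 +0000
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example header.s=selector1;
 dmarc=pass action=none header.from=sender.example
From: Jane Staffer <jane@sender.example>
To: staff@recipient.example
Subject: Approved Statement from Sender Example
Content-Type: text/html; charset=utf-8

<html><body><a href="https://paper.dropbox.com/doc/example-gateway-page">
<img alt="You have an eFax message" src="cid:efax"></a></body></html>
"""


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower() for m in _VERDICT_RE.finditer(header)}


def received_hops(msg: Message) -> list:
    """Hosts named in Received: headers, ordered from the sender outward."""
    hosts = [m.group(1) for m in map(_RECEIVED_FROM_RE.match, msg.get_all("Received", [])) if m]
    return list(reversed(hosts))


def extract_links(msg: Message) -> list:
    """Every href in text/html parts (the lure is an image wrapped in a link)."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            links.extend(_HREF_RE.findall(html))
    return links


def assess(raw: str) -> dict:
    """Summarise why this message slips past sender-based filtering."""
    msg = message_from_string(raw)
    auth, hops, links = auth_results(msg), received_hops(msg), extract_links(msg)
    findings = []
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("SPF, DKIM and DMARC all pass: the sending account is genuine, "
                        "so sender authentication cannot flag this message")
    if any(h.lower().endswith(".outlook.com") for h in hops):
        findings.append("relayed through Outlook.com / Exchange Online hosts: " + " -> ".join(hops))
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if any(host == w or host.endswith(w) for w in WATCHED_HOSTS):
            findings.append(f"lure link to watched host {host}")
    return {"auth": auth, "hops": hops, "links": links, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_MESSAGE)["findings"]:
        print("-", line)
```

The point of the script is the first finding: every domain-level check passes because the account really belongs to the sending organization, so the only signals left are content-based (an image-only body whose one link goes to a file-sharing service) and the relay path, which is why the messages landed in inboxes. Run it against a real message by reading the raw .eml text into `assess()`.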

Without knowing more about the security posture of the affected organizations and their employees, it is difficult to draw conclusions about why these simultaneous or near-simultaneous breaches occurred. We can only theorize.

One possibility is that some or all of the breached accounts that the phishers used to send emails to NPI staff today were protected by reused passwords that had been exposed in previous data breaches, allowing the malicious actors to log in on the first attempt (credential stuffing) and begin their evil phishing campaigns.

Another possibility is that some or all of the breached accounts’ credentials were stolen through a previous wave of phishing attacks perpetrated by these villains.

It is deeply concerning that multiple local organizations were breached in one day. Our team can’t recall seeing anything quite like this in our nearly twenty-year history. It’s very possible that the extent of the breaches goes beyond the organizations that we know about based on the emails that we received today.

NPI has been reaching out to the affected organizations to ensure they are aware they were breached and to offer whatever support we can.

We will also be following up with the Nonprofit Association of Washington and the Office of the Secretary of State to share information and assist Microsoft in investigating and probing these disturbing attacks further.

If you run or are involved with a nonprofit or small business or similar entity, we recommend doing the following to strengthen your security posture:

  • Have all personnel, or an IT administrator for your organization, check users’ Sent Items folders for anything suspicious. An administrator should also review each mailbox’s inbox rules and forwarding settings: attackers who take over an account routinely add rules that delete or hide replies and bounce messages so the owner does not notice the outgoing phish.
  • Deploy a trustworthy password manager across your entire organization if you have not already. Create an account for each employee or team member within that manager. NPI recommends the firms 1Password, Bitwarden, and Dashlane, in that order.
  • Require all personnel to change their Microsoft 365, Google, and other passwords to something generated by the manager, so that every account corresponding to a user is protected by a strong, unique password.
  • Require two-factor authentication on all accounts and direct personnel to set up either an authenticator app or a hardware security key as their second factor; avoid SMS! For shared accounts, like Twitter or Instagram, set up the second factor as the password manager’s one-time code generator within the entry for that set of credentials. Be aware that this keeps both factors in one vault, so it is a trade-off to accept only where a shared account cannot be tied to an individual’s authenticator app or key.
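
An added example, not NPI’s own procedure or code, of what the first step above looks like when an administrator has the tenant’s unified audit log rather than each user’s Sent Items: the Python below triages records for the inbox-rule, forwarding and sign-in patterns that follow an account takeover. The records, users, addresses, IPs and times are constructed; the record shape (a Parameters list of Name/Value pairs for cmdlet audit records, UserLoggedIn records carrying a ClientIP) follows the AuditData JSON that Search-UnifiedAuditLog returns, and the set of “known egress” addresses and the list of hiding folders are assumptions you would replace with your own.

```python
"""Added example, not NPI's code: triage Microsoft 365 unified audit log
records for the mailbox tampering that typically follows an account takeover.
Records are constructed inline; users, addresses, IPs and times are made up."""
import json
from datetime import datetime, timedelta

# Assumption: sign-ins from these addresses are the organisation's own
# offices/VPN; anything else is "unfamiliar" and worth correlating.
KNOWN_EGRESS = {"203.0.113.7"}
# Folders attackers commonly park mail in so the victim never sees replies or
# bounce messages; outright deletion is the other common choice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk email", "deleted items"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPS = RULE_OPS | {"Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample export in the shape of the AuditData JSON documents that
# Search-UnifiedAuditLog returns (cmdlet records carry a Parameters list of
# Name/Value pairs; sign-ins are UserLoggedIn records with a ClientIP).
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2024-03-06T06:41:10", "Operation": "UserLoggedIn",
     "UserId": "jane@sender.example", "ClientIP": "198.51.100.23", "ResultStatus": "Success"},
    {"CreationTime": "2024-03-06T06:44:02", "Operation": "New-InboxRule",
     "UserId": "jane@sender.example", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "eFax;statement;undeliverable"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-06T06:45:30", "Operation": "Set-Mailbox",
     "UserId": "jane@sender.example", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "jane"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-06T09:02:44", "Operation": "UserLoggedIn",
     "UserId": "bob@sender.example", "ClientIP": "203.0.113.7", "ResultStatus": "Success"},
    {"CreationTime": "2024-03-06T09:10:00", "Operation": "New-InboxRule",
     "UserId": "bob@sender.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def load_records(jsonl_text: str) -> list:
    """Parse one AuditData JSON document per line (e.g. the AuditData column
    of an exported CSV, written out one record per line)."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def params(record: dict) -> dict:
    """Flatten the Parameters list of a cmdlet audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_hides_mail(p: dict) -> bool:
    """True for a rule that deletes matching mail or files it where the owner
    will not look."""
    if p.get("DeleteMessage") == "True":
        return True
    return p.get("MoveToFolder", "").lower() in HIDING_FOLDERS


def triage(records: list, window: timedelta = timedelta(hours=2)) -> list:
    """Return (user, finding) pairs for hiding rules, forwarding, and mailbox
    changes made shortly after a sign-in from an unfamiliar IP."""
    unfamiliar_logins = {}
    for r in records:
        if (r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Success"
                and r.get("ClientIP") not in KNOWN_EGRESS):
            unfamiliar_logins.setdefault(r["UserId"], []).append(
                datetime.fromisoformat(r["CreationTime"]))

    findings = []
    for r in records:
        op, user = r["Operation"], r["UserId"]
        if op not in MAILBOX_OPS:
            continue
        p = params(r)
        when = datetime.fromisoformat(r["CreationTime"])
        if op in RULE_OPS and rule_hides_mail(p):
            findings.append((user, f"{op}: rule {p.get('Name')!r} deletes or hides matching mail"))
        forwarded = FORWARD_PARAMS & set(p)
        if forwarded:
            targets = ", ".join(f"{k}={p[k]}" for k in sorted(forwarded))
            findings.append((user, f"{op}: forwarding configured ({targets})"))
        if any(timedelta(0) <= when - t <= window for t in unfamiliar_logins.get(user, [])):
            findings.append((user, f"{op} from {r.get('ClientIP')} within {window} "
                                   f"of a sign-in from an unfamiliar IP"))
    return findings


def suspicious_users(records: list) -> list:
    """Accounts that should be treated as compromised until reviewed."""
    return sorted({user for user, _ in triage(records)})


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_AUDIT_LOG):
        print(f"{user}: {finding}")
```

In the constructed data only one account trips the rules: a rule named “.” that deletes anything mentioning eFax or statements, a forwarding address at an outside domain, and both changes made minutes after a sign-in from an address the organization does not use. The second user’s rule moves newsletters to a folder of the same name and is left alone. Treat every account the script names as compromised: reset the password, revoke sessions, remove the rules and forwarding, and only then review Sent Items.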

It’s also not a bad idea to remind people to carefully scrutinize links and images in incoming mail before opening them. A single wrong click or tap can sometimes be disastrous, and in any organization, you’re only as strong as your weakest link.

Stay safe out there and be sure to get help if you detect any malicious activity!

Andrew Villeneuve

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.
