NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate provides the Northwest Progressive Institute's uplifting perspective on world, national, and local politics.

Monday, March 6th, 2023

Washington nonprofits’ email systems breached by phishers in March 6th attack

The Microsoft-based email systems of several Washington-based nonprofits and at least one tribal nation were breached today in what appears to the Northwest Progressive Institute team to be a well-executed, alarming mass phishing campaign targeting institutions that serve the people of the Pacific Northwest.

Early this morning, NPI staff began receiving a series of oddly-worded emails containing suspicious-looking images with the header “You have an eFax message,” a “fax summary” table, and a button saying “Preview PDF Here.”


“You have eFax message” phishing campaign hook image (sent to NPI)

Emails contained subject lines such as “Approved Statement from [Organization Name]” and “New Statement from [Organization Name]”. They also contained what our team believes are the typical, preconfigured, normal signature blocks belonging to each of the individuals working within the breached organizations, containing names, phone numbers, and in one case, a confidentiality warning.

Because the emails were sent using the accounts of legitimate users in legitimate organizations, sender authentication checks such as SPF, DKIM and DMARC all pass: the mail really does come from each organization’s own Microsoft 365 mail system. They therefore passed through NPI’s robust spam filtering defenses and were delivered to NPI staff inboxes rather than being intercepted or marked as Junk.

The images in the emails were hyper­linked to Drop­box Paper URLs.

I followed the links in a sandboxed, totally brand new Windows virtual machine to see what the phishers were up to. The Dropbox Paper URLs went to what is effectively a gateway page for the bad guys. This gateway page contained several headings, which read: “Check below for the vital document shared” and “Open Full PDF Here Or Download” along with a fake disclaimer: “This document has been scanned for viruses by Norton Antivirus Security.” Here’s a screenshot:


What users who click on the “eFax” graphics see when they arrive at Dropbox Paper (NPI screenshot)

Clicking on the link opened another URL which Microsoft Edge proclaimed to be unsafe. I was glad to see that — the big red scare screen should save a lot of people from the clutches of these villains.

Since I had the luxury of being able to probe things from a sandboxed virtual machine, I bypassed the warning in the hopes of seeing more.

That yielded a web page at windows.net (meaning, hosted by a Microsoft Azure instance… how devilish!) dressed up to look like a Microsoft OneDrive modal screen, saying “Verify your identity” and “You’ve received a secure file.” (Uh huh.) The only field on the page was a single text box reading “Enter email.”


What users see if they proceed to the URL they’re directed to go to at Dropbox Paper, ironically hosted by Microsoft (NPI screenshot)

I entered a fake email address and clicked “Next.” I was then prompted for a password. It is evident that the phishers’ objective is to steal users’ credentials so that they can perpetrate more breaches. A vicious cycle, to be sure!

NPI has reported this evil Azure instance to Microsoft to get it shut down. Microsoft’s Azure Safeguards Team has opened a case and is investigating.

According to the email headers, each of the malicious messages that NPI received today was relayed through Microsoft’s hosted email service, Outlook.com, which is what you would expect if the compromised sending accounts live in Microsoft 365 tenants. That suggests whoever is responsible for these breaches and phishing campaigns chose to target local organizations that are Microsoft 365 customers.
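The three observations above (the messages authenticate cleanly because they come from real accounts, the headers show a Microsoft relay, and the lure is an image wrapped around a Dropbox Paper link) can be turned into a small triage check. The following is an added Python example, not NPI’s code or Microsoft’s; the sample message is constructed to match the description in this post, and its hostnames, addresses, IP and Dropbox Paper path are placeholders, not indicators from the real campaign.

```python
"""Triage a message like the ones described above: did sender authentication
pass, was it relayed through Microsoft's hosted mail service, and does the body
carry an image-wrapped link to a document-sharing host?

Added example, not NPI's code. SAMPLE_EML is constructed; its hostnames,
addresses, IP and URL path are placeholders.
"""
import email
import json
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample. Microsoft 365 tenants relay outbound mail through
# *.outbound.protection.outlook.com; everything else here is invented.
SAMPLE_EML = b"""\
Received: from NAM11-example.outbound.protection.outlook.com (198.51.100.25)
        by mx.recipient.example with ESMTPS id abc123
        for <staff@recipient.example>; Mon, 06 Mar 2023 08:14:02 -0800
Authentication-Results: mx.recipient.example;
        spf=pass smtp.mailfrom=nonprofit.example;
        dkim=pass header.d=nonprofit.example;
        dmarc=pass header.from=nonprofit.example
From: "Jane Doe" <jdoe@nonprofit.example>
To: staff@recipient.example
Subject: Approved Statement from Example Nonprofit
Date: Mon, 06 Mar 2023 08:13:55 -0800
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have an eFax message</p>
<a href="https://paper.dropbox.com/doc/placeholder-doc-id"><img
 src="cid:fax-summary" alt="Preview PDF Here"></a>
<p>--<br>Jane Doe, Program Director<br>(555) 555-0100<br>
CONFIDENTIALITY NOTICE: intended only for the addressee.</p>
</body></html>
"""

# Indicators drawn from this campaign, not a general-purpose blocklist.
SHARE_HOSTS = {"paper.dropbox.com", "www.dropbox.com", "dropbox.com"}
LURE_TEXT = re.compile(r"efax|preview pdf|secure file|verify your identity", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RECEIVED_FROM = re.compile(r"\bfrom\s+([\w.-]+)", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> dict:
    """{'spf': 'pass', 'dkim': 'pass', ...} parsed from Authentication-Results (RFC 8601)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, outcome in AUTH_RESULT.findall(str(header)):
            results[mech.lower()] = outcome.lower()
    return results


def received_hosts(msg: EmailMessage) -> list:
    """The host named after 'from' in each Received header, newest hop first."""
    hosts = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(str(header))
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def html_body(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("html",))
    return body.get_content() if body is not None else ""


def extract_links(msg: EmailMessage) -> list:
    """Every <a href> in the HTML part, with the reasons (if any) it looks like a lure."""
    links = []
    for url, inner in ANCHOR.findall(html_body(msg)):
        host = (urlparse(url).hostname or "").lower()
        wraps_image = "<img" in inner.lower()
        reasons = []
        if host in SHARE_HOSTS:
            reasons.append("destination is a document-sharing host (the gateway page in this campaign)")
        if host.endswith(".windows.net"):
            reasons.append("destination is Azure-hosted content (the credential page in this campaign)")
        if wraps_image:
            reasons.append("link is hidden behind an image instead of visible text")
        links.append({"url": url, "host": host, "wraps_image": wraps_image, "reasons": reasons})
    return links


def triage(raw: bytes) -> dict:
    """Combine the checks. A compromised-account phish passes authentication,
    so the verdict has to rest on the content checks, not on SPF/DKIM/DMARC."""
    msg = parse_message(raw)
    auth = auth_results(msg)
    flagged = [link for link in extract_links(msg) if link["reasons"]]
    lure = LURE_TEXT.search(str(msg["Subject"] or "") + " " + html_body(msg)) is not None
    return {
        "authentication_passed": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "via_outlook_com": any(h.endswith(".outlook.com") for h in received_hosts(msg)),
        "lure_text": lure,
        "flagged_links": flagged,
        "verdict": "suspicious" if (flagged or lure) else "no findings",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run against the sample, the output shows all three authentication results as pass and the relay as outlook.com, and still returns a verdict of suspicious: that combination (clean authentication plus a lure pointing at a file-sharing host) is the signature of mail sent from a compromised account, and it is why a filter that leans on sender authentication alone lets these through. The host and phrase lists are deliberately narrow; a mail gateway would swap them for its own threat intelligence.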

Without knowing more about the security posture of the affected organizations and their employees, it is difficult to draw conclusions about why these simultaneous or near simultaneous breaches occurred. We can only theorize.

One possibility is that some or all of the breached accounts that the phishers used to send emails to NPI staff today were protected by reused passwords that had been exposed in previous data breaches, allowing the malicious actors to log in on the first attempt (an attack known as credential stuffing) and begin their evil phishing campaigns.

Another possibility is that some or all of the breached accounts’ credentials were stolen through a previous wave of phishing attacks perpetrated by these villains.

It is deeply concerning that multiple local organizations were breached in one day. Our team can’t recall seeing anything quite like this in our nearly twenty year history. It’s very possible that the extent of the breaches goes beyond the organizations that we know about based on the emails that we received today.

NPI has been reaching out to the affected organizations to ensure they are aware they were breached and to offer whatever support we can.

We will also be following up with the Nonprofit Association of Washington and the Office of the Secretary of State to share information and assist Microsoft in investigating and probing these disturbing attacks further.

If you run or are involved with a nonprofit or small business or similar entity, we recommend doing the following to strengthen your security posture:

  • Have all personnel, or an IT administrator for your organization, check users’ Sent Items folders for messages they did not send. An administrator should also review each mailbox’s inbox rules and forwarding settings, because attackers who take over a mailbox commonly add rules that delete or hide replies and bounce notices so the victim does not notice the outgoing phish.
  • Deploy a trustworthy password manager across your entire organization if you have not already. Create an account for each employee or team member within that manager. NPI recommends 1Password, Bitwarden, and Dashlane, in that order.
  • Require all personnel to change their Microsoft 365, Google, and other passwords to something generated by the manager, so that every account is protected by a strong, unique password that cannot be unlocked with credentials leaked in some unrelated breach.
  • Require two-factor authentication to be enabled on all accounts and direct personnel to set up either an authenticator app or a hardware security key as their second factor — avoid SMS! Bear in mind that a phishing page like the one described above can be built to relay a one-time code to the real login page as the victim types it, so a hardware security key (FIDO2/WebAuthn) is the only option that fully resists this kind of attack. For shared accounts, like Twitter or Instagram, set up the second factor as the password manager’s one-time code generator within the entry for that set of credentials.

It’s also not a bad idea to remind people to carefully scrutinize links and images in incoming mail before opening them. In this campaign the tells were an image that linked to a Dropbox Paper page rather than to the sender’s own systems, and a “secure file” that demanded a Microsoft email address and password before it could be viewed; being asked to log in again just to read something you were sent is itself the warning sign. A single wrong click or tap can sometimes be disastrous, and in any organization, you’re only as strong as your weakest link.

Stay safe out there and be sure to get help if you detect any malicious activity!
