Microsoft Email Security Eluded by Instagram Credential Phishing Attacks
Threat Actors Impersonating Instagram Tried Hacking 22,000 Students.
Malicious actors ran a brand impersonation phishing campaign against 22,000 students and managed to bypass the Microsoft email security system. The hackers were aiming to obtain the victims' Instagram credentials in order to gain full access to their accounts.
Unsettlingly, the message was not recognized as a potential threat by the native email security controls that Microsoft provides.
The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks.
Almost Perfect Spoofing of Instagram Did the Trick
The Instagram message the cybercriminals prepared is a textbook example of email spoofing. It had the right logo, the text appeared to be written in the right font, and it was a real challenge for both humans and machines to realize that something was… phishing.
The message urged the victim to act quickly to avoid a supposedly unpleasant situation. It looked just like a normal email from Instagram support, but once the user clicked a certain link inside the message, a fake landing page that also appeared to belong to the social media platform was opened.
The next step the threat actors hoped the user would take was to hit the "This wasn't me" button. From there, the victim would have been directed to another fake landing page that requested personal data to be filled in.
Effective Security Measures That Protect You from Brand Impersonation Scams
An important thing that may keep you safe from this kind of social engineering campaign is checking whether the message really came from the domain you thought it came from. But to be sure you're not going to be the next victim of a phishing attack, take the advice of Sami Elhini, a biometrics specialist, who says that
an email from instagramsupport.net should be viewed as suspicious as Instagram’s domain is instagram.com. Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take.
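The domain check described above, as an added example that is not from the article: it flags a sender whose domain merely contains the brand name (instagramsupport.net versus instagram.com) and, separately, reads the SPF/DMARC verdicts, showing that "pass" on both says nothing about whether the domain belongs to the brand. The brand-to-domain table and the sample message are constructed for this example.

```python
# Added example (not from the article): flag brand-lookalike sender domains
# even when SPF/DMARC report "pass" for the attacker's own domain.
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate sending domains per brand (assumption for this example; the
# article only names instagram.com).
BRAND_DOMAINS = {"instagram": {"instagram.com"}}

def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def registrable_domain(domain: str) -> str:
    """Collapse subdomains: mail.instagram.com -> instagram.com (naive: last two labels)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def auth_results(raw: str) -> dict:
    """Extract spf/dmarc verdicts from Authentication-Results header(s)."""
    msg = message_from_string(raw)
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def classify(raw: str) -> str:
    """Classify a raw message as 'legitimate', 'brand-lookalike' or 'unrelated'."""
    msg = message_from_string(raw)
    dom = registrable_domain(sender_domain(msg.get("From", "")))
    for brand, legit in BRAND_DOMAINS.items():
        if dom in legit:
            return "legitimate"
        if brand in dom:  # brand name embedded in a domain the brand does not own
            return "brand-lookalike"
    return "unrelated"

# Constructed sample resembling the article's scenario: authentication passes
# for the attacker's own domain, yet the domain is not Instagram's.
SAMPLE = """From: Instagram Support <help@instagramsupport.net>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=instagramsupport.net; dmarc=pass header.from=instagramsupport.net
Subject: Unusual login attempt

Please confirm this wasn't you.
"""

if __name__ == "__main__":
    print(classify(SAMPLE), auth_results(SAMPLE))  # brand-lookalike {'spf': 'pass', 'dmarc': 'pass'}
```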
In an increasingly digitalized world, as threat actors become more and more creative in developing new tools to steal data, cybersecurity education is vital for understanding and being able to recognize a risk factor.