Phishing of Awareness Training Brands
16 December 2024
What you'll learn in this notification
Prevent the loss of credentials to phishing scams impersonating Awareness Training platforms.
- Campaigns impersonating KnowBe4 and Phish Insight by Trend Micro.
- The lures focus on emails prompting users to complete security training.
- The goal is to obtain credentials.
As threat actors constantly find creative and convincing ways to exploit trust and familiarity in their phishing campaigns, Mimecast threat researchers have identified a recent trend involving the impersonation of well-known security awareness training platforms such as KnowBe4 and Phish Insight. Since these platforms are widely used by organizations, they are ideal cover for attackers seeking to harvest credentials or spread malware.
A large portion of these phishing campaigns have employed domains that closely resemble legitimate ones, such as knowbe4.de.com and phishinsight.sa.com. Both domains have recently been registered and utilize Contabo GmbH's infrastructure to send emails.
Additionally, some of the campaigns using the same theme spoof the legitimate domains; however, checks such as SPF, DKIM, and DMARC help filter out most of these threats. Below are a couple of examples observed and detected by Mimecast.
The links all redirect to a phishing page requiring the users to authenticate with their Microsoft credentials.
IOCs
Targets
Global, All sectors
Sending email addresses
training@phishinsight.sa[.]com
adobesign@phishinsight.sa[.]com
do-not-reply@knowbe4.de[.]com
do-not-reply@[companyname]knowbe4.com
Sending IPs
87.120.120.90
87.120.120.91
87.120.120.92
5.189.187.63
URL Domains
concur.it[.]com
adobesign.sunhanlaw[.]com
adobesign.bendlegal[.]com
accounts[.]knowb4[.]us
documents[.]wry-law[.]com
Recommendations
The increase in phishing campaigns impersonating security awareness training brands highlights the need for organizations to stay alert and act. It's vital to help staff recognize and report suspicious emails while also strengthening technical defenses such as email authentication and monitoring for threats. Collaborating with hosting providers and sharing intelligence across the cybersecurity community can go a long way in disrupting these attacks. By staying informed, using the right tools, and responding quickly, organizations can better protect themselves against these ever-evolving threats.
- Share updates on emerging phishing tactics to help employees recognise suspicious emails.
- Search your phishing/URL logs to determine if you have been a victim of this style of phishing attack using the published IOCs.
- Ensure SPF, DKIM and DMARC checks are being conducted on all incoming emails and ensure your domain records are up to date.
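One way to run the log search recommended above, as an added example that is not Mimecast's code: it refangs the IOCs published in this notification and matches sending IP, sender domain and URL host against mail-log records. The `time|src_ip|sender|recipient|url` record layout and the sample rows are constructed assumptions; senders are matched on the two lookalike domains rather than on exact addresses.

```python
from urllib.parse import urlsplit

def refang(value):
    return value.replace("[.]", ".").strip().lower().rstrip(".")

# IOCs from this notification, kept defanged in source and refanged at load time.
BAD_SENDER_DOMAINS = {refang(d) for d in ("phishinsight.sa[.]com", "knowbe4.de[.]com")}
BAD_IPS = {"87.120.120.90", "87.120.120.91", "87.120.120.92", "5.189.187.63"}
BAD_URL_DOMAINS = {refang(d) for d in (
    "concur.it[.]com", "adobesign.sunhanlaw[.]com", "adobesign.bendlegal[.]com",
    "accounts[.]knowb4[.]us", "documents[.]wry-law[.]com")}

def in_domains(host, domains):
    # Match the domain itself or any subdomain, never a mere substring.
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in domains)

def url_host(url):
    # Logs often hold defanged or scheme-less URLs; normalise before parsing.
    url = refang(url).replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""

def match_line(line):
    """Return the IOC types hit by one 'time|src_ip|sender|recipient|url' record."""
    _, src_ip, sender, _, url = (f.strip() for f in line.split("|"))
    hits = []
    if src_ip in BAD_IPS:
        hits.append("sending_ip")
    if in_domains(sender.rpartition("@")[2], BAD_SENDER_DOMAINS):
        hits.append("sender_domain")
    if url and in_domains(url_host(url), BAD_URL_DOMAINS):
        hits.append("url_domain")
    return hits

# Constructed sample records (recipients, timestamps and benign rows are invented).
SAMPLE_LOG = """\
2024-12-10T09:14:02Z|87.120.120.91|training@phishinsight.sa.com|a.user@example.org|https://adobesign.bendlegal.com/view
2024-12-10T09:20:11Z|192.0.2.10|do-not-reply@knowbe4.com|b.user@example.org|https://www.knowbe4.com/
2024-12-10T10:02:45Z|198.51.100.7|notify@example.net|c.user@example.org|hxxps://accounts[.]knowb4[.]us/signin
2024-12-10T10:30:00Z|203.0.113.5|news@example.net|d.user@example.org|https://notconcur.it.com/offer
""".splitlines()

def scan(lines):
    return [(line.split("|")[0], hits) for line in lines if (hits := match_line(line))]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, ",".join(hits))
```

A recipient that appears in a `url_domain` hit received a link to the credential-harvesting page, so check that account's sign-in history next.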