Open Spoofing
12 February 2025
By Mimecast Threat Research Team
What you'll learn in this notification
- TO3028 is a sophisticated threat actor known for exploiting weaknesses in modern security systems to execute high-impact campaigns.
- Recent campaigns leverage ISP infrastructure with weak authentication to spoof trusted brands and distribute phishing emails at scale.
- The primary goal is credential harvesting, enabling surveillance, fraud, and further targeted attacks against victims.
Campaign Flow
TO3028 at a glance
TO3028 is a highly organised and sophisticated threat actor whom Mimecast has recognised for their ability to develop and deploy advanced delivery techniques exploiting weaknesses in modern security systems. Operating with precision and persistence, this group has a deep understanding of email protocols, authentication mechanisms, and the complexities of cloud-based security infrastructure.
Their campaigns are planned, leveraging systematic testing procedures and specialised expertise to bypass defences and achieve their objectives. The group’s operations have evolved over years of sustained activity, showcasing a level of professionalism that mirrors legitimate enterprises.
What sets TO3028 apart is their resourcefulness and adaptability. Possibly employing specialised teams for infrastructure development, testing, and deployment, they demonstrate an unmatched capability to exploit weaknesses in email systems globally. Their campaigns, which often focus on credential harvesting, employ high-volume distribution tactics paired with numerous phishing lures designed to deceive end users. With a strategic focus on evading detection and maintaining persistent access to compromised systems, TO3028 continues to pose a significant challenge.
Innovative exploitation of ISP Email Services
TO3028’s latest campaigns revolve around the strategic abuse of ISP email services through compromised consumer routers. The process involves:
- Router Compromise: Attackers target routers of the ISP's customers, exploiting known vulnerabilities or weak default credentials, and establish control so that these routers can be configured as proxy servers.
- Proxy Server Setup: The compromised router is configured as a proxy server, routing all internet traffic from connected devices through it.
- Spam Distribution via ISP Email Servers: The compromised router relays spam emails through the ISP's email servers, using the router's IP address as the origin.
TO3028’s exploitation of ISP email services offers several advantages for spam distribution:
- Masked Origin Infrastructure: The proxy connection hides the attacker's infrastructure from spam scanning services. ISPs often passively manage their free email services, allowing attackers to maintain spamming capabilities without frequently changing infrastructure.
- Unlimited Sender Spoofing: Many anti-spam services rely on sender reputation. Without sender authentication, attackers can vary sender information to evade these checks without needing new compromised credentials.
- Relaxed Outbound Spam Scanning: Most ISP mail services have basic security controls and lack robust anti-spam checks, shifting the attacker's focus to inbound deliverability to their targets.
- Availability: The frequent integration of new ISP mail services into the spam ecosystem suggests the attacker has readily available methods to exploit these services. Many ISPs appear to use either Zimbra or Magicmail.
- High Sending Rates: The lack of authentication often results in unchecked email sending rates, enabling large-scale campaigns in short periods.
As part of the recent campaigns, we’ve observed TO3028 using the template shown above, and testing and distributing phishing emails through the infrastructure of a major Canadian ISP, Distributel (a Bell company). They have developed techniques to relay high volumes of email traffic through the ISP’s Mail Transfer Agents (MTAs) without requiring authentication credentials. This abuse is not limited to Distributel-owned domains but extends to spoofing prominent brands such as BBC and CNN, as well as customer domains. These campaigns are primarily focused on delivering credential phishing attacks, with stolen credentials subsequently used for target surveillance and executing fraud operations.
This deliberate use of the BBC domain, alongside references to Docusign, is designed to build credibility and bypass suspicion. The phishing campaign consistently leverages well-recognized brands to deceive the recipient into clicking a malicious link labelled "REVIEW DOCUMENT."
Whilst the embedded URL points to Docusign, it passes through multiple redirects before ultimately reaching a malicious destination hosted on canadacentral-01.azurewebsites[.]net.
Key observations include:
- Legitimate Domains for Redirection:
  - The use of federation.nih.gov and www.applyweb.com as part of the heavily obfuscated redirection chain gives the illusion of legitimacy.
- Final Malicious Destination:
  - The URL resolves to hxxps://filedocx-ejd6bncpcjhtdtgd.canadacentral-01.azurewebsites[.]net, hosted on Microsoft’s Azure infrastructure.
  - This destination is designed to present a fake DocuSign portal or credential-harvesting page, where victims would input sensitive login information.
- Obfuscation Techniques:
  - The redirection chain uses a series of legitimate domains to hide the true malicious intent of the link, a technique commonly used in phishing. URL encoding and long query strings make it challenging for email filters and casual users to recognize the threat.
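The two observations above, unauthenticated relaying through an ISP MTA with a spoofed From: domain and a redirect chain that tunnels the real destination through legitimate domains, can both be surfaced at the gateway. The following is an added triage example, not Mimecast's code: it flags a From: domain unrelated to the relaying MTA and statically unwraps query-string redirects to find the final azurewebsites.net host. The sample message, the `/go?url=` and `/r?target=` paths, the HOP_KEYS parameter names and the IP address are constructed assumptions; the sender addresses and the final hostname are the ones listed in this notification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Sender IOCs from the list in this notification (de-fanged dots restored).
IOC_SENDERS = {"donotreply@distributel.net", "donotreply@cogeco.ca", "webmaster@socket.net"}
# Query keys that commonly carry the next hop of a redirect chain (assumption).
HOP_KEYS = {"url", "target", "redirect", "redirecturl", "goto", "next"}

def final_destination(url, max_hops=10):
    """Statically unwrap a query-string redirect chain; nothing is fetched."""
    for _ in range(max_hops):
        params = parse_qs(urlparse(url).query)
        nxt = next((v[0] for k, v in params.items() if k.lower() in HOP_KEYS), None)
        if not nxt or not nxt.lower().startswith("http"):
            break
        url = nxt
    return url

def last_external_relay(msg):
    """Host that handed us the message: the topmost Received header is ours."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return the reasons a message matches the ISP-relay abuse pattern."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_domain, relay = sender.rpartition("@")[2], last_external_relay(msg)
    reasons = ["ioc-sender"] if sender in IOC_SENDERS else []
    # Brand spoofing via an ISP relay: From: domain unrelated to the delivering
    # MTA. Coarse triage heuristic; DMARC alignment is the authoritative check.
    if from_domain and relay and not relay.endswith(from_domain):
        reasons.append(f"relay-mismatch:{relay}!={from_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for link in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(final_destination(link)).hostname or ""
        if host.endswith(".azurewebsites.net"):
            reasons.append(f"redirect-to:{host}")
    return reasons

# Constructed sample: BBC-branded lure relayed by an ISP MTA, link bouncing
# through two legitimate domains to the Azure-hosted page (paths are made up).
SAMPLE = """\
Received: from mail.distributel.net (mail.distributel.net [203.0.113.10])
\tby mx.example.com with ESMTP; Thu, 5 Dec 2024 10:00:00 +0000
From: BBC <no-reply@bbc.com>

REVIEW DOCUMENT: https://federation.nih.gov/go?url=https%3A%2F%2Fwww.applyweb.com%2Fr%3Ftarget%3Dhttps%253A%252F%252Ffiledocx-ejd6bncpcjhtdtgd.canadacentral-01.azurewebsites.net%252Flogin
"""
```

Run `triage(SAMPLE)` to see both the relay mismatch and the unwrapped Azure destination reported; the relay heuristic is deliberately coarse, so treat its hits as triage signals to confirm against your gateway's DMARC results.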
TO3028’s operations expose systemic flaws in ISP-managed email systems and highlight the risks of weak authentication and insufficient monitoring. Their ability to adapt and integrate new tools and platforms ensures their continued success, underscoring the requirement for robust authentication policies, proactive monitoring, and improved security practices across the email ecosystem. This campaign highlights the evolving sophistication of TO3028 and their relentless pursuit of exploiting gaps in email security.
Observed Campaign Activity
Activity linked to abused ISP infrastructures highlights a gradual buildup through mid-2024, followed by a sharp increase in November and a dramatic peak in December. This pattern suggests a deliberate strategy of testing and scaling:
- Mid-2024: Likely testing of their methodology, with low-volume activity designed to fine-tune tactics.
- November–December 2024: Full-scale exploitation, coinciding with the integration of new ISP services into their spam ecosystem.
Such activity underscores TO3028’s ability to adapt their methods while systematically scaling their operations to maximize impact.
Tactics, Techniques and Procedures
T1204.001 - User Execution: Malicious Link
T1566.002 - Phishing: Spear Phishing Link
T1598.002 - Phishing for Information
T1090 - Proxy: Compromise of consumer routers for email relay
T1586.001 - Compromise Accounts: Email Accounts
T1608.003 - Stage Capabilities: Install Malicious Web Content
T1070.004 - Indicator Removal on Host: Automated Spam Exfiltration
Mimecast Protection
We have identified several attributes in the recent campaigns which have been added to our detection capabilities. We continue to monitor for testing and updates made by TO3028 to ensure our customers are protected.
Targeting:
Global, all industries
Varying campaigns from this threat actor often do not exhibit related Indicators of Compromise (IOCs) due to the utilization of diverse techniques and lures, resulting in distinct attack vectors.
IOCs:
Sending Addresses
- donotreply@teksavvy[.]ca
- payoff@hysharma[.]com
- donotreply@cogeco[.]ca
- webmaster@a1[.]net
- noreply@videotron[.]com
- donotreply@distributel[.]net
- webmaster@socket[.]net
Subjects:
- Financial Statements for Q : Overview and Insights
- Hi, Payoff Letter Document Attached**
- Q3 Bonus Report - Final Commissions - September 2024
- Enroll Now: 2024 Benefits Enrollment Now Open
Recommendations
- Search through your email receipt logs to determine if any of these IOCs have been delivered to your users.
- Educate end users around the continued trend of legitimate tools being used in malicious campaigns.