New phishing campaign targets employees’ credentials with a fake meeting request from CEO

• A new phishing campaign purporting to be from CEO and stating that the board meeting has been rescheduled is going rounds.
• This fake meeting phishing campaign targets high-level executives such as CFOs, CTOs, and SVPs.

A new phishing campaign purporting to be from CEO and stating that the board meeting has been rescheduled requests users to take part in a poll to choose a new date for the meeting. This fake meeting phishing campaign targets high-level executives such as CFOs, CTOs, and SVPs across a number of industries in an effort to steal logins and passwords from them.

Email spoofing

This phishing campaign was observed by researchers from a security firm GreatHorn. The researchers noted that the scammers behind this phishing campaign spoof the name and email address of the CEO of the targeted company and send phishing emails to the company’s executives.

The phishing emails’ subject line includes the company name and a note about the board meeting. The body of the email states that the board meeting has been rescheduled and requests participation from executives to choose a new date. Employees are more likely non-suspicious as they believe that the email has come from their CEO.

“Importantly, on a mobile device, the native Outlook client overwrites the display name to say “Note to self,” further complicating the attack and making it even more likely for a recipient to interact with it, researchers from GreatHorn explained in a blog.

Redirecting employees to a phishing site

• Upon receiving the email, if the executives click on the link to select a new date for a board meeting, they are redirected to a phishing page.
• The phishing page appears to be a login page for Microsoft Outlook and Office 365.
• Upon entering usernames and passwords to log in, the entered credentials are collected by the scammers.
• The scammers could then use the collected credentials to compromise the account and for further malicious campaigns

With the phishing emails targeting the senior executives of the company, a successful attack could provide attackers with access to highly sensitive data across the corporate network.

“The attack was found (and eliminated) in 14% of GreatHorn’s customer base. In addition to blacklisting the domain, GreatHorn correctly identifies the destination as suspicious in its Link Protection module,” GreatHorn reported.

Researchers noted that the phishing campaign is still active therefore warn users to be aware of the campaign and to be suspicious of any emails with a subject line - “New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)”.