Scammers pose as employees of private equity firm to steal Office 365 credentials
- They are posing as employees from firms like Crossplane Capital and Edgemont Partners to lure their victims.
- In order to create a sense of urgency, the email includes a signed NDA.
Scammers have been found impersonating employees of a private equity firm in a new phishing campaign. They are posing as employees from firms like Crossplane Capital and Edgemont Partners to lure their victims.
How does the scam work?
Discovered by researchers from PhishLabs, the scam involves cybercriminals posing as either of the private equity firms and submitting non-disclosure agreements (NDA).
- The scam is executed through multiple phishing emails sent in a simple format.
- Researchers note that the scammers combine impersonation of real employees at PE firms or VCs, an attachment, and a single line of text that does not have any grammatical errors.
- In order to create a sense of urgency, the email includes a signed NDA which contains an image-based link similar to those used for online file-sharing services.
Adding a pinch of authenticity to evade
To make it less suspicious, the URL for the NDA uses a recently registered domain that impersonates the domain of a real private equity firm. The look-alike fake domains are:
- hxxps://www.crossplanecapitals[.]org, and
All of these links redirect the victims to hxxps://serversecuredhttp[.]com.
The site poses as Box, a content management and collaboration service commonly used to share documents. It instructs the victim to log in with their Office 365 account in order to download the document.
“The look-alike domain with the ‘s’ is used in the link to the facade document (not visible in the screenshot),” explained researchers.
Identifying the red flags
Organizations should take the following actions to safeguard themselves against the active campaign:
- Scan for indicators such as the malicious links across all user inboxes;
- Implement email filtering measures to block delivery of spoofed emails;
- Block web traffic associated with the indicators;
- Reset Office 365 credentials of individuals that have fallen victim to such emails or malicious URLs.
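The first two actions above (scanning inboxes for the published indicators and flagging look-alike domains before delivery) can be scripted. The following is an added example written for this article, not code from PhishLabs or from the article itself. It refangs the two indicator domains quoted in the report, extracts the hosts from message text, matches them against the indicator list, and additionally flags any host whose second-level label is within a small edit distance of a trusted partner domain (the "extra 's'" trick described above). The trusted-partner list and the sample messages are constructed for the example; the real firms' legitimate domains are not stated in the report, so placeholder names under `.example` stand in for them.

```python
import re

# Indicator domains as published in the campaign write-up (defanged form).
CAMPAIGN_IOC_DOMAINS = ["crossplanecapitals[.]org", "serversecuredhttp[.]com"]

# Hypothetical list of partner domains this organization legitimately exchanges
# NDAs with. Placeholder names: the real firms' domains are not in the report.
TRUSTED_PARTNER_DOMAINS = ["crossplanecapital.example", "edgemontpartners.example"]

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn the report's defanged notation (hxxps, [.]) back into a matchable form."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels (strips 'www.')."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def second_level(domain: str) -> str:
    """The label that squatters typically tweak, e.g. 'crossplanecapitals'."""
    return registrable(domain).split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values between two brand labels signal squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


IOC_SET = {registrable(refang(d)) for d in CAMPAIGN_IOC_DOMAINS}


def extract_hosts(text: str) -> list:
    """Return the distinct hosts linked from a message body (defanged or not)."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(refang(text))})


def assess_email(text: str, max_distance: int = 2) -> list:
    """Return (kind, host, detail) findings for a message body.

    kind is 'known_ioc' when the registrable domain is on the indicator list, or
    'lookalike' when its second-level label is within max_distance edits of a
    trusted partner's label but the domain is not that partner's domain.
    """
    findings = []
    for host in extract_hosts(text):
        reg = registrable(host)
        if reg in IOC_SET:
            findings.append(("known_ioc", host, reg))
        for trusted in TRUSTED_PARTNER_DOMAINS:
            if reg == trusted:
                continue  # the genuine partner domain is never a look-alike of itself
            if levenshtein(second_level(host), second_level(trusted)) <= max_distance:
                findings.append(("lookalike", host, trusted))
    return findings


# Constructed sample message bodies for demonstration; not real campaign emails.
SAMPLE_EMAILS = {
    "nda_lure": "Please review and sign the attached NDA: hxxps://www.crossplanecapitals[.]org/nda",
    "box_page": "Your document is ready at https://serversecuredhttp.com/box/login (Office 365 login)",
    "legit": "Deal deck attached, see https://edgemontpartners.example/deal for details",
}

if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(name, assess_email(body) or "clean")
```

The look-alike check deliberately compares only the second-level label, so `crossplanecapitals.org` is caught even though its TLD differs from the partner's. With `max_distance=2` short brand labels will produce false positives, so in production tune the threshold per label length or require a minimum label length before comparing; the indicator match, by contrast, is exact and safe to block on.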