Original Phishing Message
From: ewilson[@]comfortkeepers[.]com
Subject: #06272023 – 66
Tips for Detection
- If you are not expecting an email or attachment from an individual, use extra caution.
- Notice the discrepancy between the file extension .xlsx while claiming to be a fax. An emailed fax would likely be an image file or a PDF, not an Excel document.
- Always hover over links to see where they lead.
Where Did the Link Lead?
The link goes to a popular design website, canva[.]com with a hyperlinked image created by the malicious actor. Attackers frequently use known services such as Google Drive, One Drive, Canva, etc as the initial hyperlink in an email to lend credibility to the phishing message.
The link then goes to a suspicious website, https://lblawyer-1318439371[.]cos[.]ap-bangkok[.]myqcloud[.]com/lblawyer[.]html, hosting a fake Microsoft login page. Never enter your credentials on sites you do not recognize and double-check the URL to confirm it is a trusted site before logging in.
Text of Phishing Message
From: ewilson[@]comfortkeepers[.]com
Subject: #06272023 – 66
You have received an inbound secure fax from Comfort Keepers.
Print or View
Reference: Microsoft06272023.xlsx
Received & processed: Tuesday, 27 June 2023
Pages: 2
Resolution: 300dpi x 300dpi