Warning: significant increase in attacks via e-mail [CISO, 15.11.2021]
Compromised Exchange servers at communication partners used for phishing wave
The N-CERT (Lower Saxony CERT) and the Bundesamt für Sicherheit in der Informationstechnik (BSI) are warning of personalised phishing emails that originate from compromised Exchange servers at communication partners.
The threat exceeds the “Emotet” waves of 2019/2020 but follows the same pattern; the difference is that different malware is now being distributed.
Forensic investigations of known cases indicate that the affected Exchange servers had already been compromised before the Microsoft patches were applied, and that the malware remained undetected there for a long time. Applying the patches does not remove an infection that is already present on the system.
An infected Exchange server sends e-mails with malicious content to partner institutions, appearing as a legitimate communication partner.
The e-mails are usually replies to ongoing conversations, into which the attackers insert a short greeting containing a URL that points to malicious content. The text is written in good German and is often tailored to the individual recipients (social engineering).
Recipients can hardly recognise such an e-mail as spam, since they themselves initiated the exchange and the sender is a legitimate partner.
N-CERT shares the BSI’s assessment that the risk of infection is higher than during the “Emotet” campaigns.
Please check any links sent to you carefully before clicking on them, and likewise check all documents sent to you.
If you have any doubts, please contact the IT Service Desk at telephone 391-55555 or by e-mail at firstname.lastname@example.org.
Please report obvious phishing e-mails at email@example.com (“Forward as attachment”).