Chase Bank Phish Swims Past Exchange Email Protections

[silversurfer]

Threat actors are impersonating Chase Bank in two phishing attacks that can slip past Microsoft Exchange security protections in an aim to steal credentials from victims — by spoofing real-life customer scenarios.
 
Researchers from Armorblox recently discovered the attacks, one of which claims to contain a credit card statement, while the other informs users that their online account access has been restricted due to unusual login activity, according to a post on the Armorblox blog posted Tuesday.
 
The first set of emails went out to 9,000 inboxes in an Armorblox customer’s environment and the other reached 8,000, Preet Kumar, senior manager of customer success at Armorblox, wrote in the post.
 
Both attacks managed to bypass two Microsoft Exchange security protections–Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO)–on their way to customer inboxes, she said.
 
“These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users,” Kumar wrote.
 
In the first scenario, threat actors sent an email titled “Your Credit Card Statement Is Ready” with the sender name “JP Morgan Chase” with HTML stylings similar to genuine emails sent from Chase, according to the report. The email included links for the victim to see their statement and make payments.
 
“Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the ‘IP Allow’ list,” Kumar wrote in the report.

Read more: Chase Bank Phish Swims Past Exchange Email Protections | Threatpost