Microsoft warns about SEABORGIUM phishing attack that befriends you first to rob you later


The Microsoft Threat Intelligence Center (MSTIC) has put out a warning about a phishing campaign dubbed "SEABORGIUM". The campaign is not new, having been active since at least 2017, but Microsoft says it has now observed enough of SEABORGIUM and the way it operates to publish comprehensive guidance that could help potential victims avoid it.

The dangerous thing about the campaign is the way the threat actors begin the attack. First, they conduct reconnaissance, closely observing potential victims through fraudulent social media profiles. They also create several email addresses that impersonate the identities of real people in order to contact the targets.

Below is an example of a recent email sent out by the threat actors to the targets in order to gain trust and build rapport:

Seaborgium Phishing campaign friendly email

After that, Microsoft says the SEABORGIUM actors deliver malicious URLs directly in an email or via attachments, as you can see below, often imitating hosting services like Microsoft's own OneDrive:

Seaborgium Phishing campaign OneDrive attachment

For example, below is an attachment for which no preview is available, which can lure targets into clicking the malicious link that directs them to the phishing portal:

A malicious link that looks like failed preview in SEABORGIUM attack

Microsoft has noted the use of the EvilGinx phishing kit in this case to steal victims' credentials. The image below shows the phishing portal designed by SEABORGIUM to deceive victims into entering their login information, which is then captured by the attackers.

Seaborgium Phishing campaign phishing portal

In the overall SEABORGIUM campaign, Microsoft has mainly observed data exfiltration and information operations. The Redmond giant has explained the impact of the former in detail:

Data exfiltration and impact

  • Exfiltration of intelligence data: SEABORGIUM has been observed exfiltrating emails and attachments from the inbox of victims.
  • Setup of persistent data collection: In limited cases, SEABORGIUM has been observed setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data. On more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration.
  • Access to people of interest: There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties. The nature of the conversations identified during investigations by Microsoft demonstrates potentially sensitive information being shared that could provide intelligence value.
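The "persistent data collection" bullet above describes a pattern defenders can hunt for: inbox rules or mailbox settings that forward mail to an address outside the organisation. The script below is an added example, not part of the Microsoft post or this article; it runs over constructed audit records whose field names are assumed (loosely modelled on Exchange mailbox audit entries) and flags forwarding to external domains.

```python
import json

# Constructed sample audit records. The record layout and parameter names
# (Operation, UserId, Parameters, ForwardTo, ForwardingSmtpAddress, ...) are
# assumptions for this example, not copied from any vendor documentation.
SAMPLE_AUDIT_LOG = [
    '{"Operation":"New-InboxRule","UserId":"analyst@example.org","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"ForwardTo","Value":"archive.dropbox91@mail-example.net"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"pm@example.org","ClientIP":"198.51.100.4",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"Operation":"Set-Mailbox","UserId":"cfo@example.org","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:cfo.backup@example.org"}]}',
    '{"Operation":"Set-Mailbox","UserId":"hr@example.org","ClientIP":"203.0.113.9",'
    '"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:hr-collect@freemail-example.com"}]}',
]

INTERNAL_DOMAINS = {"example.org"}          # domains considered "inside" the tenant
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}


def _domain(address: str) -> str:
    """Return the lower-cased domain of an address, stripping an 'smtp:' prefix."""
    address = address.split(":", 1)[-1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def find_external_forwarding(lines):
    """Flag audit records that forward or redirect mail outside INTERNAL_DOMAINS."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name, value in params.items():
            if name not in FORWARD_PARAMS:
                continue
            dom = _domain(value)
            if dom and dom not in INTERNAL_DOMAINS:
                findings.append({
                    "user": rec["UserId"], "operation": rec["Operation"],
                    "param": name, "target": value, "client_ip": rec.get("ClientIP"),
                    # a rule that also deletes the original hides the leak from the victim
                    "deletes_original": params.get("DeleteMessage") == "True",
                })
    return findings
```

Running `find_external_forwarding(SAMPLE_AUDIT_LOG)` returns two findings (the analyst's hidden rule and the HR mailbox forward); the internal CFO forward and the folder-move rule are ignored.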

You can find more details in the official blog post on Microsoft's site here.
