Monday, April 1, 2019

Another day, another phishing email.

This morning ITS detected a phishing email and quarantined it. A redacted version of the email is shown below.

1 Apr 2019 05:56:19 -0700
From: "manhattan.edu" <admin@support.com>
To: ██████.██████@manhattan.edu
Message-ID: <20190401055619.AF1B5635B08A35FE@support.com>


Dear ██████.██████,    
Your Email Account (██████.██████@manhattan.edu) password is set to expire 
in 3 days, it will expire on. 
*4 Apr 2019*.
We recommend you to click the Email Settings below to confirm your email 
password to avoid login interruptions.
Email Setings
Best Regards,
*Note:**Please do not ignore this message.*
2019 ⓒ manhattan.edu account team.


The link, which has been removed from the copy above, appears to go to google.com but actually redirects to a malicious site.

https://www.google.com/url?hl=en&q=https://yahoo.com

The above link has the same form as the malicious URL, with yahoo.com substituted for the malicious site. Google is currently blocking this redirection, which is for the best.

Screenshot showing Google blocking this redirection phishing exploit.
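A triage script can unwrap this kind of link before judging where it leads. The Python below is an added example, not ITS tooling: it undoes the quoted-printable (`=3D`) and HTML (`&amp;`) escaping a link carries in raw message source, then follows the `q` parameter of the Google `/url` form to the real destination. The function names and the redirector table are assumptions for the example, and the sample link uses the yahoo.com stand-in from this post.

```python
import html
import quopri
from urllib.parse import urlsplit, parse_qs

# Redirect endpoints to unwrap: (host, path) -> query parameter holding the target.
# Assumption for this example: only the Google /url?q= form seen in this post.
REDIRECTORS = {("www.google.com", "/url"): "q"}

def decode_raw_link(raw):
    """Undo quoted-printable and HTML escaping from raw message source."""
    text = quopri.decodestring(raw.encode("ascii", "replace")).decode("utf-8", "replace")
    return html.unescape(text).strip()

def redirect_chain(raw, max_hops=5):
    """Return the decoded link followed by every nested redirect target."""
    url = decode_raw_link(raw)
    chain = [url]
    for _ in range(max_hops):  # bounded so nested wrappers cannot loop forever
        parts = urlsplit(url)
        param = REDIRECTORS.get(((parts.hostname or "").lower(), parts.path))
        if param is None:
            break
        target = parse_qs(parts.query).get(param, [None])[0]
        if not target or not urlsplit(target).hostname:
            break  # no usable absolute URL in the parameter
        url = target
        chain.append(url)
    return chain

def is_disguised(raw):
    """True when the host the reader sees differs from the final host."""
    chain = redirect_chain(raw)
    return urlsplit(chain[0]).hostname != urlsplit(chain[-1]).hostname

if __name__ == "__main__":
    # Constructed sample: the stand-in link as it would appear in raw source.
    sample = "https://www.google.com/url?hl=3Den&amp;q=3Dhttps://yahoo.com"
    for hop in redirect_chain(sample):
        print(hop)
    print("disguised:", is_disguised(sample))
```

Run the decoder only on text taken from raw quoted-printable source; a link that is already decoded should be passed to the URL parsing step directly.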

ITS reported the email, with full headers, using the Google reporting form. ITS also blocked access to the malicious website from our campus, although any off-campus user can still accidentally visit the website. Thankfully this email was not delivered to a single inbox within our organization.