The CrowdStrike global IT outage was an unfortunate event for millions worldwide ranging from IT services downtimes to airport delays and serious healthcare disruptions.
Threat actors swiftly exploit real-world events, launching targeted phishing attacks that capitalize on recent disruptions in emails. By leveraging the context of these incidents, they establish credibility and prey on employees’ fear and stress. The Security Lab at Hornetsecurity recently detected several new targeted phishing campaigns exploiting the CrowdStrike IT outage, using sophisticated social engineering tactics and harvesting Microsoft credentials.
In this blog, we will share real-world examples of the phishing attacks that we’ve intercepted in the past week, providing you with the knowledge to identify and avoid them, thereby safeguarding your business during these vulnerable times.
Real-World Phishing Campaigns: What to Look out for
In the phishing attempts listed below, we discuss key characteristics that reveal their malicious intent. As attackers persist in exploiting the CrowdStrike bug, they will likely adapt and use variations of these tactics.
Sender information
The emails claim to be from “Department Internal” and use urgent subject lines about a “Global Outage” and “IT-Ticket” issues.
Sense of urgency
- They create a sense of urgency by mentioning a “GLOBAL IT OUTAGE REPORT” in all caps.
- The phishing emails falsely claim that a global IT outage occurred, blaming it on Microsoft and Windows updates.
- They state that general services have been disabled as a precaution, adding legitimacy to the fake scenario.
- The emails mention potential impacts on banks, airlines, and media outlets to increase concern.
Call to action
A “RE-FIX ALL ISSUES” button is prominently displayed, likely leading to a malicious link.
Legitimacy appearance
- The HTML attachment names include terms like “sys_update” to appear legitimate.
- When opened, the HTML attachment shows a nearly identical message to the email body.
Malicious links
- The link in the HTML attachment leads to a suspicious external site (share-eu1.hsforms.com), abusing HubSpot forms.
- This page shows a generic “Click here if you’re not automatically redirected” message.
- The final destination appears to be a fake Microsoft login page aiming at harvesting legitimate users credentials.
- It displays a Windows logo and email icon to mimic a legitimate Microsoft site.
- A CAPTCHA is present, likely to give a false sense of security to the targeted user and to evade automated detection systems.
- When the user passes the CAPTCHA, a fake M365 login page is displayed.
How to Prepare your Organization for Phishing Attacks
As we’ve demonstrated in this article, threat actors are constantly looking to exploit real-world events that would be known by the average end-user. Here are practical measures your organization can implement to enhance your defenses and ensure your business remains secure against these sophisticated and opportunistic threats.
Train your employees
Security awareness training will train your staff to be wary of emails from unknown or unexpected sources, be cautious of emails that create a sense of urgency, avoid clicking on links, and avoid downloading attachments from suspicious emails.
Implement Advanced Threat Protection
Hornetsecurity is pioneering the threat intelligence capability to actively track and analyze the impact of significant world events on the cybersecurity landscape in real-time. Our proactive approach allows us to adapt our protection measures quickly, keeping you one step ahead of emerging threats and ensuring your organization stays secure.
Advanced Threat Protection (ATP), available within 365 Total Protection is specifically designed to neutralize these risks before they reach your inbox. Start your free trial today.
FAQ
What are the main tactics used in phishing attacks exploiting the CrowdStrike incident?
Phishing emails exploit the CrowdStrike incident by creating a sense of urgency with fake “Global Outage” reports, using urgent subject lines, and misleading links that lead to fake Microsoft login pages.
How can I identify phishing emails related to real-world events like the CrowdStrike outage?
Look for emails from unknown senders with urgent messages about global IT issues, suspicious links, and attachments with names like “sys_update.” Always verify the legitimacy of such communications.
What measures can I take to protect my organization from these phishing attacks?
Train employees to recognize and avoid suspicious emails, implement advanced threat protection solutions like Hornetsecurity’s 365 Total Protection, and stay updated with threat intelligence to enhance your cybersecurity defenses.
