Phishing Catch of the Day: Your Inbox Will be Deactivated

In this series, our security experts will give a behind the scenes look at phishing emails that were reported to PhishER, KnowBe4’s Security Orchestration, Automation and Response (SOAR) platform. We will go in-depth to show you real-world attacks and how you can forensically examine phishing emails quickly.

Each Phishing Catch of the Day will focus on a single phish attempt and describe:

  1. What context or pretexting exists between employee, hacker and email.
  2. What red flags one can look for before falling victim.
  3. What attack vector is being utilized and for what purpose.
  4. What steps to take to inoculate users from similar attacks.

The Initial Phish Breakdown

PhishER Reported Phishing Email

Figure 1: PhishER Screenshot of Reported Phishing Email

Early in the morning on Feb 11th, a Knowbe4 employee received an email that claims their inbox will be deactivated if they do not confirm their email address. The sender of this phish is hoping to generate an emotional reaction, causing a user to react without thinking.

Phishing Warning Signs and Red Flags

The best approach to consistently identify phishing is to simply ask oneself “Is this phishing?” whenever viewing an email or electronic message. The brain will naturally jump into a detective mindset and become resilient to emotional reaction.

Scroll up to the first screenshot, put on your detective cap, and try to find as many red flags as you can before continuing!

Red Flags for Phishing Email

Figure 2: Red flags found in the phishing email

Let’s gather more information from the headers of the email. Clicking on the Headers tab in PhishER will give you all headers pulled from the reported message in an easy-to-read format and highlights ip addresses and authentication information for you. Take a look at the Arc-Authentication-Results to figure out the original, non-spoofable, sender location.

Phishing Email Authentication Results PhishER

Figure 3: Arc-Authentication-Results from the Headers tab in PhishER

It appears that the email is coming from an Amazon SES server and the originating ip is You may be able to reach out to Amazon and report abuse if necessary, especially if this is an ongoing problem from this specific address.

Phishing Attack Vector and Road to Compromise

Opening up the link found in the email, we see the landing page below.

Phishing Email Landing Page Example

Figure 4: Phishing email landing page

Notice the “NOPE” at the top and the fill-in for “nope@nope .com”. This is pulled from the ‘#’ anchor passed in to the page from the email URL. The page then uses javascript to style the form and add any icon found in Google images for the user’s email domain. This is to provide some familiarity to a victim and to imitate a generic login page that an individual might trust.

phishing email address pass-through

Figure 5: Anchor passed in from the URL in the email body

Upon entering their credentials, the page will run a js script to verify that the password and email fields are not empty and send the form contents to a remote server in Indonesia (which may explain why the email had been sent outside US business hours).

Phishing email js script

Figure 6: JS code to POST user entered credentials to a remote server

Phishing domain WHOIS results

Figure 7: WHOIS of the domain found in the POST request

Conclusions and Recommendations

The attack described above is a perfect example of credential phishing. This is a tactic where a hacker will route you to a landing page that imitates a popular or important browser application in hopes that, when you enter your username and password, they can pocket the credentials to use at a later date.

This attack can be particularly harmful to your organization because your end users are usually unaware that they have compromised their account! A malicious actor can utilize this access for weeks without detection because any activity looks to come from a legitimate account.

If you’re a KnowBe4 customer, you can find this phishing template under the IT Category on the KMSAT platform labeled, “IT: IT Support Email Shutdown (Link) (Spoofs Domain)”.

It’s important to ensure your users are staying alert of the latest attacks. Frequent phishing security tests and new-school security awareness training can help your users actively apply training techniques in their day-to-day job functions.


What’s the Information Stolen in a Phishing Attack Really Worth?

Once a scammer tricks their victim out of web credentials, credit card details, or online access to a bank account, the details collected are worth plenty by simply selling them on the dark web.

The cybercriminal industry is much like regular businesses; each one specializes in a particular product or service and has no interest in doing “everything”. For example, when a phishing attack successfully yields online credentials to Office 365, in many cases, the credentials are sold by the initial attacker, rather than utilized by them to further launch attacks.

Why? Because it’s a lot easier to make a quick buck and repeat the process using automated tools than to develop a complex multi-step attack campaign.

According to the 2020 Dark Market Report: The New Economy report from security vendor Armor, those stolen details are worth quite a bit on the dark web:

  • A credit card in the US can fetch as much as $12. One in the EU is worth as much as $35.
  • The value of cloned ATM cards are based on the bank account balance. For example, the ATM card associated with an account worth $10K in it would be worth between $600-800.
  • Paypal account credential values follow the account’s balance, with credentials to a $1000 account valued at $100.
  • Even social media accounts have value, with Twitter leading the pack at $16 per account

In every case above, the details purchased are used to then be used by the next bad guy. It’s an ecosystem where many cybercriminals have found a way to plug themselves in by simply doing the work of fooling victims into giving up information and then selling it off to the highest bidder.

Phishing attacks remain one of the most prevalent ways attackers steal these details. Teaching user to be vigilant while at work and home (which, for many, is the same place today) is a necessary step using new school Security Awareness Training. Those that undergo training are mindful of the potential harm an email or website can cause and are constantly watching for anything that appears to be abnormal, suspicious, or downright malicious in nature – avoiding the attack and keeping their details secure.


Beware of Fake Forwarded Phishes

There are many specific, heightened challenges of spear phishing emails coming from compromised, trusted third parties. Trusted third-party phishing emails usually come from the legitimate sender’s email account, which is under control of a malicious hacker. The challenges of these types of spear phishing emails were discussed previously

But the risks from a compromised, trusted third-party account don’t always go away when the trusted third party gets cleaned up and the hacker is removed. In fact, the threats from a trusted third-party compromise can last for months to years. The related spear phishing attack called a ‘fake forwarded email’ is an example.

This particular type of phish arrives with subject line and message body text belonging to a previous, genuine conversation held between two legitimate parties. The message text is usually a partial or full conversation from a previously discussed thread, which often happened months to years ago. Even though this type of email usually arrives from a new, illegitimate email address, often times, the receiver’s innate familiarity with the conversation thread makes the receiver accidentally miss the new sender’s email address. It’s what the phisher is hoping for and the whole reason for this type of spear phishing attack.

These types of phishing emails will always include a new request for the receiver, to either visit a particular included URL link or open a file attachment. The message to the sender requesting action is usually something simple and short, such as “Here’s that document you requested” or “This link has the invoice you were asking about.” Many times, the action instruction has nothing to do with the included thread. I’ve often been surprised about how disjointed the request is with the original thread, but the phishers are apparently having some success with them or they wouldn’t keep using them.


All the normal anti-phishing defenses, including good and frequent security awareness training, apply. But it’s important to share these types of phishing attacks with everyone so they know about them. It’s also always important to check the sender’s email address, even if the email seems like part of a continuing thread. It’s one thing to educate and discuss and another to test if people really are looking at the sender’s FROM email address when they get sent a recognizable thread. So, test this scenario as part of your regular simulated phishing campaigns. Pick an organizational-wide email thread that got a lot of traffic and back and forth conversation with lots of participants within the company. Then send it from an external, nearly look-a-like email address and see who falls for it. Real spear “phishermen” seem to think it works.

This is also a great chance to see if your best anti-phishing “champions” who hardly ever get tricked by a real or simulated phishing test do as well on a simulated fake forwarded email. For your champions, pick a more focused email thread that they were personally involved in instead of a company-wide thread. You might have to enlist another recipient you know who frequently corresponds with them.

Fake forwarded emails are one of the most popular types of spear phishing. Don’t let a real one be the first time your users are tested.