BlueVoyant Identifies Credential Harvesting Campaign Targeting the Manufacturing Sector

August 28, 2024 | 3 min read

BlueVoyant Threat Fusion Cell

BlueVoyant’s Threat Fusion Cell (TFC) uncovered a focused campaign targeting the advanced manufacturing sector. The campaign spoofs Microsoft’s login page to steal Microsoft credentials and, through them, potentially sensitive information.

How Does the Attack Work? 

The attack begins with a spearphishing email that eventually leads to the unsuspecting recipient receiving a file named Product List RFQ, NDA & Purchase Terms 2024.shtml (also observed as Periscope Holdings Product List RFQ, NDA & Purchase Terms 2024.shtml and R.S.Hughes Product List RFQ, NDA & Purchase Terms 2024.shtml). At least some of the lure files impersonated two large companies: Periscope Holdings, a large procurement solutions company serving the public sector, and R.S. Hughes, a North American distributor of industrial and safety supplies. The request for quote (RFQ) lure, coupled with a nondisclosure agreement (NDA) and price list, may suggest earlier interaction between the attacker and the target; however, those details remain unconfirmed. Nevertheless, once the file is clicked, the victim is directed to a Microsoft-spoofed login page with their username (taken from the email address) already entered and is prompted to enter their password.

This fake page is designed to harvest Microsoft credentials from the target organization.

Who’s Being Targeted? 

This campaign appears to be well planned and executed, with a focus on the advanced manufacturing sector, particularly in the United States and Canada. In addition, the domains used to lend the attack credibility impersonated well-known companies in the manufacturing sector.

BlueVoyant researchers uncovered at least 15 targeted victims employed at advanced manufacturing firms from March to August. 

The low volume of identified campaign artifacts, the highly narrow target selection within North America and the advanced manufacturing industry, and the creation of look-alike domains that lay dormant for several months after registration suggest an advanced adversary.

What Should You Do? 

For those in the manufacturing sector and related industries, it’s crucial to stay vigilant. Any industry, however, can be similarly targeted.

Here are some steps you can take: 

  • Monitor for Lookalike Domains: The adversary has leaned into using similar-looking characters to disguise fake domains, for example 'l' instead of 'i', 'rn' for 'm', or other two-letter swaps, when registering lookalike domains for manufacturers. Regularly check for domains that closely resemble your own or another company’s domain and act if any are found. You may also consider working with a digital risk protection provider who can scan for impersonating websites and take them down on your behalf.
  • Educate Employees: Make sure your team is aware of spearphishing tactics and knows not to click on suspicious email attachments. Be wary of emails from previously unknown entities and, when possible, verify the sender’s identity outside of email/chat. In addition, these adversaries tried to harvest MFA codes, so make sure employees report any suspicious MFA activity.
  • Advanced Adversary Considerations: The advanced manufacturing sector is among the industries targeted by nation-state actors and corporate espionage groups; both represent advanced threats, so educating employees about this heightened risk and what it may look like is crucial.
  • Leverage Conditional Access Policies and Strong Authentication: Credential theft is much easier for attackers targeting organizations where unmanaged devices have access to cloud services such as M365. Conditional Access Policies should be implemented to restrict the types of devices allowed to access sensitive data, and strong authentication methods such as certificate-based authentication or FIDO2 should be used where possible.
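As an added illustration of the lookalike-domain monitoring step above (example code written for this article, not BlueVoyant tooling), the script below folds the character swaps the campaign used ('rn' for 'm', 'l' for 'i') plus a few other common ones into a "skeleton" and flags candidate registrations whose skeleton matches a protected domain. The domain names and the candidate feed are constructed sample data; in practice the candidates would come from a newly-registered-domain or certificate-transparency feed.

```python
# Lookalike sequences mapped to the character they imitate. Longer sequences
# come first so 'rn' is folded to 'm' before the single-character rules run.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("l", "i"),
    ("1", "i"),
    ("0", "o"),
]


def fold(label: str) -> str:
    """Collapse a domain label into a skeleton where each confusable sequence is
    replaced by the character it mimics; labels with equal skeletons look alike."""
    s = label.lower()
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def sld(domain: str) -> str:
    """Second-level label, e.g. 'example-mfg' for 'example-mfg.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(protected: list[str], candidates: list[str]) -> list[tuple[str, str]]:
    """Return (candidate, protected) pairs whose second-level labels share a
    skeleton. A plain TLD swap (same label, different suffix) is also reported;
    only an exact match with a protected domain is ignored."""
    skeletons = {fold(sld(d)): d for d in protected}
    hits = []
    for cand in candidates:
        match = skeletons.get(fold(sld(cand)))
        if match and cand.lower() != match.lower():
            hits.append((cand, match))
    return hits


# Constructed sample data: domains to protect and a mock new-registration feed.
PROTECTED = ["example-mfg.com", "millbrook-industrial.com"]
CANDIDATES = [
    "exarnple-mfg.com",            # 'rn' for 'm'
    "exampie-mfg.com",             # 'i' for 'l'
    "example-mfg.net",             # TLD swap
    "miilbrook-industrial.com",    # 'i' for 'l'
    "unrelated-shop.com",          # benign
    "example-mfg.com",             # our own domain, not a hit
]

if __name__ == "__main__":
    for cand, target in find_lookalikes(PROTECTED, CANDIDATES):
        print(f"ALERT lookalike {cand} -> impersonates {target}")
```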

Conclusion 

The advanced manufacturing sector is a prime target for sophisticated cyber-attacks. By staying informed and taking proactive measures, companies can better protect themselves against these credential harvesting campaigns. Always verify before you click and educate your teams to recognize the signs of potential phishing attempts.