Financial organizations in the U.S., Canada, Europe, Hong Kong and other countries have been impacted since early last month by the novel MirrorBlast phishing campaign launched by Russia-linked threat group Evil Corp, or TA505, according to a Morphisec report covered by SecurityWeek.
The threat group leverages phishing emails to deliver a malicious document before using OneDrive or SharePoint file share request lures containing a Google feedproxy URL, which redirects to phony OneDrive or SharePoint sites. The fake sites and the required SharePoint sign-in help the attacks avoid detection, according to researchers.
Morphisec discovered that one of the pages to which the SharePoint lure redirects, along with other artifacts, was tied to TA505. “TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals. This new attack chain for MirrorBlast is no exception for TA505 or for other innovative threat groups,” said Morphisec.