Attackers impersonating Quickbooks on the Microsoft 365 platform create a sense of urgency to compel their victims to “promptly” pay fake invoices allegedly from a legitimate vendor, thereby opening them up to a future malicious act.
Such phishing attacks are growing increasingly common, according to blog post from researchers at Abnormal Security who have observed 900 “attacks in the mailboxes of over 20 different customers,” with the expectation that the rate will continue to tick upward as users flock to Quickbooks online services.
These latest attacks use spoofing to bypass traditional mail filters and gain legitimacy, sending emails that seem to originate from [email protected]. The bad actors then prompt recipients to click on “Review and Pay,” which redirects them to http://parkburgerkuwait.com/loss[dot]php.
The attack is effective in part because the email is received on the same day the invoice is due, prompting the recipient to possibly act in haste without close scrutiny of the details. Among the red flags that may go overlooked: The suspicious landing page link or the headers that “reveal that the true sender domain is ‘airtelbroadband.in,’ which fails authentication,” said Abnormal researchers.
The bad actors have put considerable effort into creating a convincing email that Abnormal said, “is expertly framed,” using Inuit Quickbooks logos and links.
“Additionally, the email states at the bottom to check with the business owner before paying to avoid fraud, giving the recipient a false sense of security as it seems counterintuitive for an attacker to warn their target about their potentially malicious email,” the researchers said.