Original Release Date: 5/12/2023
The NJCCIC received reports of fake PhishAlarm installation emails sent to New Jersey State employees. The email claims to be from the organization's IT team, notifying employees that it will be installing an Outlook add-in application called Phish Alarm, and uses the subject line "IT security check (PHAlarm)." The sender may appear legitimate; however, the address is appended with a subdomain, such as "bad-homburg.de," as seen in the example above.
The body of the email includes legitimate instructions on how to use the "report a phish" add-in and asks the recipient to click the included link to "apply for the security upgrade." In this example, the link navigates to a malicious website requesting the user's credentials, which are sent to the threat actor if submitted. Additionally, if the "submit" button on the webpage is clicked, multiple processes begin fingerprinting the user's operating system and one or more malicious scripts download in the background. Finally, a process verifies that the script downloaded successfully and displays a "your submission was successful" message to the target. The command and control (C2) IPs may have been associated with Emotet and Hive ransomware in the past.
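The following is an added triage example, not NJCCIC code, showing how a mail-security or SOC team could flag messages matching this lure. It checks the indicators the advisory names: a sender address whose domain is outside the organization (including the pattern where the organization's own domain is appended to a foreign one), the subject line "IT security check (PHAlarm)", the "apply for the security upgrade" and "Phish Alarm" lure text, and links that point off the organization's domain. The organization domain `example.gov`, the link host `secure-upgrade.example.net`, and both sample messages are constructed for illustration.

```python
"""Triage helper for the fake PhishAlarm lure (added example, not NJCCIC code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the advisory text above.
LURE_SUBJECT = "it security check (phalarm)"
LURE_PHRASES = ("apply for the security upgrade", "phish alarm", "phishalarm")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

# Constructed sample: the organization's domain is appended to a foreign domain,
# as the advisory describes; link host is a placeholder.
ORG_DOMAIN = "example.gov"
SAMPLE_MESSAGE = """\
From: IT Service Desk <helpdesk@example.gov.bad-homburg.de>
To: employee@example.gov
Subject: IT security check (PHAlarm)

Our IT team will install the Phish Alarm add-in in Outlook. To use the
"report a phish" button, select a suspicious message and click Report.
Click the link below to apply for the security upgrade:
https://secure-upgrade.example.net/login
"""

# Constructed benign message for comparison.
LEGIT_MESSAGE = """\
From: IT Service Desk <helpdesk@example.gov>
To: employee@example.gov
Subject: Reminder: password rotation next week

Details are on the intranet: https://intranet.example.gov/security
"""


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def is_org_domain(host, org_domain):
    """True if host is the organization's domain or a subdomain of it."""
    host = host.lower().split(":")[0]
    return host == org_domain or host.endswith("." + org_domain)


def plain_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message, org_domain):
    """Return a list of findings; an empty list means no indicator matched."""
    msg = message_from_string(raw_message)
    findings = []

    dom = sender_domain(msg.get("From"))
    if dom and not is_org_domain(dom, org_domain):
        # "example.gov.bad-homburg.de" starts with the org domain but is not under it.
        note = " (org name appended to a foreign domain)" if dom.startswith(org_domain + ".") else ""
        findings.append(f"sender domain {dom} is outside {org_domain}{note}")

    subject = (msg.get("Subject") or "").strip().lower()
    if subject == LURE_SUBJECT:
        findings.append("subject matches known lure")

    body = plain_text(msg).lower()
    for phrase in LURE_PHRASES:
        if phrase in body:
            findings.append(f"lure phrase present: {phrase!r}")

    for host in URL_RE.findall(body):
        if not is_org_domain(host, org_domain):
            findings.append(f"link to external host {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, triage(raw, ORG_DOMAIN))
```

The sender check deliberately looks at the parsed address rather than the display name, since the display name is what the recipient sees and is trivially set by the sender; the link check treats only the organization's own domain and its subdomains as expected, so an external credential-collection page is flagged regardless of how the link text reads.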
The NJCCIC recommends that users educate themselves and others on this and similar threats to prevent future victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and to exercise caution with communications from known senders. If unsure of a message's legitimacy, contact the sender via a separate means of communication, such as by phone, before taking any action. Phishing emails and other malicious cyber activity can be reported to the NJCCIC and the FBI Internet Crime Complaint Center (IC3).