"Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity"

Cybercriminals used a sophisticated phishing campaign impersonating Instagram to target students at national educational institutions in the US. They used a valid domain to steal credentials, bypassing both Microsoft 365 and Exchange email protections. According to the Armorblox Research Team, the socially engineered attack, which targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there had been an "unusual login" on their account.

The login lure is nothing new for phishers, but the messages were sent from a legitimate email domain, making it much more difficult for both users and email-scanning technology to flag them as fraudulent, according to the researchers. They explained that traditional security training advises looking at the sender's email domain for clear signs of fraud before responding. In this case, a quick look at the domain would not have alerted the end user to fraudulent activity, because the domain itself was valid. Because phishing has been around for so long, attackers know that most email users are aware of it and know how to spot fraudulent messages. As a result, threat actors have had to become more creative in their tactics to make phishing emails look legitimate. Furthermore, university-age Instagram users are likely to be among the most knowledgeable Internet users, having grown up with the technology, which could be why the attackers in this campaign were so careful to appear genuine.

According to the researchers, the campaign's combination of spoofing, brand impersonation, and a legitimate domain allowed attackers to send messages that passed not only Office 365 and Exchange protections, but also the DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) alignment email authentication checks.
This article continues to discuss the socially engineered campaign using a legitimate domain to send phishing emails to university targets.
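The point the researchers make is that SPF, DKIM and DMARC only attest that a message really came from the domain it claims; they say nothing about whether that domain has any business speaking for the brand in the display name or subject line. The following Python script is an added illustration of a defender-side check for that gap, not code from the article or from Armorblox: it parses an `Authentication-Results` header, records whether all three checks passed, and then flags messages that mention a brand while being sent from a domain outside that brand's known sending domains. The two sample messages are constructed for this example (the phishing sender domain `legit-sender.example` is a placeholder, not the real domain used in the campaign), and the brand-to-domain allowlist is an assumption a mail team would maintain itself.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, headers only, modelled on the campaign described above:
# every authentication check passes because the sending domain is real, yet the
# display name and subject impersonate Instagram. Sender domain is a placeholder.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.edu;
 spf=pass smtp.mailfrom=legit-sender.example;
 dkim=pass header.d=legit-sender.example;
 dmarc=pass header.from=legit-sender.example
From: Instagram <security@legit-sender.example>
To: student@example.edu
Subject: Unusual login on your Instagram account @student_handle

"""

# Constructed control sample: same lure wording, but sent from a domain on the allowlist.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.edu;
 spf=pass smtp.mailfrom=mail.instagram.com;
 dkim=pass header.d=mail.instagram.com;
 dmarc=pass header.from=mail.instagram.com
From: Instagram <no-reply@mail.instagram.com>
To: student@example.edu
Subject: Unusual login on your Instagram account @student_handle

"""

# Assumed allowlist: brand keyword -> domains the brand is known to send from.
# A real deployment would source this from the organisation's own brand list.
BRAND_DOMAINS = {
    "instagram": {"instagram.com", "mail.instagram.com"},
}


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header.

    Returns e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}. Property
    names such as smtp.mailfrom= or header.from= are deliberately not matched.
    """
    results = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[method.lower()] = verdict.lower()
    return results


def domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def classify(raw_message):
    """Return authentication state plus any brand impersonation suspicion."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Brand terms in the human-visible parts: display name and subject.
    visible_text = f"{display_name} {msg.get('Subject', '')}".lower()
    brands = [b for b in BRAND_DOMAINS if b in visible_text]

    # Authentication passing is not enough: the brand must match the sending domain.
    impersonated = [b for b in brands if not domain_allowed(sender_domain, BRAND_DOMAINS[b])]

    return {
        "authenticated": authenticated,
        "sender_domain": sender_domain,
        "brands_mentioned": brands,
        "suspect_impersonation": impersonated,
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, classify(sample))
```

Run as a script, the phishing sample reports `authenticated: True` together with `suspect_impersonation: ['instagram']`, which is exactly the combination the article describes slipping past domain-based filtering; the control sample is authenticated and not flagged. The check is intentionally narrow: it keys on brand words in the display name and subject, so a real deployment would pair it with the other signals the article mentions (unusual-login lure wording, personalized handles) rather than rely on it alone.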

Dark Reading reports "Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity"
