Phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHPMailer and 1&1 email servers. Spam was also sent from previously compromised email accounts so that messages appeared to come from legitimate sources.
"While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees' credentials," Check Point says.
The attackers' infrastructure consists of a web of hijacked websites running the WordPress content management system (CMS). According to Check Point, each hijacked domain served as a "drop-zone server" for receiving and processing incoming stolen credentials.
However, once stolen user data reached these servers, it was written to publicly accessible files that Google subsequently indexed, allowing anyone to find them through a simple search.
Each server would be in action for roughly two months and would be linked to .XYZ domains that would be used in phishing attempts.
"Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites' well-known reputations," the team noted. "The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors."
Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy.
Check Point reached out to Google and informed them of the credential indexing.