Nespresso Domain Hijacked in Phishing Attack Targeting Microsoft Logins

Perception Point researchers have identified a new phishing campaign utilizing compromised accounts to target users through an open redirect vulnerability discovered within a Nespresso domain. Nespresso is a coffee manufacturer. This redirect method allows attacks to bypass standard endpoint detection security measures assuming that these measures do not check for hidden or embedded links. The attack flow begins with a phishing email sent from an already-compromised email account, In this campaign attackers pass the SPF check by utilizing legitimate domains. This provides evidence that the attacker was using compromised domains with a good history to make the phishing emails appear more genuine. The Open Redirect Vulnerability in Nespresso’s site was used in this campaign because the site allows its data to be externally controlled. The phishing email urges the victim to check their recent Microsoft 365 login activity. When clicked, the link takes the user to the infected Nespresso URL and then is redirected to an HTML file. This HTML file is a fake verification page used to masquerade the malicious intent of the email further and it then redirects the user again to a spoofed Microsoft login page. The purpose of the fake login page is to harvest credentials that can be used in future malware deployments and deceptive campaigns.

Security Officer Comments:
This activity cluster contains attacks carried out with multiple different infected sender domains with the commonality being the Nespresso redirect. The account takeover and redirect vulnerability optimize the attacks’ appearance of legitimacy. Utilizing an intrusion detection system that scans for suspicious files and URLs embedded within initial email attachments is an effective option to prevent future evasive phishing attempts similar to this campaign.

Suggested Corrections:
The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions thereby also increase the risk of personnel being targeted by phishing or spam attacks, and thus ransomware and other malware infections. Users should adhere to the following recommendations:
  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam, and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately
Perception Point Researchers have published a general guide to help prevent phishing attempts here.