Security News > 2022 > March > Exchange Servers Speared in IcedID Phishing Campaign
The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts.
The actors behind IcedID - as well as other spearphishers - have previously used phishing emails that "Reuse previously stolen emails to make the lure more convincing," researchers wrote.
Not only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from, but the delivery of the malicious payload also has shifted in a way that can execute malware without the user even knowing, researchers said.
Previously the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.
The new campaign starts with a phishing email that includes a message about an important document and includes a password-protected ZIP archive file attached, the password for which is included in the email body.
"Many email security systems use reputation of senders to block malicious email without being able to assess the email itself," Das noted.
News URL
https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/
Related news
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk (source)