Netskope named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge. Get the report

close
close
  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,000 customers worldwide including more than 25 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

Still Highest in Execution.
Still Furthest in Vision.

Learn why 2024 Gartner® Magic Quadrant™ named Netskope a Leader for Security Service Edge the third consecutive year.

Get the report
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
We help our customers to be Ready for Anything

See our customers
Woman smiling with glasses looking out window
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

On Patents, Trolls, and Innovation
In this episode host Emily Wearmouth chats with Suzanne Oliver, an intellectual property expert, and Krishna Narayanaswamy, co-founder and CTO of Netskope, about the world of patents.

Play the podcast
On Patents, Trolls, and Innovation
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Amazon-themed PDF Phishing, Abusing LinkedIn and Twitter, Targets Microsoft Live Outlook Users

Oct 26 2023

Summary

In August 2023, Netskope Threat Labs highlighted an increase in downloads of PDF phishing attachments in Microsoft Live Outlook, caused by a series of phishing campaigns targeting users of the email service. We took a closer look and found that these campaigns are mostly Amazon-themed scams with a few Apple and IRS-themed phishing attempts sprinkled throughout. Just like in our previously reported phishing blog posts, attackers are abusing free services in these campaigns. In this campaign, they abuse conversion trackers and redirectors to evade detection. Additionally these campaigns specifically targeted personal Microsoft Live Outlook accounts in North America, Southern Europe, and Asia. Let’s take a closer look at the details of these campaigns:

Amazon-themed phishing campaign

Netskope Threat Labs recently analyzed the cause of an increase in malware downloads from Microsoft Live Outlook and found that a major contributor was a variety of Amazon-themed phishing PDF attachments. The sender purports to be a member of the Amazon support team notifying recipients that their account has been suspended due to incorrect billing information. In order to supposedly rectify the situation, the users need to update their billing information by clicking the hyperlink. The attacker is abusing different redirectors with URL shorteners to hide the actual malicious URL and evade detection.

Some of the phishing links used in these campaigns lead to a compromised website that mimics PayPal’s page, where they ask users to fill up personal information and credit card details.

In some of the other scam campaigns we analyzed, even though the PDF attachment is requesting their targets to re-enter their Amazon billing information, some of the links redirect to other sites unrelated to Amazon, like login pages for Ionos and Netflix.

A small subset of phishing PDF attachments we analyzed purport to be from Apple and used similar social engineering tactics and the same redirector domains and URL shorteners. Another phishing campaign uses an IRS-themed scam, claiming that the recipient has a tax refund that can be collected when they click the link. These campaigns also used social media redirectors, like Linkedin Smart Links and Twitter, as well as free ecommerce marketing email services to evade detection. Let’s dig a bit deeper into how attackers used these redirectors:

LinkedIn Smart Links and Twitter used as redirectors

The attackers on these phishing campaigns are abusing social media platforms LinkedIn and Twitter as redirectors to the phishing websites. Attackers abuse LinkedIn Smart Links, which is a feature to package and share files and websites to prospects and customers. However they were abused to redirect targets to phishing websites. Using both LinkedIn Smart Links and Twitter as redirectors can help bypass email scanners and can also provide insights about the users who click on the malicious links, which might be useful to them in their future phishing campaigns.

QR Code Generator Used As a URL Shortener

Another redirector service these phishing campaigns use is QR Code Generator PRO. This is a free online tool that allows users to generate QR codes to open different resources. For these campaigns, attackers only abuse the URL shortening feature, not the QR code itself. To shorten a URL using this tool, you have to create a website QR code type and input the malicious website as the resource. Once the QR code is created, instead of sharing the code, you can instead share the generated shortened URL.

Abusing free ecommerce marketing email services

These phishing campaigns abused e-commerce platforms’ click tracking domains to serve the redirectors that lead to the phishing sites. From the samples collected by Netskope Threat Labs, Klavio and Privy were the most commonly abused platforms. Both platforms provide free trial usage, which makes it lucrative to attackers, who often take advantage of free services. We suspect that attackers also leverage the visibility these platforms provide, using the insights to improve targeting.

Conclusions

These PDF phishing campaigns are targeting personal Microsoft Live Outlook accounts and are using the common social engineering technique of creating an urgent call to action. They abuse legitimate redirector domains and URL shorteners like Twitter, LinkedIn, and QR Code Generator PRO to evade detection. Phishing attacks like this can be avoided by never entering sensitive information (like passwords or banking details) after clicking on a link. Instead, you should always browse directly to the sites in question. For example, if you believe there is a billing issue with your Amazon account, login directly to amazon.com to verify.  Netskope Threat Labs will continue to track and respond to this set of phishing campaigns.

Recommendations

Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:

  • Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
  • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

IOCs

All the URLs  related to these campaigns can be found in our GitHub repository.

author image
Jan Michael Alcantara
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

Stay informed!

Subscribe for the latest from the Netskope Blog