Phishers Using Fake Board Meeting "Reschedule" Emails to Prey Upon Executives

business meeting

Phishers are sending out attack emails that use a rescheduled business meeting as a lure to compromise senior executives’ business email accounts.

Cloud security platform Greathorn first observed this campaign on 31 January 2019. According to its analysis, an attack begins when a business executive receives a phishing email with the subject line “New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update).” The email purports to originate from the company’s CEO and asks that the recipient fill out a Doodle poll for the purpose of rescheduling a board meeting.

Whenever a targeted executive clicks on the “Participate now” button included in the email, they’re redirected to a fake Office 365 login page designed to steal their account credentials. That phishing site uses “web.core.windows.net” as its primary domain.

What makes this attack campaign particularly effective is that it employs direct spoofing to prey upon executives. That is to say it spoofs the same “from” email address as the recipient’s “to” email address. It also uses “Meetings” as the sender’s display name, a tactic which makes the email look as a legitimate meeting reschedule request generated by the CEO.

The email looks even more legitimate on a mobile device. Lorita Ba, vice president of marketing at Greathorn, explains why in a blog post:

Importantly, on a mobile device, the native Outlook client overwrites the display name to say “Note to self,” further complicating the attack and making it even more likely for a recipient to interact with it.

Those behind the campaign have targeted CEOs, CFOs, CTOs and other senior executives in organizations of diverse sizes and industry types. Many of the attack emails sent to Greathorn’s customers ended up in recipients’ junk boxes. However, the messages were still accessible to end users, meaning they could have still fallen for the scam.

Greathorn wasn’t the only security company that’s recently detected these types of attack emails. On 31 January, ZixProtect identified digital attackers’ attempts to spear phish executives with a message about scheduling a board meeting. The scheduling link included in the emails also redirected recipients to a page designed to steal access to their business email accounts. In that particular wave, Zix’s advanced threat solution blocked 100 percent of the attack attempts.

The bad actors weren’t done, however.

Less than a week after the first wave, Zix analysts noticed a similar attack campaign targeting senior executives. These emails used “Zoom Meetings” as the display name for the sending email address and came with the subject line “Your meeting attendees are waiting!” along with what appeared to be a link to join the Zoom meeting.

When a recipient clicked on the “Goto Meeting” link, they similarly ended up on a site designed to steal their Outlook credentials.

ZixProtect was able to block both of these campaigns by using certain characteristics that these operations share with one another as well as other attack operations identified back in 2018. These global filters weren’t the only defensive line in operation, either. ZixProtect’s anti-spoofing layer also flagged the emails as suspicious.

Given digital attackers’ persistence in their efforts to target senior executives, organizations have an incentive to invest in a solution that can provide multiple levels of email security. This tool should be able to analyze attack emails for known campaign patterns, for instance. It should also be able to prevent spoofing techniques that are similar in nature to those described above.

Defend against today’s digital threats with a multi-layered email security platform.