Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to sites that steal their Microsoft account credentials.
Besides Microsoft account details, the attackers also attempt to steal their victims’ multi-factor authentication (MFA) codes to take over their accounts.
“Messages purported to be from Microsoft and invited recipients to an ‘artificial technology hub’ in her honor,” Proofpoint’s Threat Insight team revealed today.
In the campaign spotted by Proofpoint, the phishing actors impersonate “the Microsoft team” and try to bait the recipients into adding their memo onto an online memory board “in memory of Her Majesty Queen Elizabeth II.”
After clicking a button embedded within the phishing email, the targets are instead sent to a phishing landing page where they’re asked first to enter their Microsoft credentials.
“Messages contained links to a URL redirecting credential harvesting page targeting Microsoft email credentials including MFA collection,” Proofpoint added.
The attackers use a new reverse-proxy Phishing-as-a-Service (PaaS) platform known as EvilProxy promoted on clearnet and dark web hacking forums, which allows low-skill threat actors to steal authentication tokens to bypass MFA.
United Kingdom’s National Cyber Security Centre warned on Tuesday about an increased risk of cybercriminals exploiting the Queen’s death for their own gain in phishing campaigns and other scams.
“While the NCSC – which is a part of GCHQ – has not yet seen extensive evidence of this, as ever you should be aware it is a possibility and be attentive to emails, text messages, and other communications concerning the death of Her Majesty the Queen and arrangements for her funeral,” the NCSC said.
While this malicious activity seems limited, the NCSC has seen such phishing attacks and is currently investigating them.
Sources have also told BleepingComputer that the NCSC is aware of phishing messages where the attackers attempt to trick potential victims into handing over sensitive information, including banking details.
“Cyber criminals often play on your emotions to get you to click, and may also refer to high profile current events,” the agency added.
“The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.”