Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to malicious sites designed to steal their Microsoft account credentials.
Besides Microsoft account details, the attackers also attempt to steal their victims' multi-factor authentication (MFA) codes to take over their accounts.
"Messages purported to be from Microsoft and invited recipients to an 'artificial technology hub' in her honor," Proofpoint's Threat Insight team
revealed today.
In the campaign spotted by Proofpoint, the phishing actors impersonate "the Microsoft team" and try to bait the recipients into adding their memo onto an online memory board "in memory of Her Majesty Queen Elizabeth II."
After clicking a button embedded within the phishing email, the targets are instead sent to a phishing landing page where they're asked first to enter their Microsoft credentials.
"Messages contained links to a URL redirecting credential harvesting page targeting Microsoft email credentials including MFA collection," Proofpoint added.
The attackers use a new reverse-proxy Phishing-as-a-Service (PaaS) platform
known as EvilProxy promoted on clearnet and dark web hacking forums, which allows low-skill threat actors to steal authentication tokens to bypass MFA.
United Kingdom's National Cyber Security Centre
warned on Tuesday about an increased risk of cybercriminals exploiting the Queen's death for their own gain in phishing campaigns and other scams.
"While the NCSC – which is a part of GCHQ – has not yet seen extensive evidence of this, as ever you should be aware it is a possibility and be attentive to emails, text messages, and other communications concerning the death of Her Majesty the Queen and arrangements for her funeral," the NCSC said.
While this malicious activity seems limited, the NCSC has seen such phishing attacks and is currently investigating them.
