We have identified a new targeted phishing campaign in which cybercriminals attempted to attack manufacturing companies. The attack employed a multi-stage approach — before sending the phishing link directly, the attackers engaged in correspondence with the victim to lower their guard. The email texts were apparently generated using large language models. As of this post’s publication, the attack is still ongoing, so we recommend staying vigilant!
Phishing scheme
The attackers attempt to pose as potential clients. The emails are sent from addresses registered on free email services — these services do not have a known bad reputation, and are often actually used for business correspondence, especially by small companies. Regardless of the victim’s native language (and we’ve seen attacks targeting companies in Russia, the Czech Republic, Malaysia, and Egypt), the attackers’ emails are always written in English.
In the first email, the attackers ask questions about the products being offered, citing actual product names. This indicates thorough preparation for the attacks — the attackers do not send identical emails to manufacturing companies with similar profiles, but rather carefully research publicly available information about each victim online. If someone responds to the first email, the attackers continue the correspondence. Sometimes, before moving directly to their objective — extracting credentials from corporate email accounts — they exchange several messages in which, as a distraction, they clarify certain details or ask additional questions. But more often than not, they send the phishing link as early as the second email.
The attackers send detailed specifications for a product they claim to be interested in, ask if the product can be engraved according to a sketch, or use any other pretext to try to get the victim to open the file they’ve sent.
Phishing website
In reality, there is no file at all. The phishing site that opens when victim clicks the link mimics a popular cloud service for working with PDF documents. The “Download” button leads to a login form where the victim is asked to enter their work email address and password to access the confidential file. Of course, this is “for security purposes.” If an employee of the targeted company doesn’t stop to think about why they would enter their corporate login credentials on a completely unrelated website — one that clearly has no way of verifying their authenticity — then their email address and associated password will be sent to the attackers’ server.
How to stay safe?
Modern phishing attacks are becoming increasingly sophisticated and, thanks to attackers’ use of AI tools, even more convincing. That’s why, first and foremost, we always recommend periodically raising employee security awareness. And to ensure they have to put this knowledge into practice as rarely as possible, it is recommended to deploy a security solution at the email gateway level. Specifically, our Kaspersky Secure Mail Gateway detects this phishing attack even before the attackers move on to the actual phishing attempt.
phishing

Tips