Blue-Green Button Email Phishing Campaign

A new, advanced spear-phishing campaign has been observed targeting governmental organisations across the UK. The group or groups operating the campaign appear to be performing extensive reconnaissance on potential targets to ensure higher success rates.

The malicious emails are sent from known contacts and use subject lines taken from recent email conversations. The messages themselves typically consist of a colourful (often blue or green) button element encouraging the user to interact with them in order to view the full image. Additional text included within or below the button can consist of timestamps, email addresses or strings of random text.

Users who interact with the button are presented with a login page, spoofing their organisation, asking for email address and account password. At the time of publication, it is unclear if the user is redirected to a legitimate login page if they provide their details at this stage.

Accounts compromised by this campaign have been observed being accessed remotely over POP or IMAP in order to monitor the affected mailbox and sent items, as well as to forward the phishing email to the user’s contacts via SMTP.

There are also reports suggesting that legacy Office 365 accounts may be compromised simply by interacting with the button, although this has not been confirmed as of the time of publication.