Date: 2024-12-02

The group behind the attack campaign has been operating since at least 2007. For each phishing attack, the group created two fake domains: one very similar to that of a third-party website known to the victims and one similar to the domain used by the targeted organization’s Outlook Web App deployment.

The attackers then crafted phishing e-mails with a link to the fake third-party website, where they hosted non-malicious JavaScript code whose purpose was twofold: to open the actual legitimate website in a new tab and to redirect the already open Outlook Web App browser tab to a phishing page.

This technique does not exploit any vulnerabilities and works in any popular browser. However, two conditions need to be met: the victims need to use Outlook Web App, and they need to click on the embedded links from the Outlook Web App preview pane.
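The two lookalike domains registered for each attack give mail filtering something to match on. The following added example (not part of the original article) flags links in a message body whose hostname is within a small edit distance of a protected hostname; the hostnames, the threshold and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hostnames staff legitimately use (hypothetical values).
PROTECTED_HOSTS = {
    "mail.corp.example",    # stands in for the organization's OWA deployment
    "conference.example",   # stands in for a third-party site known to staff
}
MAX_DISTANCE = 2  # assumed threshold: at most two single-character edits

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def lookalike_links(message_body):
    """Return (url, host, imitated_host, distance) for each near-miss hostname."""
    findings = []
    for url in URL_RE.findall(message_body):
        # urlsplit lowercases the hostname; drop a trailing root dot as well.
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host or host in PROTECTED_HOSTS:
            continue  # exact matches are the legitimate sites
        for good in sorted(PROTECTED_HOSTS):
            distance = edit_distance(host, good)
            if 0 < distance <= MAX_DISTANCE:
                findings.append((url, host, good, distance))
    return findings

# Constructed sample message body.
SAMPLE_BODY = """Agenda: http://conference.example/agenda
Register: http://conferense.example/register
Webmail: https://mail.c0rp.example/owa/
News: https://unrelated.example/"""

if __name__ == "__main__":
    for url, host, good, distance in lookalike_links(SAMPLE_BODY):
        print(f"{url}: {host} imitates {good} (distance {distance})")
```

Edit distance does not catch homoglyph or internationalized-domain variants, so a production filter would normalize those before comparing.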

Among those targeted with this technique were employees of the US private military company ACADEMI, formerly known as Blackwater; the Organization for Security and Co-operation in Europe (OSCE); the US Department of State; US government contractor SAIC; a multinational company based in Germany; the Vatican Embassy in Iraq; broadcasting companies in several countries; the defense ministries of France and Hungary; Pakistani military officials; Polish government employees; and military attachés from various countries.

The phishing baits used by the attackers included well-known events and conferences that their victims were interested in.