CyberSecurity SEE

Report: New Phishing Campaign Utilizes SuperMailer Templates with High Activity Level

A legitimate email newsletter program called SuperMailer has been used by threat actors to conduct a significant credential harvesting campaign, according to cybersecurity firm Cofense. The campaign has been gaining traction since January, with SuperMailer-generated emails accounting for more than 5% of credential phishing emails sent in the first half of May. The increased use of the tool is due to various attractive features that provide threat actors deep customization options, including placeholder fields for email personalization, a visual editor, multithreaded send option, compatibility with several mailing systems, and more. Although SuperMailer is a paid application designed for legitimate use, the threat actors were able to exploit its features for malicious purposes.

The unique SuperMailer string that gives these emails away is the result of a coding mistake the threat actors made when crafting their email templates in SuperMailer. Using the string as a pivot, Cofense was able to identify other indicators of compromise in the same emails, which comprised around 14% of the total phishing incidents it identified in May.

The phishing campaign is specifically targeting Microsoft login credentials. In recent campaigns, the attackers have created a tailored look by employing familiar email themes, such as password expiration alerts, scanned document or signature service notifications, and overdue invoices or payment reminders, alongside their customization efforts.

To deceive recipients, phishing emails must first get past the recipient’s email filtering. To achieve this, the recent SuperMailer-generated campaigns employ several strategies to evade detection by Security Email Gateways (SEGs) and other security measures: open redirect abuse, URL randomization, varied email senders, and reply chains. The tool’s send option makes it easy to mail across several channels quickly; open redirects on otherwise reputable sites forward users to external URLs that Security Email Gateways do not follow when they inspect the link; and URL randomization is a known technique for evading URL blocking that keys on suspicious strings within the URL.
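As an added defender-side example (not from Cofense or this article), the Python below triages constructed sample emails for two of the evasion patterns described above: a link whose query parameter carries a second, externally hosted URL (open redirect abuse) and a link with a long, random-looking path segment (URL randomization). Hostnames and message text are placeholders, and the entropy and length thresholds are assumed tuning values.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric tokens score well above natural words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_open_redirect(url: str):
    """Return the embedded destination when a query value is itself an absolute URL
    on a different host, i.e. the open-redirect pattern used to hide the real landing page."""
    outer = urlparse(url)
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(unquote(value))
            if inner.scheme in ("http", "https") and inner.netloc and inner.netloc != outer.netloc:
                return inner.geturl()
    return None

def is_randomized(url: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Flag URLs whose path holds a long high-entropy segment (assumed thresholds)."""
    return any(len(seg) >= min_len and shannon_entropy(seg) >= min_entropy
               for seg in urlparse(url).path.split("/"))

def triage(body: str) -> list:
    """Return (url, finding) pairs for every suspicious link in one email body."""
    findings = []
    for url in URL_RE.findall(body):
        dest = find_open_redirect(url)
        if dest:
            findings.append((url, f"open-redirect -> {dest}"))
        elif is_randomized(url):
            findings.append((url, "randomized-url"))
    return findings

# Constructed sample bodies mirroring the report's lures; all hostnames are placeholders.
SAMPLES = [
    "Your password expires today. Renew: https://trusted.example.com/redirect?url=https%3A%2F%2Flogin-portal.example.net%2Fauth",
    "Invoice #4411 overdue. View: https://cdn.example.org/d/Qx7mZp2Kv9RtLw3nHs8b/view",
    "Team lunch Friday, see https://intranet.example.com/events/lunch",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body))
```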

Spoofing the origins of emails and inserting fabricated email reply chains are techniques for faking reputation, and thereby bypassing detection by both Security Email Gateways and users. By combining SuperMailer’s customization features and sending capabilities with these SEG evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes across a range of industries.

Threat actors have found a working combination of tactics, refined it, and scaled it up, all within a few weeks. The fact that the emails are reaching users so consistently underscores the importance of user awareness and a robust, intelligence-driven email security program. Cofense caught the phishing campaign because of a coding mistake, but Brad Haas, a cyberthreat intelligence analyst at Cofense, cautioned that the threat actors must be taken seriously given the sophistication this combination of tactics demonstrates.

While there is nothing wrong with SuperMailer as a tool in itself, it is unsettling when legitimate software is exploited by threat actors. It exemplifies why a proper security strategy is vital, and why maintaining industry awareness is essential. Companies and organizations must educate their staff on cybersecurity practices to prevent themselves from falling prey to phishing attacks. Email security programs are a valuable line of defense against phishing attempts, but they must be backed by smart and security-conscious users.
