“This is a protected Recording!” – Spoofed Emails


Incident: Our Email Was Spoofed

Today (02-June-2020) at 13:53 we detected that a 3rd party has spoofed our sales@newheights.co.uk email address as part of their phishing campaign. It is important to note that we were not hacked and none of our data has been compromised.

What Is Email Spoofing

Email spoofing is where someone pretends to be from your email address. They do not require access to your account to do this.

When an email is sent, the sender's name is attached, and this can be forged with relative ease.

Unfortunately, there is very little we can do to prevent this other than reporting the phishing sites to their respective web hosts. This is because we have not been hacked or compromised in any way.

What To Look Out For

Emails coming from sales@newheights.co.uk with a subject related to a “protected Recording”, for example:

Newheights.co.uk: This is a protected Recording!

The emails themselves contain only a PNG image titled “footer.png”. This is placed in the email body to make the email look as if it has come from Office 365 (see image below).

Phishing email body image.
Image: Email content

The image in the email body invites the recipient to open the attached “voice-message”. The attachment is an HTML file, which is not an audio format.

The file name changes depending on the recipient but the format remains the same and will look similar to this:

📞_Newheights.co.uk_Caller.html

It is important that you do not click on this file.

If you do, it will most likely open in your web browser (e.g. Chrome, Firefox, Edge, etc.) and execute some JavaScript that will first redirect you to the obfuscated URL contained in the JavaScript. This URL serves only to redirect you to another URL, which hosts a credential harvesting page.

The page will look similar to the Microsoft account login page but none of the hyperlinks work:

Screenshot of fake Microsoft login page.
Image: Fake Microsoft login page
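For mail administrators, the attachment pattern described above (an HTML file presented as a voice message, carrying script that redirects the browser) can be checked for automatically. The following is an added example, not part of the original notice: the sample message, the indicator patterns and the `triage` function are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample, not the real phishing email. The emoji prefix of the real
# file name is omitted and the encoded string is a placeholder URL.
SAMPLE_EML = """\
From: sales@newheights.co.uk
To: recipient@example.org
Subject: Newheights.co.uk: This is a protected Recording!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<img src="cid:footer.png">
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Newheights.co.uk_Caller.html"

<script>window.location.replace(atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv"));</script>
--b1--
"""

# Heuristic indicators (assumptions for this example, not an exhaustive list).
CHECKS = [
    ("script tag", re.compile(r"<script\b", re.I)),
    ("redirect", re.compile(r"location\s*(\.href|\.replace|\.assign|=)|http-equiv=[\"']?refresh", re.I)),
    ("obfuscation", re.compile(r"\b(atob|unescape|eval|fromCharCode)\s*\(", re.I)),
]

def triage(raw_eml):
    """Return [(filename, reasons)] for HTML attachments found in a raw message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. HTML sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        reasons = ["html attachment"] + [label for label, rx in CHECKS if rx.search(body)]
        findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EML):
        print(name, "->", ", ".join(reasons))
```

A hit on all four reasons is a strong signal to quarantine the message; the inline body image is skipped because it is not an attachment.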

Conclusion

We have reported the phishing domains to their respective web hosts and they will hopefully be taken down soon.

We would like to reiterate that we have not been hacked and that this was only someone spoofing our email address.

Google has a really helpful article on safe browsing that we recommend, which goes into greater detail on some of the various kinds of phishing that exist.

If you have any questions please contact us.