Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Analysis of a Salesforce Phishing Emails

Published: 2020-09-20
Last Updated: 2020-09-20 19:30:54 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Over the past week, I have noticed several phishing emails linked to Salesforce asking to confirm the recipient’s email address.

Sample Header


The body of the email is quite simple. Reviewing the email View Message URL by hovering over the URL or changing email to text mode and comparing it against the correct Salesforce website URL, it clearly shows the client is getting phished.

Email Body

The next thing on the verification list for this email is the SSL certificate of the site; it was created yesterday (18 Sep 2020) and this email was received today (see sample header). The certificate is authenticated by ZeroSSL which is considered an alternative to Let's Encrypt where you can also create for free a certificate valid for 90 day.

ZeroSSL Certificate Information

The root domain associated with login.salesforce.com-secur-login-portal.qualitytags[.]com and www[.] qualitytags[.]com are both resolving to 162.241.159.57 but www[.] qualitytags[.]com is using a Let's Encrypt certificate setup on the 25 Aug 2020 good for 90 days.

Let's Encrypt Certificate Information

These few simple steps can be used to verify the legitimacy of a website by examining the certificate information, its URL and manually do a quick search to confirm the website URL contained in the email is the same as the true website. The From: email address from the header (info@saggioventures[.]com) doesn't match the domain name which would be another clue that something is suspicious. If unsure, it is a good idea to report it to the security team for analysis.

[1] https://zerossl.com
[2] https://letsencrypt.org
[3] https://isc.sans.edu/ipinfo.html?ip=162.241.159.57

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

A Mix of Python & VBA in a Malicious Word Document
Sep 18th 2020
3 days ago by Xme (0 comments)

Suspicious Endpoint Containment with OSSEC
Sep 17th 2020
4 days ago by Xme (0 comments)

Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?
Sep 16th 2020
4 days ago by Johannes (0 comments)

Traffic Analysis Quiz: Oh No... Another Infection!
Sep 15th 2020
6 days ago by Brad (0 comments)

Not Everything About ".well-known" is Well Known
Sep 14th 2020
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Why is the entire community so... I don't know the words...
created Sep 8th 2020
1 week ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
3 weeks ago by Martin (0 replies)

Fellow Cyber Security Pro's, where do you get your regular feeds of information?
created Aug 11th 2020
1 month ago by Anonymous (0 replies)

Most important information security training and certifications
created Aug 10th 2020
1 month ago by Anonymous (0 replies)

Report Phishing to Major Cloud Providers
created Jul 12th 2020
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
3 years ago by Johannes (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
1 year ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 years ago by Brad (0 comments)

Keep an Eye on Disposable Email Addresses
Mar 7th 2019
1 year ago by Xme (0 comments)

send lots of email to money@stifortunes.com