Microsoft Email Security bypasses Instagram credential phishing attacks

A credential phishing attack has been reported to have targeted 22,000 students at educational institutions nationwide through a campaign where hackers impersonated Instagram.

The advisory was highlighted by Armorblox security experts in a notice posted on November 17, 2022.

The notice reads: “The subject of this email encouraged victims to open the message… The purpose of this subject was to induce a sense of urgency in victims, by giving the impression that a action had to be taken to prevent future damage.”

Apparently the email appeared to be from Instagram support. The sender’s name appeared as Instagram and the email address matched the social media site’s real credentials.

“This targeted email attack was socially engineered, containing recipient-specific information – such as their Instagram user ID – in order to build a level of confidence that this email was a legitimate email communication from ‘Instagram.’

Once users clicked on a link in the email, they were redirected to a fake landing page. There was a “It wasn’t me” option which, when clicked, directed users to a second fake landing page specifically designed to obtain user credentials, including sensitive information.

The Armorblox advisory added, “The email attack used language as the primary attack vector and bypassed native Microsoft email security controls. It passed SPF and DMARC email authentication checks,” Armorblox explained.

Sami Elhini, biometrics specialist at Cerberus Sentinel, explained: “In this case, an email from instagramsupport.net should be considered suspicious because Instagram’s domain is instagram.com. When a service provides support, it may be advisable to contact support directly if you are unsure of what action to take.

He also added that verifying the origin of an email is a good start, but further investigation is needed regarding the domain of the email’s origin.

Erich Kron, Security Awareness Advocate at KnowBe4added that being comfortable with user interfaces and being able to navigate technology does not mean that individuals fully understand the risks.

“In our modern digital world, it’s very important to stay informed about how to spot these types of social engineering attacks.”

It comes after warnings of an increase in web phishing attacks.

Comments are closed.