Cybersecurity researchers have uncovered a sophisticated phishing campaign targeting organizations in the United States. The attackers are leveraging a previously unseen method to deploy a malicious remote access trojan (RAT) known as NetSupport RAT.
This campaign, dubbed Operation PhantomBlu by Israeli cybersecurity firm Perception Point, centers around exploiting a vulnerability in Microsoft Office document templates.
Earlier NetSupport RAT campaigns relied on other delivery mechanisms. Operation PhantomBlu, however, employs a novel technique: manipulating Object Linking and Embedding (OLE) templates within Microsoft Office documents. OLE allows various objects to be embedded in a document, and the attackers abuse this functionality so that malicious code runs when the document is opened. Because the payload is carried by the template mechanism rather than by a conventional macro or script, the technique is harder for security software to detect.
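A defender triaging attachments wants a quick way to see whether a Word file pulls in anything from outside itself. The following Python is an added example, not code from the article or from Perception Point. It assumes the indicators worth flagging are the ones the OOXML format makes visible: a relationship with `TargetMode="External"` (an attached template fetched from a remote location, for instance), an embedded OLE object part under `word/embeddings/`, and a VBA project. The sample document is constructed in memory; the remote target name is a placeholder.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Relationship namespace defined by the Open Packaging Conventions used by .docx files.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_docx(template_target=None, with_ole_object=False):
    """Construct a minimal .docx-like zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = ['<Relationships xmlns="%s">' % REL_NS]
        if template_target:
            # An attached template that points outside the package (hypothetical target URL).
            rels.append(
                '<Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                'Target="%s" TargetMode="External"/>' % template_target
            )
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_ole_object:
            # OLE compound-file magic bytes plus filler; a real object would be a full CFB stream.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def inspect_docx(data):
    """Return a list of (kind, part_name, detail) findings that merit a closer look.

    kinds: external_relationship, embedded_object, vba_project
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    # Short relationship type, e.g. "attachedTemplate", "oleObject", "hyperlink".
                    rel_type = (rel.get("Type") or "").rsplit("/", 1)[-1]
                    if rel.get("TargetMode") == "External":
                        findings.append(("external_relationship", name,
                                         "%s -> %s" % (rel_type, rel.get("Target"))))
            elif name.startswith("word/embeddings/"):
                findings.append(("embedded_object", name, ""))
            elif name.endswith("vbaProject.bin"):
                findings.append(("vba_project", name, ""))
    return findings


if __name__ == "__main__":
    suspicious = build_sample_docx("http://template-host.invalid/report.dotm", with_ole_object=True)
    for kind, part, detail in inspect_docx(suspicious):
        print(kind, part, detail)
```

An external `attachedTemplate` relationship is not malicious on its own (corporate templates on a file share use it too), so the output is a triage signal to combine with sender and header checks, not a verdict.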
The phishing emails arrive disguised as legitimate communications, often from the accounting department. The emails typically contain an attached Microsoft Word document, supposedly containing a "monthly salary report" or similar enticing subject matter.
Security experts advise caution when opening attachments, particularly those from unknown senders or emails with a suspicious tone. Scrutinizing email headers, such as the Return-Path and Message-ID fields, can also reveal inconsistencies that might indicate a phishing attempt. Even senders with seemingly familiar email addresses can be spoofed, so vigilance is crucial.
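The header scrutiny described above can be automated for a mail-triage queue. The Python below is an added example, not the article's or the researchers' tooling. It assumes the relevant inconsistency is a mismatch between the domain shown in `From` and the domains in `Return-Path`, `Message-ID` and `Reply-To`, and it treats a subdomain of the `From` domain as consistent so that an organization's own mail relays are not flagged. Both messages are constructed samples using reserved `.example` domains.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def address_domain(value):
    """Lower-cased domain of the mailbox in a From/Reply-To/Return-Path header ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_id_domain(value):
    """Domain on the right-hand side of a Message-ID such as <id@host> ('' if none)."""
    m = re.search(r"@([^>\s]+)>?\s*$", str(value or ""))
    return m.group(1).lower() if m else ""


def same_org(domain, from_domain):
    """True when domain equals the From domain or is a subdomain of it."""
    return domain == from_domain or domain.endswith("." + from_domain)


def header_inconsistencies(raw_message):
    """Return human-readable inconsistencies between From and the other identity headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = address_domain(msg["From"])
    issues = []
    checks = [
        ("Return-Path", address_domain(msg["Return-Path"])),
        ("Message-ID", message_id_domain(msg["Message-ID"])),
        ("Reply-To", address_domain(msg["Reply-To"])),
    ]
    for header, domain in checks:
        # A missing header yields '' and is skipped; only a present, foreign domain is reported.
        if domain and not same_org(domain, from_domain):
            issues.append("%s domain %s does not match From domain %s" % (header, domain, from_domain))
    return issues


# Constructed sample: From claims the company's accounting department, but the bounce address
# and Message-ID belong to an unrelated bulk-mail service.
SUSPICIOUS = b"""Return-Path: <bounce-4711@bulkmail.example>
Message-ID: <20240301.abc@bulkmail.example>
From: "Accounting Dept" <accounting@corp.example>
Reply-To: accounting@corp.example
To: staff@corp.example
Subject: Monthly salary report
Content-Type: text/plain

Please review the attached report.
"""

# Constructed sample: all identity headers stay within corp.example (a relay subdomain is fine).
CONSISTENT = b"""Return-Path: <accounting@corp.example>
Message-ID: <20240301.def@mail.corp.example>
From: "Accounting Dept" <accounting@corp.example>
To: staff@corp.example
Subject: Monthly salary report
Content-Type: text/plain

Please review the attached report.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("consistent", CONSISTENT)):
        print(label, header_inconsistencies(raw) or ["no inconsistencies"])
```

`Return-Path` is written by the receiving mail server from the SMTP envelope sender, so run this on messages as delivered, not on drafts. A mismatch is an indicator, not proof: legitimate newsletters sent through a marketing platform show the same pattern, which is exactly why a campaign sent through such a platform looks plausible and why the result should feed a triage decision alongside the attachment checks.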
Furthermore, researchers discovered the attackers employed a legitimate email marketing platform, Brevo (formerly Sendinblue), to distribute their emails. This highlights the increasing sophistication of phishing tactics, where attackers go to great lengths to make their campaigns appear genuine.
Organizations are urged to educate employees on cybersecurity best practices, including email attachment awareness and phishing red flags. Additionally, implementing robust security solutions with advanced detection capabilities is paramount to mitigating such threats.
The full extent of Operation PhantomBlu and the number of targeted organizations remain under investigation. However, this discovery underscores the evolving landscape of cyber threats and the necessity for continuous vigilance and proactive security measures.