The latest escapades are spoofed messages sent with subject lines stolen from the spoofee's accounts. In a campaign apparently beginning in mid-summer 2018, the messages all contain a green box which functions as a link and contains text. Figure 1 below shows an example of a typical box.
Figure 1. A green box present in spoofed emails.
The quality of the graphic of the green box is poor. The corners of the box are pixelated if the image is enlarged.
The text inside the green box has included these variants:
- Click here to view this message
- Click here to open full message
- Click here to open this message
The campaign is sophisticated, with a significant amount of horsepower behind it.
What makes this campaign unique is that each message carries a subject line stolen from the account of the person being spoofed and is addressed to the same recipients as the original message. The spoofed message therefore looks familiar to the recipient: it appears to come from someone they know, and it uses a subject already in use between the apparent sender and the recipient.
The link from the green box goes to a domain which has been newly registered within the past few weeks. Examples include:
Table 2 below lists some of the universities which have reported cases of this spoofing since July 2018. Several universities report multiple waves of spam arriving days or weeks apart.
Table 2. Schools, colleges and universities warning their users about the green-box spam and associated phishing.
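The traits described above (a clickable image, a link to a recently registered domain, and a subject line already used between the apparent sender and the recipient) can be combined into a mail-filter heuristic. The following is an added example, not code from the original article. The function names, the 30-day age threshold, the caller-supplied registration dates and the index of previously seen subjects are all assumptions, and the sample message is constructed.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class ImageLinks(HTMLParser):
    """Collect the href of every <a> that wraps an <img> (a clickable graphic)."""
    def __init__(self):
        super().__init__()
        self.href, self.hits = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
        elif tag == "img" and self.href:
            self.hits.append(self.href)
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def norm_subject(s):
    # Lower-case and drop Re:/Fw: prefixes so a reused subject compares equal.
    return re.sub(r"^((re|fw|fwd):\s*)+", "", (s or "").strip().lower())

def check_message(raw, seen_subjects, registered, today, max_age_days=30):
    """seen_subjects: {(sender, subject)} from earlier mail; registered: {domain: date}."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"] or "")[1].lower()
    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    parser = ImageLinks()
    parser.feed(html)
    hosts = {urlparse(h).hostname for h in parser.hits} - {None}
    young = sorted(d for d, reg in registered.items()
                   if (today - reg).days <= max_age_days
                   and any(h == d or h.endswith("." + d) for h in hosts))
    reused = (sender, norm_subject(msg["Subject"])) in seen_subjects
    return {"image_links": parser.hits, "young_domains": young,
            "subject_reused": reused, "suspicious": bool(young) and reused}

# Constructed sample: addresses, domains and dates are placeholders, not campaign IoCs.
SAMPLE = """From: Alice <alice@university.example>
Subject: Re: Budget meeting notes
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://mail.fresh-domain.example/view"><img src="cid:box"></a></body></html>
"""
SEEN = {("alice@university.example", "budget meeting notes")}
WHOIS = {"fresh-domain.example": date(2018, 8, 1)}
```

Calling `check_message(SAMPLE, SEEN, WHOIS, today=date(2018, 8, 15))` flags the sample. The same message evaluated months later, or with an unfamiliar subject, is not flagged.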