Encrypted Phishing Email

We received an interesting phishing email attack this weekend – something I had never seen before.  One of the property managers at our building sent a number of us at NCIGF an encrypted email with the subject line: “New Message from your email contact  9801210”.  The body of the email contained an encrypted email message with a link to click to get the message – very standard stuff.  Looking at the link, it went to a microsoft.com domain that prompted you to enter your credentials.  The good news is that no one here did that, primarily thanks to the quarterly cyber training and monthly phishing tests.  Presumably, the phishing attack was either an attempt to harvest credentials (username and password) or – and this is the theory I find more plausible – the encrypted email, once decrypted, contained some kind of malware/virus payload.  We don’t know for sure because by the time we started doing analysis, the initial “open message” link redirected to “page not found”.

We reached out to the sender this morning and they confirmed their email had been compromised over the weekend.

I’ve never seen a legitimately encrypted email be used as a vector for phishing.  While we do communicate to the building manager via email from time to time, we’ve never had cause to send PII.  No one in the office was expecting documents or messages from the building that would necessitate encryption.  This is a clever attack because it hijacks the notion that encryption=safe.  That said, if you receive an encrypted email from someone out of the blue, it’s always a good policy to be skeptical.  Reach out to the sender by phone (not email!) and verify that they sent it.

I’ve included a screenshot of the email in question with names redacted to protect the guilty.