Organizations in Australia Targeted by Deceptive Phishing Attacks Disguised as Atlassian


Enterprises in Australia and the broader APAC region have been cautioned about cyber criminals exploiting prominent platforms like Atlassian to carry out more deceptive phishing attacks on legal firms and other businesses. The objective of these attacks is to pilfer employee credentials and breach the cybersecurity defenses of companies.

According to Ryan Economos, the Chief Technology Officer for the APAC region at Mimecast, cyber attacks using Atlassian as a guise are uncommon but are increasing in sophistication. He attributes this to phishing kits and Artificial Intelligence (AI), which help cyber criminals conduct their operations more efficiently.

Deceptive phishing attacks targeting Australian organizations

The Global Threat Intelligence Report 2024 H1 released by Mimecast highlighted a new phishing strategy that employed a cover story related to compliance updates to dupe employees of law firms. This phishing campaign:

  • Utilized widely recognized brands like Atlassian’s workspaces, along with other integrated workspace platforms such as Archbee and Nuclino, to deliver malicious emails to employees, giving them an appearance of authenticity.
  • Masqueraded as device compliance updates, instructing employees through email to update their devices to comply with company policies.
  • Was designed to redirect individuals who clicked the link to a counterfeit company portal for the purpose of harvesting credentials and sensitive details.
  • Incorporated the phishing link within an email sent from addresses affiliated with Japanese Internet Service Providers (ISPs).

Mimecast’s report stated, “There is significant personalization in the emails, including details about a ‘device’ and multiple mentions of the targeted company’s domain to enhance credibility.”

“The sender’s name in the address always matches the target organization’s domain, intending to deceive end users into believing it originates from their internal department,” the report added.
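
A mail-filter check for the mismatch the report describes, added here as an example and not taken from Mimecast's report. It assumes the "sender's name" is either the display name or the local part of the address, and the domains used (`lawfirm.example`, `isp.example.jp`) are constructed placeholders.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr


def sender_mismatch(from_header, org_domain):
    """Flag a From header that names the organisation but is sent from outside it."""
    org_domain = org_domain.lower().rstrip(".")
    display, address = parseaddr(from_header)
    try:
        # Decode RFC 2047 encoded-words so an encoded display name is still inspected.
        display = str(make_header(decode_header(display)))
    except Exception:
        pass  # malformed encoding: fall back to the raw display name
    local, _, sender_domain = address.lower().rpartition("@")
    sender_domain = sender_domain.rstrip(".")
    # Exact match or a true subdomain counts as internal; look-alike suffixes do not.
    internal = sender_domain == org_domain or sender_domain.endswith("." + org_domain)
    names_org = org_domain in display.lower() or org_domain in local
    return {
        "sender_domain": sender_domain,
        "internal": internal,
        "names_org": names_org,
        "suspicious": names_org and not internal,
    }


if __name__ == "__main__":
    # Constructed sample headers, not taken from the campaign.
    for header in (
        '"lawfirm.example IT Compliance" <notice@isp.example.jp>',
        '"IT Compliance" <it@mail.lawfirm.example>',
    ):
        print(header, "->", sender_mismatch(header, "lawfirm.example"))
```
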

The advancement of sophisticated phishing attacks

Economos pointed out that although the first wave of the campaign targeted Australian law firms, it has now spread to various industries beyond the legal domain. He emphasized various elements of the campaign that demonstrate an escalation in sophistication among threat actors.

Incorporation of Atlassian and other workspace platforms

Economos mentioned that the increasing use of Atlassian workspaces marked a novel trend in the market.

“While Mimecast continues to observe threat actors employing services like OneDrive and Google Docs for hosting files or links in their campaigns, the exploitation of workspaces such as Atlassian had not been prominently abused before,” he remarked.

As part of the scheme, an email seemingly originating from Atlassian’s Confluence product was circulated. Mimecast said it had recently observed a “noticeable surge in the utilization of Atlassian” to avoid detection.

“The misuse of legitimate services poses an ongoing and evolving challenge,” Economos mentioned. “Attackers will persist in leveraging reputable sources to launch and host campaigns in an effort to escape detection.”

Operationalization of tracker data intelligence

The campaign used Postmark URLs to redirect users to the unified workspace solutions. Postmark URLs let attackers collect information such as location, browser details, and which part of the email was clicked, which they can then use to make the phishing lure more persuasive.

Deploying various URL disguise methods

To obscure the actual destination of the URL and confound users, the phishing campaign employed “multiple obfuscation techniques,” stated Mimecast. These encompassed multiple redirects in the URL, encoded characters, and the insertion of tracking parameters.
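
The three obfuscation layers named above (chained redirects, encoded characters, tracking parameters) can be peeled back statically before a link reaches a user. The following is an added example, not code from Mimecast or the article; the tracking-parameter list and the sample URL on `example.*` hosts are constructed assumptions.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qsl

# Assumed tracking parameter names; extend with those seen in your own mail flow.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content"}
MAX_HOPS = 10  # stop on pathologically nested wrappers


def decode_until_url(value, limit=5):
    """Percent-decode repeatedly until the value looks like a URL or stops changing."""
    rounds = 0
    while rounds < limit and not value.lower().startswith(("http://", "https://")):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def unwrap(url):
    """Statically follow URL-valued query parameters; no network requests are made."""
    hosts, tracking, extra_rounds = [], set(), 0
    while url and len(hosts) < MAX_HOPS:
        parts = urlsplit(url)
        hosts.append(parts.hostname or "")
        nxt = None
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in TRACKING_PARAMS:
                tracking.add(key.lower())
            # parse_qsl already decoded once; further rounds mean nested encoding.
            value, rounds = decode_until_url(raw)
            extra_rounds += rounds
            if nxt is None and value.lower().startswith(("http://", "https://")):
                nxt = value
        url = nxt
    return {
        "hosts": hosts,
        "final_host": hosts[-1] if hosts else "",
        "redirect_hops": max(len(hosts) - 1, 0),
        "extra_encoding_rounds": extra_rounds,
        "tracking_params": sorted(tracking),
    }


# Constructed sample: a tracking wrapper -> a workspace page -> a look-alike portal.
_final = "https://portal.example.net/login?utm_source=mail"
_middle = "https://workspace.example.org/wiki?next=" + quote(_final, safe="")
SAMPLE = ("https://click.example.com/track?utm_campaign=compliance&u="
          + quote(quote(_middle, safe=""), safe=""))
```

Comparing `final_host` with the first host, together with a non-zero `extra_encoding_rounds`, gives a filter or analyst the real landing domain and a simple signal that the link was deliberately wrapped.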

Engagement with unsuspecting Japanese ISPs

Although the utilization of Japanese ISPs is not exclusive to this phishing operation, Economos acknowledged that they were once again harnessed, as seen in numerous prior attacks.

“It highlights the extent to which threat actors will go to successfully orchestrate assaults on organizations,” he remarked.

Phishing attacks: Easing the process and enhancing credibility

Economos underscored that phishing continues to be a prevalent cyber threat among organizations.

Generative AI and machine learning, in addition to aiding defenders in halting attacks, are poised to elevate the sophistication and accuracy of targeting and content creation for phishing campaigns. Defenders will need to be able to identify and promptly counter novel and emerging attack methodologies.

“The most notable evolution has been the speed and precision of phishing threats, facilitated by the use of phishing kits, automation, and AI-driven technologies,” highlighted Economos. “These tools empower even less experienced attackers to execute large-scale campaigns and swiftly craft more plausible phishing emails to evade traditional security mechanisms.”

Economos also discussed the rise of pretexting, wherein cyber criminals conduct detailed research and impersonate a character to construct a convincing narrative or “pretext” to deceive the phishing victim, and the escalating prevalence of Business Email Compromise, as significant factors shaping the evolution of the phishing threat landscape.

“As our interaction platforms diversify, threat actors are broadening the attack vectors beyond emails, targeting social media platforms, collaborative tools like Microsoft Teams, Slack, and OneDrive, all the way to vishing and smishing attacks through calls or messages to deceive unsuspecting victims,” he elaborated.
