For the purposes of expediency, I am simply going to paste in the article from knowbe4.com for you. You can also read it at the URL I paste in at the bottom of the post. You can read the full article here.
“You need to know about a new phishing attack vector reported by our friends at Barkly. It utilizes a new technique that’s just plain nasty.
This week, users at one of their customers began receiving emails from known contacts they had at another organization. In the screenshot below you can see that at least one of the emails appeared to be a reply to an existing email thread, where users at the two organizations had been emailing back and forth.
The new message was noticeably short — “Morning, please see attached and confirm” (you probably see where this is going) — but in the context of the email chain it was very convincing. The email appears to come from a person at a company the receiver has been emailing with, and this message appears to be a reply to a legit email chain. Yikes.
The aim was to have the user open the Word attachment, and follow instructions to enable macros.
Technical background of the attack
The user on the other end had been infected with a new variant of Ursnif, one of the most active and widespread banking Trojans in the world.
Investigation showed that the Word doc the user downloaded contained a macro that, when activated, launched a PowerShell script designed to download the Ursnif payload.
Ursnif is a powerful trojan with a lot of features like stealing victim credentials in a variety of ways via man-in-the-browser attacks, keylogging, screenshot capture, etc.
It looks like the evil masterminds behind Ursnif are now taking it one step further and using the compromised email accounts of its victims to spread the infection like a worm.
It’s turning infected workstations into spam factories
What makes this social engineering attack so tricky is that the email pictured above wasn’t just coming from an organization the recipient knew and had been emailing with, it came as a reply to an existing email chain. That is a hard one for a user not to fall for; they really need to be on their toes to catch this one.
Ursnif isn’t the only trojan we’ve seen hijacking victim email accounts. In July, we saw the Emotet trojan doing something similar.
Now, compromised accounts have been a thing since email has been around, so getting an infected email from a trusted source is nothing new, but if this is becoming a larger trend it is even more important to mitigate before your own network starts spewing out malicious attacks and your mail server gets on blacklists.”
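As an added example (not part of the KnowBe4/Barkly article), here is a small detector for the macro stage described above: an Office process spawning PowerShell or another shell, with download or evasion cues on the command line, run over constructed process-creation records. The record format, field names and sample paths are assumptions, not real Ursnif telemetry.

```python
"""Flag a shell spawned by an Office process, the macro-to-PowerShell step
described above. Records are CONSTRUCTED ('Key=Value|Key=Value', loosely
modelled on Sysmon Event ID 1 fields), not real Ursnif telemetry."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Heuristic cues of a download/launch stage on the command line; tune per estate.
DOWNLOAD_CUES = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|"
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|bypass",
    re.IGNORECASE,
)

def parse_event(line: str) -> dict:
    """Parse one record into a dict of its fields."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> str:
    """'alert': Office parent -> shell child with a download/evasion cue;
    'suspicious': Office parent -> shell child without one; 'ok': anything else."""
    if basename(ev["ParentImage"]) not in OFFICE_PARENTS:
        return "ok"
    if basename(ev["Image"]) not in SHELL_CHILDREN:
        return "ok"
    return "alert" if DOWNLOAD_CUES.search(ev["CommandLine"]) else "suspicious"

def scan(lines) -> list:
    """One verdict per record, in input order."""
    return [classify(parse_event(line)) for line in lines]

# Constructed sample events; <B64_PLACEHOLDER> stands in for an encoded command.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    f"ParentImage={OFFICE}\\WINWORD.EXE|Image={PS}|CommandLine=powershell -w hidden -enc <B64_PLACEHOLDER>",
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine=powershell -NoProfile -File C:\\scripts\\inventory.ps1",
    f"ParentImage={OFFICE}\\WINWORD.EXE|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
    f"ParentImage={OFFICE}\\EXCEL.EXE|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
]

if __name__ == "__main__":
    for verdict, line in zip(scan(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{verdict:<10} {line.split('|')[-1]}")
```

The "suspicious" tier exists because Office launching a shell is rare in most estates even without a download cue; the cue list is a starting point, not a complete signature.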