

Beginning in January 2021, several INKY users began receiving emails with fake “requests for proposal” (RFPs). These supposed RFPs came from recipients’ legitimate contacts, but those accounts had been compromised by bad actors. In this case, phishers were staging their forays from Adobe Spark, a cloud-based design application that allows users to create and share content. The goal of the ruse was to harvest recipients’ credentials. Unknowingly, Adobe had been facilitating this campaign for months. Even today, customized documents with malicious links are being hosted on Adobe Spark, and each instance remains active until Adobe receives an abuse report (like the one below) and takes it down.

In this report, INKY analyzes the Adobe Spark Request for Proposal phishing scam. This exploit made use of several known tactics, combined in a new way. INKY was able to determine that the phishing attempts were sent from known-to-the-recipient but compromised accounts. INKY authenticated the emails' SPF and DKIM records, detected no evidence of spoofing in the received headers, and did not fit them with a First-Time Sender banner notification.

Other INKY modules did smell the phish, however, and were triggered strongly enough to set off both Phishing Content and Phishing Site notifications and assign a red banner. As of this writing, INKY has detected 2,181 of these attacks.

If the target was sophisticated enough, they might have hovered over the white “VIEW RFP DOCUMENT” button and seen the malicious link. Clicking the link would take the victim to a customized document on Adobe Spark like the one below.

By placing the document on Adobe Spark, the phisher avoided detection because the only link that appeared in the phishing email was a reputable URL that most email security vendors view as safe. The user was prompted to sign in with their email credentials to view the document. The malicious link on that document went to a phishing site that impersonated Adobe. It turns out, episodeabstract.com was a recently created domain controlled by the phisher, and the malicious link appeared in several threat intelligence feeds. Three different credential harvesting forms appeared, depending on the email provider selected.
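The report's core detection point is that SPF and DKIM passing says nothing about intent when the sending account itself is compromised, and that the only URL in the message points at a trusted content host, so the real signal comes from the lure wording, the hosting platform, and the age of the domain the hosted page finally forwards to. The following triage script is an added example written for this page, not INKY's code or any part of its product. The sample email, the Adobe hosting hostnames, the landing domain and its registration date are all constructed or assumed; in practice the landing chain would come from a URL sandbox and a WHOIS lookup that the script deliberately does not perform.

```python
"""Added example (not INKY's code): triage an RFP-lure email whose only link
points at a trusted content-hosting platform.

All sample data here is constructed for the example. The hosting hostnames,
landing domain and registration date are assumptions, not values from the report.
"""
from datetime import date
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms anyone can publish on: a link to them says nothing about the page
# it forwards to. Hostnames are assumed for the example.
CONTENT_HOSTING = {"spark.adobe.com", "express.adobe.com"}

# Lure wording seen in RFP-style campaigns (the report's button text included).
LURE_PHRASES = ("view rfp document", "request for proposal")

NEW_DOMAIN_DAYS = 90  # landing domains younger than this count as newly registered


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg: Message) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for token in header.replace(";", " ").split():
        key, _, value = token.partition("=")
        if key in ("spf", "dkim", "dmarc") and value:
            results[key] = value
    return results


def triage(raw_email: str, landing_chain: list, today: date) -> dict:
    """Score one message.

    landing_chain is a list of (hostname, registration date or None) describing
    where the hosted page forwards the victim; the caller obtains it from a
    sandbox/WHOIS. Passing authentication is recorded but never lowers the score,
    because a compromised contact passes SPF and DKIM just as a real one does.
    """
    msg = message_from_string(raw_email)
    auth = auth_results(msg)
    indicators = []

    # Indicator 1: a call-to-action with lure wording that links to a content host.
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if host in CONTENT_HOSTING and any(p in text.lower() for p in LURE_PHRASES):
            indicators.append(f"lure button '{text}' links to content host {host}")

    # Indicator 2: the page behind the hosted document lives on a young domain.
    for host, registered in landing_chain:
        if host in CONTENT_HOSTING or registered is None:
            continue
        age = (today - registered).days
        if age < NEW_DOMAIN_DAYS:
            indicators.append(f"landing domain {host} registered {age} days ago")

    verdict = {0: "clean", 1: "suspicious"}.get(len(indicators), "phishing")
    return {"auth": auth, "indicators": indicators, "verdict": verdict}


# Constructed sample: a passing-authentication message from a "known contact"
# whose only link is a content-hosting URL behind an RFP button.
SAMPLE_EMAIL = """\
From: Known Contact <contact@partner.example>
To: target@victim.example
Subject: Request for Proposal
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached RFP.</p>
<a href="https://spark.adobe.com/page/CONSTRUCTED-ID/" style="background:#fff">VIEW RFP DOCUMENT</a>
</body></html>
"""

# Constructed redirect chain: hosted page -> credential form on a young domain.
SAMPLE_CHAIN = [("spark.adobe.com", None), ("phish-landing.example", date(2021, 1, 10))]

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, SAMPLE_CHAIN, date(2021, 2, 1)))
```

Note that `auth` is returned only so an analyst can see that the message authenticated; the verdict is driven entirely by the lure-to-content-host link and the landing domain's age, which is the combination the report describes.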
