On a regular business day, an employee received a suspicious email containing two ZIP folders with no password protection as attachments from a colleague (an internal user). The spear phishing email was cleverly camouflaged as a business email.

The sender (victim) of the email was unaware of having sent any such email. Upon further examination it was discovered that the sender’s Outlook Web Access (OWA) was compromised and a total of seven such emails were sent to employees within the organisation during the day.

The internal contacts were all present in the victim’s address book. DarkMatter also noticed the attackers attempted to hack the victim, sending the email with malicious attachments to the victim’s own email address. This activity suggests the credentials of the victim Outlook Web Access (OWA) were previously collected from earlier harvesting campaigns.