Protecting Your Digital Domain: Recent Phishing Attack Trends Identified by Coro  


As the digital landscape continues to expand, so does the creativity of cybercriminals seeking to exploit unsuspecting individuals and organizations. At Coro Cybersecurity, we believe in proactive defense, and that starts with knowledge. In this blog post, we’re arming you with insights into the latest phishing attack trends that we’ve identified. By understanding these threats, you can bolster your defenses and ensure that you, your team, and your organization stay one step ahead of those looking to compromise your digital security. 

Phishing attacks have evolved far beyond the days of blatant Nigerian prince scams. Today’s cybercriminals employ sophisticated tactics, leveraging social engineering, convincing disguises, and manipulation to deceive even the most cautious users. Our team of cybersecurity experts at Coro has been diligently monitoring and analyzing these trends to provide you with a comprehensive overview of the threats that currently loom large. From spear-phishing targeting specific individuals to deceptive emails imitating trusted brands, our insights will shed light on the strategies attackers are using to bypass traditional security measures. Join us as we delve into the specifics of recent phishing attacks and empower you with the knowledge to recognize and thwart these threats effectively. 

Remediation: Delete this email and block the sender’s email address if you see it pop up in your console. From the Actions menu first select the “Delete this email” option and then select the “Add sender to blocklist” option. 

Global Phishing

 
Global Phishing #1 

  • Sender: [email protected] 
  • Subject:  Pay Application #3 [ FW: Re: Payment receipt -#AP4194] <Date and Time> 
  • Targeted Industry: Construction and Automobile 
  • Analysis: 
  • The sender uses the display name: ACH.Department@<Company Name>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate.  
  • The sender attaches an HTM file named: Credit-ACH39145110885380-copy(1).html – 4.6 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, amreenit.com appears to be hosting an IT Service and Consulting webpage. 
  • We are unaware of any compromise associated with this domain.  

Global Phishing #2 

  • Targeted Industry: Technology, Education, Healthcare, Agriculture, and Automobile 
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender attempts to impersonate a financial institution (Wells Fargo Bank). 
  • The sender attaches an HTM file named: CustomerRef#3389XXX.htm – 38.7 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #3 

  • Sender: [email protected] 
  • Subject: Automated: Incoming Wire Transfer 
  • Targeted Industry: Education, Automobile, Energy and Agriculture 
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender attempts to impersonate a financial institution (Wells Fargo Bank) 
  • The sender attaches an HTM file named: CustomerRef#3389XXX.htm – 38.7 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #4 

  • Subject: Hi, you have 1 VM on <Insert Date>. Refer below to listen. 
  • Targeted Industry: Education, Healthcare, Automobile, and Energy 
  • Analysis: 
  • The sender uses the display name: <Company Domain Name> Fax-Call Notification /O=EXT#EXCHANGE=<Recipient’s Email Address>=RECIPIENTS/= 
  • It appears that the sender was unable to get the display name formatting correct.  
  • The sender attaches an HTM file named: +1816652902-0801-94135.htm – 40.6 KB 
  • The file can redirect the user to a malicious webpage.  
  • The file name appears to be a phone number. However, after researching we’ve found that this is not a legitimate phone number.  
  • There is no content within the email.  
  • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #5 

  • Subject: New V-Message from (816) 652-9*** on <Insert Date and Time>. Refer below to listen 
  • Targeted Industry: Healthcare, Education, and Automobile 
  • Analysis: 
  • The sender uses the display name: <Company Domain Name> Phone Call Notification /O=EXT#EXCHANGE=<Recipient’s Email Address>=RECIPIENTS/= 
  • It appears that the sender was unable to get the display name formatting correct.  
  • The sender attaches an HTM file named: +1816652902-0801-94135.htm – 40.6 KB 
  • The file can redirect the user to a malicious webpage.  
  • The file name appears to be a phone number. However, after researching we’ve found that this is not a legitimate phone number.  
  • There is no content within the email.  
  • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #6 

  • Subject: VM for <Recipient’s Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long 
  • Targeted Industry: Automobile  
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender attempts to obfuscate their email address with the IRS’s 1-800 number to appear more legitimate.  
  • The sender attaches an HTM file named: IRS-SECURED-DOC.HTM – 782 Bytes 
  • The file can redirect the user to a malicious webpage.  
  • Email content appears to be consistent with all the instances that we have seen. Email content states:  
  • Notice from IRS.GOV 
  • Message received on <Date and Time> 
  • Message Transcript “Your IRS Letter” 
  • The domain, beyoung.in appears to be hosting an apparel website.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #7 

  • Sender: [email protected] 
  • Subject: VM for <Recipient’s Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long 
  • Targeted Industry: Automobile, Technology, Construction, Education, and Healthcare 
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender attempts to obfuscate their email address with the IRS’s 1-800 number to appear more legitimate.  
  • The sender attaches an HTM file named: IRS-SECURED-DOC.HTM – 782 Bytes 
  • The file can redirect the user to a malicious webpage.  
  • Email content appears to be consistent with all the instances that we have seen. Email content states:  
  • Notice from IRS.GOV 
  • Message received on <Date and Time> 
  • Message Transcript “Your IRS Letter” 
  • The domain, nts-web.biz appears to be hosting a Japanese webpage for chemical compounds. 
  • We are unaware of any compromise associated with this domain.  

Global Phishing #8 

  • Sender: [email protected] 
  • Subject: Scanned: 2 pages – <Insert Company Name> Reference Number#456782 On <Insert Date and Time> 
  • Targeted Industry: Charities, Education, Construction, and Religious  
  • Analysis: 
  • The sender uses the display name: Scanner@<Company Domain Name>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate. 
  • The sender attempts to impersonate a scan / fax notification.  
  • The sender attaches an HTM file named: SecuredScanner.htm – 13.7 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, brisklearning.com appears to be hosting an Education based webpage that focuses on the creation of exam papers and other learning activities. 
  • We are unaware of any compromise associated with this domain.  

Global Phishing #9 

  • Sender: [email protected] 
  • Subject: Notice: <Recipient’s Email Address> On <Insert Day of the Week, Date, and Time> 
  • Targeted Industry: Education, Construction, Automobile, Religious, and Technology 
  • Analysis: 
  • The sender uses the display name: IT@<Company Domain Name>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate.  
  • The sender uses an image to make the email content appear as if the notification came from DocuSign.  
  • Fake DocuSign notification; malicious embedded links in email content.  
  • The sender’s domain, orgafarma.com.br appears to be hosted in Brazil and redirects to a different URL named: grupoorgafarma.com.br/portal/. 
  • The redirected webpage appears to be hosting an online Pharmacy.  
  • We are unaware if the domain being used is associated with the company the domain redirects to.  
  • We are unaware of any compromise associated with these webpages or domains.  

Global Phishing #10 

  • Sender: tamaki3<Recipient’s Username>@toua-u.ac.jp 
  • Subject: This is confirmation for the ACH payment sent today Processed on <Insert Date and Time> 
  • Targeted Industry: Construction and Automobile 
  • Analysis:  
  • The sender uses the display name: <Recipient’s Email Address> 
  • The sender attempts to spoof and/or obfuscate their email address to appear more legitimate and to evade detection.  
  • The sender’s email address changes based on the recipient’s username.  
  • The sender attaches an HTM file named: Auto ACH Confirmation-6723604.htm – 2.7 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, toua-u.ac.jp appears to be hosting a Japanese university named Dong-A University.  
  • We are unaware of any compromise associated with these webpages or domains.  

Global Phishing #11 

  • Sender: [email protected] 
  • Subject: Reminder: Action needed for <Company Name> 
  • Targeted Industry: Healthcare and Automobile  
  • Analysis: 
  • The sender uses the display name: Password Notification@<Company Domain Name>.com 
  • The sender attempts to obfuscate their email address to make the email appear as if it’s coming from inside the company.  
  • The sender uses urgency by stating that the recipient’s password is expiring today.  
  • Fake Microsoft 365 notification asking the user to verify their current email password with a button that says, “Keep My Password”.  
  • Malicious embedded links in email content. 
  • The domain, righttalents.net appears to be an IT Recruiting company.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #12 

  • Sender: [email protected] 
  • Subject: Action Required: Payment Notification on <Insert Date>. View Attached 
  • Targeted Industry: Healthcare 
  • Analysis: 
  • The sender uses the display name: Accounts Payables Invoice entry AR@<Company Domain Name>.com 
  • The sender attempts to impersonate a company email address to appear as if the email was sent from within the company.  
  • The sender attaches an HTM file named: Statement.htm – 2.3 KB 
  • Email content shows a disclaimer from Opal, which is a company based out of Australia and New Zealand.  
  • The domain, integrityenergysolutions.co.uk appears to be hosting a webpage based around electrical contracting and installation.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #13 

  • Targeted Industry: Technology, Healthcare, and Automobile  
  • Analysis: 
  • The sender uses the display name: Donotreply@<Company Name>SharedFileNotificationSupportfiledelivery.pdf 
  • The sender attaches an HTM file named: DOC947-1042396.html – 4.2 KB 
  • The sender attaches an image within the email content to make the email appear more legitimate.  
  • The image appears to state that the email is from Microsoft Teams TimeSheets. 
  • The image content asks the user to open the email attachment to review their timesheet to ensure its accuracy.   
  • The sender is baiting the recipient to open the email attachment.  
  • The domain, greatcentralinc.com appears to be hosting a Southern Californian Transportation webpage.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #14 

  • Targeted Industry: Automobile 
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender is attempting to obfuscate their email address to appear more legitimate.  
  • The sender attaches an HTM file named:  Scanner0000276 .htm – 12.8 KB 
  • The file can redirect the user to a malicious webpage.  
  • The domain, revivecolorado.net appears to be hosting a webpage associated with Ketamine therapy.  
  • We are unaware of any compromise associated with this domain.  

Global Phishing #15 

  • Sender: [email protected] 
  • Targeted Industry: Automotive, Technology, Healthcare, Education 
  • Subject: Accounts Payable Report as at <Day of the Week, and Date> 
  • Analysis: 
  • The sender uses the name of a C-Level executive within the company to appear more legitimate.  
  • The sender asks for an Aging Report that includes customer contact information. 
  • We’ve identified these emails as impersonation emails. 
  • The sender’s domain is hosted in Nicaragua and appears to be hosting a wholesale retail market that focuses on imports, exports, and real estate investments. 
  • We are unaware if this domain has experienced a compromise.  

Global Phishing #16 

  • Targeted Industry: Religious, Automotive, Charities, Education, Agriculture, Technology 
  • Analysis: 
  • The sender uses the display name: Notification@<Company Domain>.<extension> 
  • The sender attempts to impersonate a Microsoft notification. 
  • Email content is asking the recipient to review X number of incoming messages. 
  • There is a blue button within the email content that asks the recipient to review the messages.  
  • Malicious embedded links in email content.  
  • The domain, utsa.edu hosts the University of Texas at San Antonio. 
  • We notified this institution regarding the potentially compromised email. 
  • We did not receive confirmation on the compromise and are unable to comment any further.  

Global Phishing #17 

  • Targeted Industry: Automotive  
  • Analysis: 
  • The sender uses the display name: [email protected] 
  • The sender attaches an HTM file named: #20374008 .htm 
  • The file has the ability to redirect the end user to a malicious webpage.  
  • The domain, crandallonstjohn.com hosts an Island Vacation website that targets the Virgin Islands.  
  • We are unaware if this domain has experienced a compromise.  

Global Phishing #18 

  • Sender: [email protected] 
  • Subject: <Username of Recipient>, Your organization (<Company Name>) has shared a secure document with you “<Company Name>_Updated & Revised Contracts” – Download enclosed to review & sign 
  • Targeted Industry: Education, Technology, Religious, Automotive 
  • Analysis: 
  • The sender uses the display name: notifications@<Company Domain>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate.  
  • The sender attaches an HTM file named: Updated & Revised Contracts_Weds Aug 9.htm – 2.7 KB 
  • The file has the ability to redirect the end user to a malicious webpage.  
  • The domain, apside-groupe.com redirects to apside.com. 
  • The domain, apside.com appears to be hosting a French IT Company.  
  • We are unaware if apside-groupe.com is affiliated with apside.com. 
  • We are unaware if this domain has experienced a compromise.  

Global Phishing #19 

  • Sender: [email protected] 
  • Subject: vm197219721972 For <Recipient’s Email Address> On, <Date and Time> 
  • Targeted Industry: Automotive 
  • Analysis: 
  • The sender uses the display name: <Company Name>@<Company Domain>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate.  
  • The sender attaches an HTM file named: Play_vm663666366636_wav.htm – 2.7 KB 
  • The sender attempts to obfuscate the file as a WAV file.  
  • The file has the ability to redirect the end user to a malicious webpage.  
  • The domain, zestkurashiki.com is hosting a Japanese real estate agency that focuses on the open house market.  
  • We are unaware if this domain has experienced a compromise.  

Global Phishing #20 

  • Subject: **Final Statement Invoices** PAID Invoices S17792 & W22139 – Remittance Advise K2587 ZX250 & K2572 ZX135 
  • Targeted Industry: Construction, Automotive, Education  
  • Analysis: 
  • The sender uses the display name: Remits@<Company Domain>.com 
  • The sender attempts to impersonate a company email address to appear more legitimate.  
  • The sender attaches an HTM file named: ACH_Remittance.htm – 7.4 KB 
  • The file has the ability to redirect the end user to a malicious webpage. 
  • The domain, mygym.jp appears to host a Japanese children’s fitness center.  
  • We are unaware if this domain has experienced a compromise.  

Global Phishing Events

Global Phishing Event #21 

  • Sender: [email protected] 
  • Subject: FW: EFT/ACH Payment Remittance Advice For <company name> (PAID IN FULL). 
  • Analysis: 
  • The sender uses the display name: Accounts Payable – [email protected]_remittance.officemailbox 
  • The sender attaches an HTM file named: ATT91038592u5823342.htm – 451.6 KB 
  • The file will redirect the recipient to a malicious webpage.  
  • It appears that the sender is attempting to insert an image; however, the image link is consistently broken within the email contents.  
  • The domain, nassembly.org appears to be hosting a National Human Services Assembly webpage. 
  • We are unaware if this domain has been compromised.  

Global Phishing Event #22 

  • Subject: 📄 Your Shared Document is Completed 
  • Analysis: 
  • The sender uses the display name: message-center@<Company Name>.com 
  • The sender attempts to obfuscate their email address to appear more legitimate. 
  • The sender attempts to impersonate a company email address to make it appear as if the email came from within the company.  
  • Fake DocuSign notification; malicious embedded links in email content 
  • The domain, si-security.com appears to be hosting a personal security consulting webpage.  
  • We are unaware if this domain has been compromised.  

Global Phishing Event #23 

  • The sender attempts to appear as a service requiring payment 
  • The sender attaches an HTM file named: AP Receipt 07.20.23.htm – 1.7 KB 
  • The file will redirect the recipient to a malicious webpage.  
  • The domain, asptherapy.com is not public facing and is not hosting any applicable content.  
  • We are unaware if this domain has been compromised or is being used specifically for illicit use.  

Global Phishing Event #24 

  • Sender: [email protected] 
  • Subject: <User Name>, Your signature is required on the attached Document | <Company Name> Inbound – Download enclosed to Review & Sign 
  • Analysis: 
  • The sender uses the display name: notification@<Company Name>.com 
  • The sender attempts to obfuscate their email address to appear more legitimate.  
  • The sender attempts to impersonate a company email address to make it appear as if the email came from within the company 
  • The sender attaches an HTM file named: Docusign DOC0037.htm – 2.1 KB 
  • The file appears to be a fake DocuSign notification.  
  • The domain, atlanticone.eu is not public facing.  
  • We are unaware if this domain has been compromised.  

Global Phishing Event #25 

  • Sender: [email protected] 
  • Subject: A New Audio is Attached for <Recipient’s Email Address> on <Insert Date and Time> 
  • Analysis: 
  • The sender uses the display name: <Company Name> Missed Call Notification/O=EXT#EXCHANGE=<Recipient’s Email Address>=RECIPIENTS/= 
  • The sender attaches an HTM file named: Call.Summary ATTFILE3434.00.htm – 539 Bytes 
  • The file will redirect the recipient to a malicious webpage. 
  • The sender appears to be attempting to impersonate a missed call notification.  
  • The domain, geyce.es appears to be hosting a communication software tool.  
  • We are unaware if the domain has been compromised.  

Global Phishing Event #26 

  • Sender: [email protected] 
  • Subject: Document to: <Recipient’s Email Address> | Payroll Agreement.pdf: Please review & sign 
  • Analysis: 
  • The sender is using the display name: Human Resource HR – hr@<Company Name>.com 
  • The sender attempts to impersonate the HR Department to appear more legitimate. 
  • The sender attempts to make the email appear as if it came from within the company.  
  • The sender attaches an HTM file named: Payroll Agreement.htm – 2.2 KB 
  • The file will redirect the recipient to a malicious webpage.  
  • Email content shows a fake DocuSign notification; the sender attempts to make the email appear more legitimate by using a DocuSign image.  
  • Malicious embedded links in email content.  
  • The domain, aia-aomori.or.jp appears to be hosting a Japanese industrial association webpage.  
  • We are unaware if the domain has been compromised.  

Global Phishing Event #27 

  • Sender: [email protected] 
  • Subject: United Wholesale Mortgage | 1223233994 | Clear to Close and Closing instructions [SECURE. <Insert Date and Time> 
  • Analysis: 
  • The sender uses the display name: UWM Processor Assist [email protected] 
  • The sender attempts to appear as a service requiring payment.  
  • The sender is attempting to impersonate a United Wholesale Mortgage notification  
  • The sender uses an image to make the email content appear more legitimate.  
  • Malicious embedded links in email content that will redirect the user to a malicious O365 portal.  
  • The sender appears to be attempting to collect the recipient’s email address and password.  
  • The domain, centrixvascular.com appears to be hosting a medical webpage for vascular health.  
  • We are unaware if the domain has been compromised.  

Global Phishing Event #28 

  • Sender: [email protected] 
  • Subject: Statement Electronic-Payment Receipt 
  • Analysis: 
  • The sender uses the display name: AccountPayable Departments via DistributionInvoices [email protected] 
  • The sender attempts to impersonate a service that requires payment.  
  • The sender attaches an HTML file named: Remittance Statement.html – 38.3 KB 
  • The sender is attempting to collect payment on the fake invoice.  
  • The sender does not utilize any additional tactics.  
  • The domain, hirstresources.com appears to be hosting a Nigerian economy, facility, and project management webpage.  
  • We are unaware if the domain has been compromised.  

Special Notes:  

Global Phishing Events #2, #3, #4, and #5 appear to be using the same domain to send these malicious phishing emails. Due to the persistent nature of these four senders, we suggest adding the sender’s domain to the block list as we are unaware of any additional accounts being compromised. 

Global Phishing Events #6 and #7 appear to be using the same template and same attachment name for the phishing emails we identified. These two global phishing events are very similar, but the sender appears to be using two different email addresses to evade security measures.   

Global Phishing Event #10 targets multiple users within the company and changes the second-level domain based on the recipient’s username. Due to the persistent nature and the ever-changing second-level domain field, we suggest adding the sender’s domain to the block list.
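
The traits that recur across the events above (a display name showing an address the sender does not own, a sender address built from the recipient's username, an HTM/HTML attachment) and the grouping used in the Special Notes can be checked mechanically. The following is an added example, not Coro's detection logic; the function names, finding labels, length threshold and the `.test` sample messages are all constructed for illustration.

```python
import re
from collections import defaultdict
from email.headerregistry import Address
from email.message import EmailMessage

ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HTML_EXT = (".htm", ".html")

def make_sample(display, sender, rcpt, attachment=None):
    """Build a constructed message. Real mail would be parsed with
    email.message_from_bytes(raw, policy=email.policy.default)."""
    user, domain = sender.split("@")
    msg = EmailMessage()
    msg["From"] = Address(display_name=display, username=user, domain=domain)
    msg["To"] = rcpt
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment("<html></html>", subtype="html", filename=attachment)
    return msg

def analyze(msg):
    """Return the recurring traits from the write-ups found in one message."""
    frm, rcpt = msg["From"].addresses[0], msg["To"].addresses[0]
    domain, findings = frm.domain.lower(), set()
    # Display name shows an address whose domain is not the real sender domain.
    shown = ADDR_IN_NAME.search(frm.display_name)
    if shown and shown.group(1).lower() != domain:
        findings.add("display-name-address-mismatch")
    # Sender local part embeds the recipient's username (event #10 pattern).
    # The length floor is an assumed guard against short-name false positives.
    user = rcpt.username.lower()
    if len(user) >= 3 and user in frm.username.lower() and rcpt.domain.lower() != domain:
        findings.add("recipient-username-in-sender")
    # HTM/HTML attachment, the delivery vehicle in most of the events.
    names = [(p.get_filename() or "").strip() for p in msg.iter_attachments()]
    html = [n for n in names if n.lower().endswith(HTML_EXT)]
    if html:
        findings.add("html-attachment")
    return {"sender": frm.addr_spec.lower(), "domain": domain,
            "attachments": html, "findings": findings}

def cluster(messages):
    """Group flagged mail the way the Special Notes do."""
    by_domain, by_attachment = defaultdict(set), defaultdict(set)
    for result in map(analyze, messages):
        if not result["findings"]:
            continue
        by_domain[result["domain"]].add(result["sender"])
        for name in result["attachments"]:
            by_attachment[name].add(result["sender"])
    return {  # keys seen with more than one distinct sender address
        "block_domains": sorted(d for d, s in by_domain.items() if len(s) > 1),
        "shared_attachments": sorted(a for a, s in by_attachment.items() if len(s) > 1),
    }

# Constructed samples on reserved .test domains; none are taken from the events.
SAMPLES = [
    make_sample("ACH.Department@victim-corp.test", "billing@sender-one.test",
                "jdoe@victim-corp.test", "Credit-ACH-copy(1).html"),
    make_sample("jdoe@victim-corp.test", "acct3jdoe@sender-two.test",
                "jdoe@victim-corp.test", "Auto ACH Confirmation.htm"),
    make_sample("asmith@victim-corp.test", "acct3asmith@sender-two.test",
                "asmith@victim-corp.test", "Auto ACH Confirmation.htm"),
    make_sample("Voicemail Service", "notice@sender-three.test",
                "jdoe@victim-corp.test", "SECURED-DOC.HTM"),
    make_sample("Voicemail Service", "notice@sender-four.test",
                "jdoe@victim-corp.test", "SECURED-DOC.HTM"),
    make_sample("Alice Example", "alice@partner.test", "jdoe@victim-corp.test"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
    print(cluster(SAMPLES))
```

A domain in `block_domains` corresponds to the sender-domain block-list suggestion in the Special Notes, while an entry in `shared_attachments` is the case where one template arrives from several sender addresses and per-address blocking falls short.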