Green Envy is a threat actor that has been tracked since early February 2022 after a pattern was identified in an ongoing campaign of phishing and malicious emails that generally seek user credentials for organizations that have Microsoft 365 tenants. Initially, this was considered a threat actor specific to the Cannabis industry, but threat research soon indicated this was a broader actor.
What’s Specific About This Threat Actor?
The emails from this threat actor often contain language custom to a target, including the target’s domains and full usernames, coupled with an urgency statement, to compel a user to act. Topics of the emails are usually Microsoft-centric and relate to needing to authenticate, password expiration, password confirmation, release an email, or release a file.
The links in the email often leverage an exploited “unauthenticated redirect” in a newsletter service or go to a hijacked website that then redirects the user up to 3 times until it lands on the actual phishing site that tries to mimic a Microsoft 365 login page for the specific tenant targeted to get the users credentials. The majority of the link will be Base64 Encoded in an attempt to bypass most spam filters. Here are some URL’s taken from sample emails:
A small subset of the emails has HTML attachments that contain code to capture and send credentials to a third-party server.
The actions this threat actor would take upon gaining access are not yet known or observed. Recent experiences suggest that organizations whose credentials were compromised are later targeted, or their customers are, with payment redirection schemes that contain emails from the compromised organization. We cannot confirm whether the payment redirection is being performed by the same group or not.
How Can I Protect My Organization?
First, promote a culture where your employees report suspicious emails and are cautious about anything that asks them to take an action where their credentials are involved. A part of this requires ensuring that you regularly communicate changes to staff, and they are aware of typical emails you may send around their authentication to ensure they avoid fraudulent ones and reduce the likelihood of false positives when changes do occur.
Next, ensure your own email domain is properly taken care of like having SPF and DKIM records, and having someone regularly monitoring email for suspicious activity. Block any suspicious domains or typosquat domains identified to avoid them from coming inbound. Regularly check on what you have authorized to “send on your behalf” to reduce the surface by which malicious emails could be unintentionally trusted by your email filtering solution.
Third, check the latest copy of the Indicators of Interest (IOIs) that you can add to your blocklists. As always, review the domains indicated to ensure you don’t block anything legitimate to your organization.
Finally, if you are a member of the Cannabis industry, consider joining the Cannabis ISAO which can share the specific updated Indicators of Interest (IOIs) of this threat actor to help bolster your block lists. As there is no way to fully block this threat actor, user education remains the most powerful tool in your toolkit to protect yourself against the threat actor Green Envy.
Featured photo from Pexels by Joshua.
Comments