A new phishing technique has been observed that specifically targets high-value online accounts, making stolen credentials more usable and difficult to detect. Known as "precision-validating phishing," the technique is designed to engage only with verified, legitimate email addresses.
According to cybersecurity firm Cofense, the process significantly boosts the likelihood that the credentials obtained will be linked to real, valuable online profiles, increasing the attack's potential for profit or further exploitation.
"Automated security crawlers and sandbox environments also struggle to analyze these attacks because they cannot bypass the validation filter. This targeted approach reduces attacker risk and extends the lifespan of phishing campaigns," Cofense explained in a recent report.
Unlike traditional "spray-and-pray" phishing attacks, where malicious actors indiscriminately send out large volumes of emails in hopes of snaring unsuspecting victims, precision-validating phishing takes a much more targeted approach.
In this scheme, attackers verify email addresses through an API- or JavaScript-based validation service before proceeding with the phishing attack. If the email address matches a legitimate one in the attacker’s database, the victim is shown a fake login page designed to steal their login credentials. If the email is not in the database, the user is either shown an error message or redirected to a benign website to avoid detection by security systems.
By engaging only with addresses that pass validation, attackers avoid wasting resources on invalid or low-value targets, and the credential-harvesting page is never exposed to visitors the attacker did not intend to reach.
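As an added illustration (not code from the Cofense report), here is a differential check a mail-security sandbox could apply to a suspected first-stage page: submit both the address the lure was actually delivered to and a decoy address, and flag the page when only the real recipient is served a credential form. The sample responses and the probe function are constructed stand-ins for a real instrumented browser session.

```python
import re
from typing import Callable, Tuple

# Constructed sample responses standing in for what a gated phishing kit might
# return after the first-stage email prompt (not captured from a real campaign).
SAMPLE_RESPONSES = {
    # the address the lure was sent to: kit serves the fake login form
    "recipient@example.com": (200, '<html><form action="/post.php" method="post">'
                                   '<input type="password" name="pwd"></form></html>'),
    # any other address: kit bounces the visitor to a benign destination
    "sandbox-probe@example.net": (302, '<html><a href="https://www.microsoft.com/">'
                                       'Redirecting</a></html>'),
}

PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.IGNORECASE)
BENIGN_MARKERS = re.compile(r'(invalid|error|not found|redirect)', re.IGNORECASE)


def classify_response(status: int, body: str) -> str:
    """Label the page returned after an email address is submitted."""
    if PASSWORD_FIELD.search(body):
        return "credential_form"
    if 300 <= status < 400 or BENIGN_MARKERS.search(body):
        return "benign_or_error"
    return "unknown"


def detect_precision_validation(probe: Callable[[str], Tuple[int, str]],
                                recipient_email: str, decoy_email: str) -> dict:
    """Differential test: a kit that gates on the address shows the credential
    form to the real recipient but not to a decoy. A sandbox that only ever
    submits a decoy sees the benign branch and misses the phishing page."""
    real = classify_response(*probe(recipient_email))
    decoy = classify_response(*probe(decoy_email))
    return {
        "recipient": real,
        "decoy": decoy,
        "precision_validating": real == "credential_form" and decoy != "credential_form",
    }


def simulated_probe(email: str) -> Tuple[int, str]:
    """Stand-in for submitting an address to the first stage; returns (status, body)."""
    return SAMPLE_RESPONSES.get(email, (302, "<html>redirect</html>"))


if __name__ == "__main__":
    print(detect_precision_validation(simulated_probe,
                                      "recipient@example.com",
                                      "sandbox-probe@example.net"))
```

The practical takeaway for detection engineering is that the sandbox needs the original recipient address (from the message it is analysing) to reach the gated branch at all; a generic decoy alone classifies the page as benign.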
Cofense also revealed a two-pronged phishing campaign that employs a file deletion reminder to lure victims into providing their credentials or inadvertently downloading malware.
In this attack, an embedded URL leads to a legitimate file storage service, files.fm, where a notification warns the recipient that a PDF file will soon be deleted. When users click the link, they are directed to a bogus Microsoft login page designed to harvest their login information. Alternatively, if they download the file, they receive an executable disguised as Microsoft OneDrive that actually contains the ScreenConnect remote desktop software from ConnectWise, which could allow attackers to remotely control the victim's device.
Cofense described the attack as a "trap," explaining that users are faced with two options—either provide their credentials or inadvertently install malware—each leading to a successful exploit.