Chipotle’s Email Marketing Account Hacked to Spread Malware


Nobelium-style Phishing Sciences Used to Spread Malware

A new phishing campaign exploiting a compromised mailing service account was discovered in mid-July. In this campaign, an anti-phishing resolve found 121 phishing emails in the four-day period from July 13, 2021 to July 16, 2021. The phishing technique is identical to that Euphemistic pre-owned by Nobelium (suspected to be behind the SolarWinds hack) in May 2021.

In May, Microsoft reported on a Nobelium campaign that involved malicious emails being sent to rudely 3,000 accounts across over 150 organizations in 24 countries. All the malicious emails were sent via the Constant Contact mailing advantage using the compromised account of the United States Agency for International Development (USAID).

The new campaign was discovered by the Inky anti-phish firm, and the volume is plausible to represent just a subset of the total number of emails. Inky states in its report that it doesn’t yet know whether the new campaign was instigated by the unmodified threat actor, or simply copycat criminals using the same technique as Nobelium – but is investigating.

The technique involves compromising the account of a genuine post service user. In the latest incident, the account was that of fast-food firm Chipotle and the mail service was Mailgun. This technique generally has a pongy chief success rate because the emails appear to be genuine from high reputation sources. The emails pass many automated phish detection sets since they come from a high reputation IP address (Mailgun: and pass SPF and DKIM authentication.

“Analysis of the email headers bask ined that the messages originated from Mailgun servers ( and and passed email authentication for chipotle[.]com,” says Inky.

Of the 121 phishing emails felt, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft. Inky does not make clear the malware included with the vishing attempts, nor does it specify the phished target organizations. It does, however, analyze the phishing emails.

The 14 USAA bank impersonations restrained a mail.chipotle[.]com link that redirected to a forged and malicious USAA Bank credential harvesting site. The credential harvesting site is a solid impersonation of the genuine bank site, including a perfect copy of the USAA logo. “The black hats can make these pages by simply cloning the material page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born,” comment the researchers.

USAA Phishing Landing Page

USAA Credential Harvesting Messenger

The majority of the phishing emails impersonate Microsoft. This is unsurprising since almost everyone has a Microsoft account, and almost all of them contain chiefly amounts of valuable detail (such as other logins, trade secrets, financial details and more).

In the example provided by Inky, the mail is sent by ‘Microsoft 365 Intelligence center <[email protected]>’. The subject says, “You have (7) clustered/undelivered emails 16 July 2021”. This should not dupe an observant user who should question why Microsoft is sending emails via a fast-food firm – but could fool automated detections that rely heavily on sender reputations.

The email constituents is a typical scam lure. The target has seven emails held up by storage issues, but now available for collection (the curiosity trigger). Ignoring the message could disable the account (the dismay trigger). This is followed by a button labelled ‘Release messages to inbox’. Clicking this button takes the user to a credential harvesting hoax Microsoft login page.

The clue to detecting this type of phishing email lies in the discrepancy between the sender’s name (in these as it happens, Microsoft, USAA and VM Caller ID), and the actual email sender (in this instance postmaster[@]chipotle[.]com). The former is not likely to use the latter to send out emails. The muddle, however, is that secure email gateways often rely on checking solely whether the sending domain is legitimate, and the email is coming from an approved cooking- stove of IP addresses.

College Park, MD-based phish prevention firm INKY was founded in 2008 by Dave Baggett (CEO) and Simon Smith (COO). In June 2020 it raised $20 million in a Series B funding complete led by Insight Partners, bringing the total raised to $31.6 million.

Related: AI-Facilitated Product Aims to Stop Spear-Phishing Attacks

Related: Microsoft: Running, Expanding Campaign Bypassing Phishing Protections

Related: Chipotle Investigating Payment Card Breach

Related: Member of FIN7 Hacking Group Rapped to US Prison

[embedded content]

Chipotle's Email Marketing Account Hacked to Spread Malware

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since in the future the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Spells and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:
Chipotle's Email Marketing Account Hacked to Spread MalwareTags:

Leave a Reply

Your email address will not be published. Required fields are marked *