u/ZeroBEC

Voicemail quishing campaign with RingCentral/Spectrum branding harvesting M365 creds via AiTM
▲ 6 r/EmailSecurity+1 crossposts

Wrote up an active case from this week, sharing in case it helps anyone seeing similar voicemail lures.

One of our customers got hit with a quishing email branded as Spectrum Business + RingCentral + Google Voice. The bait is the usual missed-call story, "you have a voicemail about an overdue payment." Nothing remarkable so far.

The clever part is the chain. The malicious link isn't in the email body. It's in a QR code, inside a .docx attachment, inside the email. Three layers deep before anything fires.

Whole thing is designed to push the click off the corporate laptop and onto the user's phone, which is the entire point of quishing as a technique:

Once the user scans, they get a fake "Tap the box to confirm" captcha (kit-style, blocks perimeter sandboxes from following through), then a near-perfect Microsoft login page pre-filled with the victim's email pulled from the URL path. Behind it is an AiTM proxy grabbing the password and the session cookie in real time.

Phishing Email

Attached Docx

Auth Impersonation

Full writeup with the IOCs, the captcha + AiTM screenshots, the docx internals, and some detection ideas is up on the company blog. Not posting the link inline to keep the post technical-first. I'll drop it as a comment for anyone who wants it.

Disclosure: I work at ZeroBEC
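As an added example (mine, not the poster's or ZeroBEC's code), a triage check for the docx layer described above: it flags a .docx that carries embedded media but no hyperlink and almost no text, the shape a document takes when its only link lives inside a QR image. The build_sample_docx helper and everything it writes are constructed stand-ins, not the real attachment.

```python
import io
import re
import zipfile

def build_sample_docx():
    """Constructed stand-in for the lure: one embedded image, a 'scan' prompt, no hyperlink."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64           # placeholder bytes, not a real QR code
    doc = ('<?xml version="1.0"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>Scan to listen to your voicemail</w:t></w:r></w:p>'
           '<w:p><w:r><w:drawing/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")     # minimal package, enough for the check
        z.writestr("word/document.xml", doc)
        z.writestr("word/media/image1.png", png)
    return buf.getvalue()

def docx_quishing_triage(blob):
    """Flag a .docx whose only 'link' can be an image: media present, no w:hyperlink, sparse text."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        media = [n for n in names if n.startswith("word/media/")]
        xml = z.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
    text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))
    findings = {
        "media_files": len(media),
        "word_count": len(text.split()),
        "has_hyperlink": "<w:hyperlink" in xml,            # a real link would be URL-filterable
        "scan_prompt": bool(re.search(r"\b(scan|qr)\b", text, re.I)),
    }
    # Route to QR decoding when the document has images but nothing a URL filter could inspect.
    findings["flag"] = bool(media) and not findings["has_hyperlink"] and (
        findings["word_count"] < 50 or findings["scan_prompt"])
    return findings
```

Flagged attachments are the ones worth handing to a QR decoder and URL sandbox, since perimeter link rewriting never sees a URL in them.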

reddit.com
u/ZeroBEC — 11 hours ago

Active ScreenConnect phishing campaign abusing a legit Czech ESP (SparkPost / jobote.com) - heads up to fellow IR folks

Sharing a quick heads-up from an active IR case in case it helps anyone else triaging similar emails this week.

A customer received a phishing email that looked like a generic Adobe / DocSend "New Secured Document" lure. Standard stuff on the surface, but the interesting parts:

  • Sender: noreply-<random string>@jobote[.]com ("Adobe-Docsend" as display name)
  • "View Document" button links to mailtracking.jobote[.]com/f/a/{token} - which is Jobote's own legitimate tracking/redirect subdomain for their referral product, being abused as a clean-reputation redirector
  • Final payload is a ConnectWise ScreenConnect installer - attacker uses it for hands-on-keyboard access after install
  • Reply-To is literally noreply at yourdomain[.]com - an unfilled template placeholder, which is a strong pivot IOC for hunting other emails from the same kit/operator

Phishing Email

ScreenConnect Download Redirection

Not making any claim about how the jobote[.]com SparkPost tenant got abused (compromised account, stolen API key, abused customer subaccount, etc.) - that's for SparkPost to investigate. But the abuse pattern matches what we've been seeing more broadly: attackers riding low-reputation but legitimate ESP/tracking infrastructure to bypass URL reputation filtering before dropping a remote-access tool.

Pivots worth hunting on:

  • Reply-To containing yourdomain[.]com (placeholder strings in Reply-To = high signal)
  • X-MSFBL header containing customer_id=107475
  • Any mailtracking.jobote[.]com URLs in inbound mail
  • Apple Mail headers on ESP-injected mail (deliberate misdirection or sloppy operator)
  • Reported to SparkPost abuse and notifying Jobote directly so they can rotate keys / audit.
  • Firewall logs for access to cherylbirch[.]com

Disclosure: I work at ZeroBEC. Happy to drop the full writeup in a comment if anyone wants the headers / IOCs to feed into their own tooling.
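Added example, not the poster's code: the hunting pivots above expressed as a standard-library header check you can run over a mailbox export. The sample message is constructed, the placeholder-domain entries beyond yourdomain.com are my assumption, and the plain-text X-MSFBL value is a simplification (the real header is usually base64, which the code also decodes before matching).

```python
import base64, binascii, re
from email import message_from_string

# Indicators from the post; PLACEHOLDER_DOMAINS beyond yourdomain.com is my assumption.
PLACEHOLDER_DOMAINS = {"yourdomain.com", "example.com", "domain.com"}
ABUSED_REDIRECTORS = ("mailtracking.jobote.com",)
SUSPECT_CUSTOMER_IDS = {"107475"}

def _msfbl_text(value):
    """X-MSFBL is usually base64; return raw plus decoded form so either matches."""
    try:
        return value + "\n" + base64.b64decode(value.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value

def score_message(raw_rfc822):
    """Return the sorted pivot names that fire on one raw RFC 822 message."""
    msg = message_from_string(raw_rfc822)
    hits = set()
    dom = re.search(r"@([\w.-]+)", msg.get("Reply-To", ""))
    if dom and dom.group(1).lower() in PLACEHOLDER_DOMAINS:
        hits.add("reply-to-placeholder")      # unfilled kit template
    for fbl in msg.get_all("X-MSFBL", []):
        cid = re.search(r"customer_id=(\d+)", _msfbl_text(fbl))
        if cid and cid.group(1) in SUSPECT_CUSTOMER_IDS:
            hits.add("msfbl-customer-id")     # same SparkPost tenant
        if "apple mail" in msg.get("X-Mailer", "").lower():
            hits.add("apple-mail-via-esp")    # MUA header on ESP-injected mail
    body = "\n".join(                         # every text/* part, decoded
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    for host in ABUSED_REDIRECTORS:
        if re.search(r"https?://" + re.escape(host) + r"/", body, re.I):
            hits.add("abused-redirector-url")
    return sorted(hits)

# Constructed sample mirroring the post's indicators (not a real capture).
SAMPLE = """\
From: "Adobe-Docsend" <noreply-x7q2k@jobote.com>
Reply-To: noreply@yourdomain.com
To: user@example.org
Subject: New Secured Document
X-MSFBL: customer_id=107475|constructed-value
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Content-Type: text/plain; charset=utf-8

You have a new secured document waiting.
View Document: https://mailtracking.jobote.com/f/a/AbCdEf123
"""
```

Any message scoring two or more pivots is a good candidate for pulling the full headers and checking egress logs for the ScreenConnect download.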

reddit.com
u/ZeroBEC — 1 day ago
▲ 4 r/EmailSecurity+1 crossposts

reddit.com
u/ZeroBEC — 2 days ago

Active ScreenConnect phishing campaign abusing a legit Czech ESP (SparkPost / jobote.com) - heads up to fellow IR folks

Sharing a quick heads-up from an active IR case in case it helps anyone else triaging similar emails this week.

A customer received a phishing email that looked like a generic Adobe / DocSend "New Secured Document" lure. Standard stuff on the surface, but the interesting parts:

  • Sender: noreply-<random string>@jobote[.]com ("Adobe-Docsend" as display name)
  • "View Document" button links to mailtracking.jobote[.]com/f/a/{token} - which is Jobote's own legitimate tracking/redirect subdomain for their referral product, being abused as a clean-reputation redirector
  • Final payload is a ConnectWise ScreenConnect installer - attacker uses it for hands-on-keyboard access after install
  • Reply-To is literally noreply@yourdomain[.]com - an unfilled template placeholder, which is a strong pivot IOC for hunting other emails from the same kit/operator

The Email

Redirection Link to Download ScreenConnect

Not making any claim about how the jobote.com SparkPost tenant got abused (compromised account, stolen API key, abused customer subaccount, etc.) - that's for SparkPost to investigate. But the abuse pattern matches what we've been seeing more broadly: attackers riding low-reputation but legitimate ESP/tracking infrastructure to bypass URL reputation filtering before dropping a remote-access tool.

Pivots worth hunting on:

  • Reply-To containing yourdomain[.]com (placeholder strings in Reply-To = high signal)
  • X-MSFBL header containing customer_id=
  • Any mailtracking.jobote[.]com URLs in inbound mail
  • Apple Mail headers on ESP-injected mail (deliberate misdirection or sloppy operator)
  • Reported to SparkPost abuse and notifying Jobote directly so they can rotate keys / audit.

Disclosure: I work at ZeroBEC. Happy to drop the full writeup in a comment if anyone wants the headers / IOCs to feed into their own tooling.

reddit.com
u/ZeroBEC — 2 days ago