There are reports of a widespread business email compromise (BEC) phishing campaign across multiple industries which involves impersonation of a senior executive and targets other senior executives within an organization. The spoofed email states that a planned board meeting needs to be rescheduled and requests participation in a Doodle poll to identify a new date for the meeting. The poll requests entry of personal information via an Office 365 credential theft site. Additional known facts include:
- The subject line of these emails has consistently appeared as: New Message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
- The Doodle poll links to an Office 365 credential theft site, with a primary domain ending in web.core.windows.net.
The following is a sample of the phishing message:
Image courtesy of GreatHorn
On mobile devices, the phishing message may appear as follows:
Image courtesy of GreatHorn