HC3 TLP White Sector Alert: Phishing Campaigns Leveraging Legitimate Email Marketing Platforms April 7, 2022

Executive Summary

HC3 is aware of a breach affecting a legitimate email marketing platform to send phishing emails. While this campaign targeted users in the cryptocurrency and financial sectors, it is possible the unauthorized access may be leveraged to target users in the Healthcare and Public Health (HPH) sector. These organizations should be aware of this threat and take the corresponding mitigations.

Report

PSA: Watch out for phishing emails from genuine mailing lists, following Mailchimp hack (April 5, 2022) https://9to5mac.com/2022/04/05/mailchimp-hack-phishing-alert/

Analysis

On April 4, 2022, Mailchimp, the email marketing platform company, confirmed a breach impacting one of the company’s internal tools used by its customer support and account administration teams. Although Mailchimp deactivated the compromised employee accounts after learning of the breach, the threat actors were able to view around 300 Mailchimp user accounts and obtain audience data from 102 of them, according to the company’s CISO. The threat actors were also able to access API keys for an undisclosed number of customers, which would allow them to create custom email campaigns, such as phishing campaigns, and send them to those customers' mailing lists without ever logging in to the Mailchimp customer portal. While HC3 is currently only aware of a phishing campaign abusing this unauthorized access to send fake data breach notification emails to users in the cryptocurrency and finance sectors (which was reportedly executed with exceptional sophistication and planning), the Healthcare and Public Health (HPH) sector should remain cautious of suspicious emails originating from legitimate email marketing platforms such as Mailchimp. It is important to note that APT groups have previously leveraged legitimate mass-mailing services in malicious email campaigns to target a wide variety of organizations and industry verticals.
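The practical problem for a mail team is that these messages arrive through a platform the organization already trusts, so platform origin alone cannot be the signal. The following triage function is an added example (not HC3's, Mailchimp's, or any vendor's code) that scores a raw message on the combination the alert describes: bulk-platform headers, breach-notification lure wording, and links that leave the sender's own domain. The header names are standard list-mail headers; the lure phrases, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed heuristics, not HC3 or Mailchimp indicators: header names are standard
# list-mail headers (RFC 2369); lure phrases and sample messages are made up here.
BULK_HEADERS = ("List-Unsubscribe", "List-Id", "Precedence")
LURE_PHRASES = ("data breach", "security incident", "verify your account")

def body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def link_hosts(text):
    """Lower-cased hostnames of every http(s) link in the text."""
    hosts = (urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text))
    return {h.lower() for h in hosts if h}

def triage(raw):
    """(score, reasons) for a raw RFC 822 message: bulk origin alone scores 1 and is
    normal; bulk + lure wording + off-domain links (the alert's pattern) scores 3."""
    msg = message_from_string(raw)
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if any(h in msg for h in BULK_HEADERS):
        reasons.append("delivered via a bulk-mailing platform")
    body = body_text(msg)
    haystack = (msg.get("Subject", "") + " " + body).lower()
    if any(p in haystack for p in LURE_PHRASES):
        reasons.append("breach or credential lure wording")
    foreign = {h for h in link_hosts(body)
               if h != sender_domain and not h.endswith("." + sender_domain)}
    if foreign:
        reasons.append("links outside sender domain: " + ", ".join(sorted(foreign)))
    return len(reasons), reasons

# Constructed samples: a routine newsletter and a fake breach notice via the same platform.
NEWSLETTER = ("From: Example Clinic <news@example-clinic.org>\n"
              "Subject: April wellness newsletter\n"
              "List-Unsubscribe: <mailto:unsub@example-clinic.org>\n\n"
              "Read this month's tips at https://www.example-clinic.org/april\n")
PHISH = ("From: Example Wallet <alerts@example-wallet.com>\n"
         "Subject: Important: data breach notification\n"
         "List-Unsubscribe: <mailto:unsub@example-wallet.com>\n\n"
         "Secure your funds now: http://example-wallet-verify.net/login\n")
```

A score of 3 is a review queue entry, not a verdict: legitimate campaigns often use the platform's own tracking domains for links, so tune the domain check against your known senders before acting on it.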


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272