Cybercriminals have begun sending out phishing emails after they were able to gain access to one of the email marketing accounts used by the US-based Mexican food chain Chipotle.

According to a new blog post from the email security company Inky, those behind the campaign sent out at least 120 malicious emails in just three days from a hacked Mailgun account that the food chain uses for email marketing.

Cybercriminals often try to obtain legitimate email addresses from businesses as they increase the chances of their phishing emails being delivered since they’ll be able to bypass authentication methods including DomainKeys Identified Mail (DKIM) and Sender Policy Framework.

While the majority of the phishing emails sent from Chipotle’s hacked Mailgun account led users to credential-harvesting sites, a small number also had attachments which contained malware.

Compromised Mailgun account

Many of the emails sent out from the hacked Mailgun account led users to a fake Microsoft login page with the aim of harvesting their credentials. According to Inky, 105 of the 120 malicious emails it detected tired to harvest users Microsoft account credentials.

The emails themselves appeared as if they came from the “Microsoft 365 Message center” and the body of these emails informed recipients that their messages could not be delivered as a result of low email storage in the cloud. When a user then clicked on a button labeled “release messages to inbox”, they would be redirected to a fake login page used to collect their credentials.

In addition to Chipotle, the cybercriminals behind this recent campaign also impersonated the United Services Automobile Association (USAA) and tricked users to visiting a phishing site that appeared to be legitimate at a first glance. The remaining fake emails posed as voicemail notifications that also contained malware attachments.

To prevent falling victim to this and similar phishing scams, Inky recommends that users pay close attention to any discrepancies between a sender’s display name (Microsoft, USAA, VM Caller ID” and the message’s actual email address.

Via BleepingComputer