Chipotle's Email Marketing Account Compromised to Spread Malware


In mid-July, a new phishing attack was detected that used a compromised mailing service account. In the four days between July 13, 2021, and July 16, 2021, the anti-phishing company uncovered 121 phishing emails in this campaign. 

In May 2021, Nobelium (suspected of being behind the SolarWinds attack) tried a similar phishing method. Microsoft reported in May on a Nobelium campaign in which fraudulent emails were delivered to 3,000 accounts across 150 companies in 24 countries. All of the fraudulent emails were sent by Constant Contact mailing service, using the hacked account of the US Agency for International Development (USAID). 

Inky, the anti-phishing firm identified the new campaign, and the amount is likely to be a small fraction of the overall number of emails sent. Inky states in its study that it is examining if the current campaign was initiated by the same threat actor or by copycat criminals using the same approach as Nobelium. 

The method comprises of hacking into a legitimate mail service user's account. The account used in the most recent instance belonged to Chipotle, a fast-food chain, and the mail provider used was Mailgun. Because the emails look authentic from high-reputation sources, this approach has a high success rate. 

Since they come from a high-reputation IP address (Mailgun: and pass SPF and DKIM authentication, the emails clear various automated phish detection systems. 

Two were vishing attacks (phony voicemail alerts with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft, out of 121 phishing emails discovered. Inky does not specify what malware was used in the vishing attacks, nor does it mention the firms which were phished. 

A mail.chipotle[.]com link in the 14 USAA bank impersonations was linked to a fake and fraudulent USAA Bank credential harvesting site. The credential harvesting site is a convincing copy of the legitimate bank site, along with a flawless logo of USAA logo. 

The researchers commented, “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born.” 

The majority of phishing emails masquerade to be from Microsoft. This is predictable, given that nearly everyone has a Microsoft account, and almost all store a wealth of information (such as other logins, trade secrets, financial details, and more). 

In the sample presented by Inky, the email is sent by ‘Microsoft 365 Message Center'. The subject reads, “You have (7) clustered/undelivered emails 16 July 2021,” This should not mislead an informed user who wonders why Microsoft is sending emails through a fast-food chain, but it may deceive automated detection systems that depend largely on the sender reputations. 

The email's body is a classic fraud trap. Seven emails from the target have been held up due to storage difficulties, but they are now ready for collection (the curiosity trigger). Ignoring the notification may result in the account being disabled (the fear trigger). Then there's a button that says "Release messages to the inbox." The user is sent to a credential harvesting fake Microsoft login page when they click this button. 

The difference between the sender's name (in this case, Microsoft, USAA, and VM Caller ID) and the actual email sender (in this case, postmaster[@]chipotle[.]com) is the key to identifying this sort of phishing email. The former is unlikely to send emails using the latter. However, on the other hand, secure email gateways frequently rely on verifying simply whether the sending domain is authentic and that the email is coming from an approved range of IP addresses.