Holt, Renfrew & Co. Ltd.
On April 9, 2020, the Organization's IT department was notified about a phishing attack and potential password compromise. The Organization discovered that on April 8, 2020, a phishing email was sent to six employees from a legitimate email account associated with one of the Organization's concession partners. The phishing email was designed to prompt email recipients to click a link to download several documents. The link in the email took users to a Microsoft OneNote page that prompted users to click another link to download the documents securely. This second link took users to a fake Microsoft Office 365 login page that was designed to harvest the user's credentials. The investigation found that the threat actor successfully obtained two employees' email credentials through this phishing attempt. The threat actor made use of those credentials on April 8 and 9, 2020, and interacted with the employees' mailboxes, including creating inbox rules to evade detection.