This Scary New Phishing Attack Is Very Hard to Detect

posted on 11/16/2017

Heads up! You need to know about a new phishing attack utilizing a new technique that's just plain nasty.

These emails appear to come from contacts users know at another organization. In the screenshot below, you can see that at least one of the emails appeared to be a reply to an existing email thread in which users at the two organizations had been emailing back and forth.

The new message was noticeably short — "Morning, please see attached and confirm" (you probably see where this is going) — but in the context of the email chain it was very convincing. The email appears to come from a person at a company the receiver has been emailing with, and this message appears to be a reply to a legit email chain. Here is a picture of how it looks:

The aim was to have the user open the Word attachment and follow instructions to enable macros, thereby infecting the system with a new variant of Ursnif, one of the most active and widespread banking Trojans in the world. It looks like the evil masterminds behind Ursnif are now taking it one step further and using the compromised email accounts of their victims to spread the infection like a worm.
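As an added illustration (not from the original post), the Python below checks a message for the three traits of this lure together: an external sender, a message threaded as a reply, and a macro-capable Office attachment. The sample message, addresses and file contents are constructed and hypothetical.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Office formats that can carry VBA macros (legacy OLE and macro-enabled OOXML).
MACRO_EXTENSIONS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".pptm")


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office file ships a VBA project; legacy OLE files are not zips and are treated as macro-capable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def reply_macro_indicators(raw: bytes, internal_domain: str) -> list[str]:
    """Return the indicators present in a raw RFC 822 message; all three together match the lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if not addr.lower().endswith("@" + internal_domain.lower()):
        hits.append("external_sender")
    subject = str(msg.get("Subject", "")).lower()
    if msg.get("In-Reply-To") or msg.get("References") or subject.startswith("re:"):
        hits.append("in_thread_reply")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_EXTENSIONS) and has_vba_project(part.get_payload(decode=True)):
            hits.append(f"macro_attachment:{name}")
    return hits


def fake_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")  # presence marks a VBA project
    return buf.getvalue()


def build_sample(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message mimicking the reported lure; all addresses are hypothetical."""
    m = EmailMessage()
    m["From"] = "Pat Partner <pat@partner.example>"
    m["Subject"] = "RE: Q4 invoice schedule"
    m["In-Reply-To"] = "<thread-123@corp.example>"
    m.set_content("Morning, please see attached and confirm")
    m.add_attachment(attachment_bytes, maintype="application", subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Feed `reply_macro_indicators` the bytes of a real .eml and your own mail domain; a result containing all three indicator kinds is the pattern the post describes.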

What makes this social engineering attack so tricky is that the email pictured wasn't just coming from an organization the recipient knew and had been emailing with; it came as a reply to an existing email chain. That is a hard one for anyone not to fall for, so it's critical that all of us really stay on our toes to catch this one.