October 24, 2019

Lookout Phishing AI Discovers Campaign Targeting UN and Humanitarian Orgs


At the beginning of October 2019 Lookout researchers discovered a targeted phishing attack focusing on non-governmental organizations around the world, including but not limited to UN and humanitarian organizations. This attack is currently still ongoing and is aimed at employees of these organizations. The phishing pages captured by Lookout attempt to convince a target to enter their organizational Office 365 and Outlook account credentials.

The actor is targeting mobile devices. There is logic in existing JavaScript code of the site that checks if a device accessing the link is a mobile device. This is further confirmed by the fact that the initial part of the subdomain used in the phishing links closely mirror legitimate infrastructure. Only the initial part of the domain is visible in a mobile web browser, so many users won’t recognize this as a phishing attempt.

Lastly, there is also evidence of key logging functionality embedded in the password field of the phishing login pages. Even if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by this actor.

Potential impact

Workers at targeted organizations are at risk having their corporate identities taken over, which will compromise sensitive organizational data. This puts the entire organization at risk if the attacker is able to leverage stolen credentials to gain access to organizational infrastructure, and potentially opens the door for persistent threats.

Key Facts about this Phishing Attack

  • That attack targets several United Nations programs, humanitarian institutions, and well-known non-governmental organizations.
  • The attack mirrors the targeted organizations’ login pages for Office 365 and Outlook to steal credentials which will provide access to sensitive information and opens the door for persistent threats.
  • Mobile users are specifically targeted using initial subdomains mirroring legitimate sites that appear correct on smaller screens.
  • With keylogging functionality, anything entered into a field is sent to the attacker, even if a target doesn’t press the login button.



Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Threat Type
Entry Type
Threat Guidances
Platform(s) Affected
Threat Guidances

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.