Key Points
- MCTO3001 - Threat operation with Services Australia and Centrelink impersonation campaigns across multiple sectors
- Infrastructure abuse of legitimate email services (SendGrid, Mailgun, Office 365) paired with Australian government display names
- Campaign objective: Credential harvesting and data theft through government authority impersonation
Campaign Overview
The Mimecast Threat Research team continues to track MCTO3001, a sustained credential harvesting operation that has specifically targeted Australian organizations since 2023. MCTO3001 operates year-round with evolving lure themes, exploiting the authority and trust associated with government communications. The threat actors behind MCTO3001 employ a consistent tactical approach, predominantly utilizing compromised email accounts alongside legitimate bulk email services including SendGrid, Mailgun, and Office 365 infrastructure.
A defining characteristic of MCTO3001 is the systematic use of .gov.au addresses or government-referencing display names paired with non-government sending infrastructure. Email headers consistently show forged or completely absent recipient fields in the "To:" header, indicating header manipulation designed to evade detection while maintaining the appearance of official government correspondence. The operation strategically impersonates Services Australia, leveraging detailed knowledge of Australian benefit systems including Superannuation, Medicare, JobSeeker payments, and Family Tax Benefits.
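As an added illustration (not Mimecast's own tooling), the following Python routine turns the header pattern described above into a triage check: a government-themed display name or .gov.au address arriving from non-government infrastructure, relayed through bulk-mail services, with a forged or missing "To:" header. The domains, addresses and sample headers are constructed for the example; only the service names come from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Display-name cues taken from the lure themes in the report.
GOV_DISPLAY_RE = re.compile(
    r"\.gov\.au|\b(services australia|centrelink|mygov|australian gov\w*)\b", re.I)
# Hostname fragments of the bulk/hosted mail services named in the report.
BULK_SENDER_HINTS = ("sendgrid.net", "mailgun.org", "protection.outlook.com")


def triage_headers(raw_headers: str, delivered_to: str) -> list[str]:
    """Return indicator strings for the MCTO3001 pattern; empty list = no match."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    ret_path = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    received = " ".join(msg.get_all("Received", [])).lower()
    findings = []
    # The lure: the visible sender invokes the Australian government.
    gov_lure = bool(GOV_DISPLAY_RE.search(name)) or from_domain.endswith(".gov.au")
    if gov_lure and not from_domain.endswith(".gov.au"):
        findings.append(f"gov-themed display name '{name}' but sender domain '{from_domain}'")
    if gov_lure and ret_path and not ret_path.endswith(".gov.au"):
        findings.append(f"Return-Path domain '{ret_path}' is not .gov.au")
    if gov_lure and any(h in received for h in BULK_SENDER_HINTS):
        findings.append("relayed through bulk/hosted mail infrastructure")
    # Header manipulation: recipient field forged or absent.
    to_hdr = msg.get("To")
    if not to_hdr:
        findings.append("To: header absent")
    elif delivered_to.lower() not in to_hdr.lower():
        findings.append(f"To: header '{to_hdr}' does not name recipient {delivered_to}")
    return findings


# Constructed sample headers modelled on the campaign (not a real message).
SAMPLE = """Return-Path: <bounces+12345@bounce.example.net>
Received: from o1.ptr1234.sendgrid.net (o1.ptr1234.sendgrid.net [203.0.113.5])
From: "Services Australia - myGov" <alerts@notify-example.com>
To: undisclosed-recipients:;
Subject: Detected sign-in on your Centrelink account

"""

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE, "staff@example.org"):
        print("-", finding)
```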
Latest Campaign Analysis
The latest MCTO3001 phishing campaign targets Australian users, particularly those with Centrelink accounts. The primary lure used in this campaign is an email that claims a "detected sign-in" or suspicious login attempt has occurred on the recipient’s Centrelink account.
The email, crafted to closely mimic official Centrelink or myGov communications, urges the recipient to verify their account by clicking a provided link. This social engineering tactic leverages urgency and fear, prompting users to act quickly and without due caution.
Once the victim clicks the link, they are directed to a fake myGov login page designed to harvest their credentials.
Dimakatso Makinta