The KnowBe4 Threat Lab has identified an active phishing campaign impersonating Capital One.
The attacks are sent from compromised email accounts to help them evade reputation-based detection by native security and secure email gateways (SEGs).
Once delivered, the attacks use stylized HTML templates and brand impersonation to trick the recipient into believing the communications are legitimate.
Recipients who fall victim are directed to credential-harvesting websites. At this point, the campaign demonstrates significant infrastructure scale, operating across multiple domains with the capacity to rotate them to evade signature-based detection.
This campaign also ties into wider attack trends we’ve observed recently, including attackers prioritizing the compromise of legitimate email accounts over the creation of fake ones; social engineering becoming more sophisticated and contextual; and the growing gap in what legacy detection tools can identify.
Phishing Attack Summary
Vector and type: Email phishing
Primary techniques: Brand impersonation, credential harvesting websites
Targets: Organizations globally
Platform: Microsoft 365
Bypassed native and SEG detection: Yes
Brand Impersonation Targeting Capital One Customers
While the phishing emails are sent to a broader distribution list, the cybercriminals are opportunistically hoping that Capital One customers will fall victim to the attacks and share their online banking credentials.
The phishing emails leverage stylized templates with perfect rendering of the Capital One brand, which is aimed at duping recipients into believing these are legitimate emails. The attacks center on security and IT themes, such as fraud and online account access. These topics can socially engineer victims by creating feelings of panic and urgency (for example, if they believe they are a victim of fraud), as well as asking them to take specific actions to negate any effects.
Unfortunately, however, instead of being directed to legitimate Capital One services, victims are sent to credential harvesting websites.
Example 1: Phishing email sent as part of Capital One credential harvesting campaign, prompting a user to restore their account following potential fraud attempt. Reported by PhishER.
Example 2: Security-themed phishing email sent as part of Capital One credential harvesting campaign, prompting a user to unlock their account. Reported by PhishER.
Example 3: Phishing email sent as part of Capital One credential harvesting campaign, asking a user to confirm or reject a suspicious purchase. Reported by PhishER.
The attacks our team observed were predominantly sent from compromised accounts within the education sector. These accounts can be linked to a credential harvesting campaign targeting schools that we reported earlier this year. Using compromised accounts helps the attacks establish sender legitimacy and evade reputation-based detection by SEGs and native security.
URLs in the attacks we analyzed had been shortened using X’s (formerly Twitter) legitimate URL shortening service, obfuscating their end destination from the recipient.
Examples of Security-themed Subject Lines Observed in These Attacks
- “Notice: Account Access Restricted Due to Security Concerns”
- “Your Online Account Has Been Temporarily Suspended”
- “Your Capital One Card Payment Is Under Review”
- “Your Account Access Has Been Restored”
- “Card Temporarily Locked - Suspicious Purchase Detected”
Technical Measures to Exfiltrate Credentials
Victims are directed to phishing websites that impersonate Capital One, aiming to steal online banking credentials.
By analyzing these webpages, our team identified that the cybercriminals were using a domain separation technique to enhance their operational security: compromised credentials are submitted to an entirely separate infrastructure from the one used to host the phishing websites, so taking down or blocking the lure domain does not disrupt the collection endpoint.
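One way a defender can check a suspected lure page for this domain separation pattern is to compare the registrable domain of every password-bearing form's action against the domain hosting the page. The following is an added illustration, not code from KnowBe4 or the campaign; the page URL and HTML are constructed sample data using reserved .invalid hostnames.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure page for this example (hypothetical, not captured material).
SAMPLE_PAGE_URL = "https://example-lure-host.invalid/secure/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://collector.example.invalid/post.php">
  <input name="username"><input name="password" type="password">
</form>
<form method="post" action="/contact"><input name="msg"></form>
</body></html>
"""

def registrable_domain(host: str) -> str:
    # Naive: keep the last two labels. Adequate for the demo; production code
    # should consult the public suffix list (e.g. co.uk has three labels).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class FormActionParser(HTMLParser):
    """Records each <form>'s action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_cross_domain_credential_forms(page_url: str, html: str) -> list:
    """Return the action URLs of password forms that post to a different
    registrable domain than the page host (the domain separation pattern)."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    parser = FormActionParser()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_host = urlparse(form["action"]).hostname  # None for relative actions
        if action_host and registrable_domain(action_host) != page_domain:
            hits.append(form["action"])
    return hits
```

A hit means the lure and the collection endpoint live on separate domains, so both need to be blocked and reported rather than just the one the victim visited.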
Defending Against a Sophisticated Phishing Ecosystem
This campaign demonstrates numerous tactics, techniques and procedures (TTPs) that cybercriminals are using to increase the deliverability and overall “success” of their phishing attacks.
In particular, the use of compromised legitimate accounts harvested as part of an earlier campaign demonstrates the ever-growing sophistication of the cybercriminal ecosystem. Ultimately, where one attack ends, another begins — and organizations must urgently break this chain.
Additionally, we can see the social engineering pressure applied to targets, who will typically (and very naturally) be concerned about the security of their bank account and identity. In general, the rise of GenAI has led to an overall increase in the sophistication of attacks and, specifically, of social engineering. With a short prompt and the click of a button, attackers can generate highly targeted attacks with psychological “tricks,” such as creating a sense of urgency or fear, embedded in them.
Finally, this attack shows that legacy detection can be bypassed with the right TTPs (e.g. using compromised legitimate email addresses to send attacks). It makes sense: with the widespread adoption of signature-based and reputation-based detection, every attacker will know that they need to outsmart these mechanisms to improve the deliverability of their phishing emails.
As threats continue to grow in sophistication, here are three key considerations to detect — and prevent — these advanced phishing attacks:
- Enhanced email security: This campaign demonstrated the technical measures cybercriminals use to evade the traditional signature-based and reputation-based security found in SEGs and native security. In fact, given their widespread adoption, bypassing these systems is simply “the cost of doing business” for cybercriminals. Organizations should therefore implement enhanced cloud email security that uses AI-powered detection mechanisms to neutralize a broader spectrum of threats.
- Train your employees using real threats! By automatically flipping real phishing emails into neutralized simulations, employees benefit from timely, hyper-personalized and realistic training. This makes training and simulations more meaningful and, consequently, stickier by improving employees’ awareness of the actual threats targeting them.
- Continuous micro-training delivers results on a macro level: Whether through context-based banners and prompts on emails, or continuous coaching via AI agents, people need their cybersecurity platforms to deliver personalized real-time interventions and coaching to help them continuously make the right security decisions. This approach reduces organization-wide human risk for the long term.