A highly targeted phishing campaign against healthcare organizations that use Citrix Gateway was recently discovered. The attackers pull web resources directly from the target's storefront page, as you can see in the example landing page. The landing page is served from a previously compromised website, using the URL format hxxp://compromised[.]com/targetname/targetwebsite[.]com.html. The earliest known appearance of the healthcare-specific campaign was on February 12th, 2019.
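A defender-side check that follows from the behaviour described above, as an added example that is not part of the original post: because the landing page loads resources from the real storefront, the gateway's own access log shows requests whose Referer is a third-party host. The combined log format, hostnames, resource paths and log lines below are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host that should embed gateway resources is the gateway itself.
ALLOWED_REFERER_HOSTS = {"gateway.example.org"}

# Referer path shaped like the landing-page format: /<name>/<domain>.html
LANDING_PATH = re.compile(r"^/[^/]+/(?:[a-z0-9-]+\.)+[a-z]{2,}\.html$", re.I)

# Combined log format (assumed for the gateway or the proxy in front of it).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges and reserved domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2019:09:01:11 +0000] "GET /media/logo.png HTTP/1.1" 200 5120 "https://gateway.example.org/index.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2019:09:14:02 +0000] "GET /media/logo.png HTTP/1.1" 200 5120 "http://compromised.example/targetname/gateway.example.org.html" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2019:09:20:45 +0000] "GET /media/style.css HTTP/1.1" 200 880 "https://search.example/results?q=portal" "Mozilla/5.0"',
    '192.0.2.33 - - [12/Feb/2019:09:22:10 +0000] "GET /media/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_hotlinked_requests(lines, allowed=ALLOWED_REFERER_HOSTS):
    """Return requests for gateway resources whose Referer is an external host."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue  # unparsable line or no Referer sent
        ref = urlsplit(m["referer"])
        host = (ref.hostname or "").lower()
        if not host or host in allowed:
            continue  # resource was loaded by the gateway's own pages
        findings.append({
            "client": m["ip"],
            "resource": m["path"],
            "referer_host": host,
            # Higher-confidence signal: Referer path matches /<name>/<domain>.html
            "matches_landing_format": bool(LANDING_PATH.match(ref.path)),
        })
    return findings

if __name__ == "__main__":
    for f in find_hotlinked_requests(SAMPLE_LOG):
        print(f)
```

The client addresses in the findings are likely recipients who opened the lure, which makes them a starting list for credential resets. Browsers can suppress or trim the Referer header, so an empty result does not rule out a copy of the page being in use.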
Example landing page:
Subject: IMPORTANT: Email Alert