This phishing campaign uses a sneaky attachment scam
Divides offending JavaScript code in various parts to avoid being flagged
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Security researchers have shared details about an activephishingcampaign that is designed to steal the authentication information ofMicrosoft 365users.
Homer Pacag from Trustwave’s SpiderLabs has analyzed thecomplex campaignthat uses a novel approach to targetMicrosoft365 users.
“This phishing campaign design was a little more tricky than usual. By improvising anHTMLemail attachment that incorporates remoteJavaScriptcode located on a free JavaScript hosting site, and ensuring the code is encoded uniquely, the attackers seek to fly under the radar to avoid detection.”
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Click here to start the survey in a new window«
The attack involves sneaking in an HTML file with a convoluted filename that makes it appear as anExcelfile to the casual viewer.
Divide and conquer
Pacag says the email tries best to pass off as a legitimatebusiness email, with a subject that mentions something about a price revision. However, there’s no content in the body save for the attachment. The extension of the attachment makes it appear like an Excel file (.xlsx) and cleverly disguises its real xtension (.htm).
The attachment has a chunk of URL encoded text that points to two URLs that both point toyourjavascript.com, Pacag says has already been used in an earlier phishing campaign.
That site hosts a couple of JavaScript files, both contain large chunks of encoded text. Pacag decoded the text and combined the outputs to reveal 367 lines of HTML code.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The HTML code pops up a message box notification notifying the user that they’ve been logged out of their Microsoft 365 account and need to log in again to view the file.
The user interface of the fraudulent HTML page is designed to mimic the login interface of Microsoft 365, complete with the logo. Pacag notes that the scammers very cleverly show a blurred image of an invoice in the background to trick the viewers to key in their Microsoft 365credentialsin order to view the file.
Once phished, the login credentials are then sent to the threat actors. Pacag concludes by saying that the URL is still online “probably harvesting credentials from its victims.”
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
This new phishing strategy utilizes GitHub comments to distribute malware
Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well
