Security researchers have shared details about an active phishing (opens in new tab) campaign that is designed to steal the authentication information of Microsoft 365 (opens in new tab) users.
Homer Pacag from Trustwave's SpiderLabs has analyzed the complex campaign (opens in new tab) that uses a novel approach to target Microsoft 365 users.
“This phishing campaign design was a little more tricky than usual. By improvising an HTML (opens in new tab) email attachment that incorporates remote JavaScript (opens in new tab) code located on a free JavaScript hosting site, and ensuring the code is encoded uniquely, the attackers seek to fly under the radar to avoid detection.”
- Here's our choice of the best malware removal (opens in new tab) software on the market
- We've put together a list of the best endpoint protection (opens in new tab) software
- These are the best identity theft protection (opens in new tab) tools
The attack involves sneaking in an HTML file with a convoluted filename that makes it appear as an Excel (opens in new tab) file to the casual viewer.
Divide and conquer
Pacag says the email tries best to pass off as a legitimate business email (opens in new tab), with a subject that mentions something about a price revision. However, there’s no content in the body save for the attachment. The extension of the attachment makes it appear like an Excel file (.xlsx) and cleverly disguises its real xtension (.htm).
The attachment has a chunk of URL encoded text that points to two URLs that both point to yourjavascript.com, Pacag says has already been used in an earlier phishing campaign.
That site hosts a couple of JavaScript files, both contain large chunks of encoded text. Pacag decoded the text and combined the outputs to reveal 367 lines of HTML code.
The HTML code pops up a message box notification notifying the user that they’ve been logged out of their Microsoft 365 account and need to log in again to view the file.
The user interface of the fraudulent HTML page is designed to mimic the login interface of Microsoft 365, complete with the logo. Pacag notes that the scammers very cleverly show a blurred image of an invoice in the background to trick the viewers to key in their Microsoft 365 credentials (opens in new tab) in order to view the file.
Once phished, the login credentials are then sent to the threat actors. Pacag concludes by saying that the URL is still online “probably harvesting credentials from its victims.”
- Protect your devices with these best antivirus software (opens in new tab)