This phishing campaign uses a sneaky attachment scam

News
By published

Divides offending JavaScript code in various parts to avoid being flagged

Cartoon Phishing
(Image credit: Shutterstock / DRogatnev)

Security researchers have shared details about an active phishing campaign that is designed to steal the authentication information of Microsoft 365 users.

Homer Pacag from Trustwave's SpiderLabs has analyzed the complex campaign that uses a novel approach to target Microsoft 365 users.

“This phishing campaign design was a little more tricky than usual. By improvising an HTML email attachment that incorporates remote JavaScript code located on a free JavaScript hosting site, and ensuring the code is encoded uniquely, the attackers seek to fly under the radar to avoid detection.” 

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

The attack involves sneaking in an HTML file with a convoluted filename that makes it appear as an Excel file to the casual viewer. 

Divide and conquer

Pacag says the email tries best to pass off as a legitimate business email, with a subject that mentions something about a price revision. However, there’s no content in the body save for the attachment. The extension of the attachment makes it appear like an Excel file (.xlsx) and cleverly disguises its real xtension (.htm).

The attachment has a chunk of URL encoded text that points to two URLs that both point to yourjavascript.com, Pacag says has already been used in an earlier phishing campaign.

That site hosts a couple of JavaScript files, both contain large chunks of encoded text. Pacag decoded the text and combined the outputs to reveal 367 lines of HTML code.

The HTML code pops up a message box notification notifying the user that they’ve been logged out of their Microsoft 365 account and need to log in again to view the file.

The user interface of the fraudulent HTML page is designed to mimic the login interface of Microsoft 365, complete with the logo. Pacag notes that the scammers very cleverly show a blurred image of an invoice in the background to trick the viewers to key in their Microsoft 365 credentials in order to view the file.

Once phished, the login credentials are then sent to the threat actors. Pacag concludes by saying that the URL is still online “probably harvesting credentials from its victims.”

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
SVG files are offering cybercriminals an easy way in with new phishing attacks
A padlock resting on a keyboard.
Massive botnet is targeting Microsoft 365 accounts across the world
Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
More about security
Oracle

Oracle denies data breach after hacker claims to hold six million records
IBM office logo

IBM to provide platform for flagship cyber skills programme for girls
Surface Laptop 7

Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
See more latest
Most Popular
Surface Laptop 7
Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
vector isometric illustration of a handheld gaming console
SteamOS is about to change handheld gaming PCs as HP finally considers ditching Windows 11
Oracle
Oracle denies data breach after hacker claims to hold six million records
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De&#039;Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party