Summary: On Oct 21, the odix team detected a file-based phishing attack in an email attachment that was blocked by the FileWall system. The blocked attachment redirected the user to a credential-stealing website built to mimic the Microsoft login page. Any credentials entered there were sent to the attacker's web server, hosted on Amazon infrastructure, with no visible sign to the user that anything had happened, leaving the user's account, data, and privacy at significant risk.
Analysis:
Step 1: An email was sent from the domain member[.]mso365officeowa[.]com, a name chosen to resemble Microsoft Office 365 / OWA. The sender's name, the subject line, and the malicious attachment all contained the target company's name.
Step 2: The malicious HTML attachment contains no displayable content; its only function is to redirect the browser to the attacker's fake login page (image 1). A dynamic component in the HTML file is modified per target so that each generated file has a distinct hash, which defeats signature-based detection that keys on file hashes.
IMAGE 1: redirection in the HTM attachment
Step 3: After the redirect, the user sees the login page shown in image 2, an almost exact copy of the Microsoft login page.
IMAGE 2: Fake Microsoft login page
Step 4: When the user enters their credentials, they are submitted to an Amazon-hosted web server (the post[.]php endpoint listed in the IOCs below), and the damage begins.
Amazon's security team was notified about the misuse of its infrastructure. As of this writing, the URLs used in this attack have zero detections on VirusTotal.
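Because the per-target component changes the file hash (Step 2) and the URLs had no VirusTotal detections, hash- or URL-reputation matching alone will miss this attachment. What stays constant is its shape: an HTML file with no visible content whose only job is to redirect. The following is an added example (written for this post, not odix's FileWall code) of a small Python scanner that flags such redirect-only HTML attachments and pivots on the redirect host instead of the file hash. The three sample attachments are constructed, and the phishing host in them is a stand-in, not the real indicator from this incident.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachments (not the actual files from the incident).
# SAMPLE_A and SAMPLE_B redirect to the same hypothetical phishing host but
# differ in a per-target token, which is enough to change the file hash.
SAMPLE_A = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker-bucket.s3-website.eu-west-3.amazonaws.com/index.html">
</head><body><!-- target: acme-corp-7f3a --></body></html>"""

SAMPLE_B = """<html><head><script>
var t = "acme-corp-91c0";
window.location.href = "http://attacker-bucket.s3-website.eu-west-3.amazonaws.com/index.html";
</script></head><body></body></html>"""

# A benign HTML attachment: real visible content, no redirect.
SAMPLE_BENIGN = """<html><body><h1>Q3 report</h1><p>See attached figures.</p>
<a href="https://intranet.example.com/q3">Intranet</a></body></html>"""

# JavaScript redirects: location = "...", location.href = "...", location.replace("...")
REDIRECT_JS = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0; url=..."> target
META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class RedirectScanner(HTMLParser):
    """Collect visible text and every redirect target found in the document."""

    def __init__(self):
        super().__init__()
        self.visible_text = []
        self.redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.search(attrs.get("content") or "")
            if m:
                self.redirects.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are searched for redirects; everything else counts as visible text.
        # HTML comments (where the per-target token may hide) never reach handle_data.
        if self._in_script:
            self.redirects.extend(REDIRECT_JS.findall(data))
        elif data.strip():
            self.visible_text.append(data.strip())


def analyze(html: str) -> dict:
    """Return the file hash, the redirect targets, and a verdict for one attachment."""
    scanner = RedirectScanner()
    scanner.feed(html)
    scanner.close()
    hosts = sorted({urlsplit(u).hostname or "" for u in scanner.redirects})
    # The phishing pattern: at least one redirect and nothing for the user to read.
    redirect_only = bool(scanner.redirects) and not scanner.visible_text
    return {
        "sha256": hashlib.sha256(html.encode()).hexdigest(),
        "redirects": scanner.redirects,
        "redirect_hosts": hosts,  # stable pivot across per-target variants
        "visible_text_chars": sum(len(t) for t in scanner.visible_text),
        "verdict": "redirect-only (likely phishing)" if redirect_only else "ok",
    }


if __name__ == "__main__":
    for name, sample in [("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", SAMPLE_BENIGN)]:
        r = analyze(sample)
        print(f"{name}: sha256={r['sha256'][:16]}... hosts={r['redirect_hosts']} -> {r['verdict']}")
```

Running it shows that samples A and B have different SHA-256 values but the same redirect host and the same verdict, which is the indicator worth blocking on at the gateway. The benign attachment, which has visible content and no redirect, passes. The regexes cover the common meta-refresh and `location` assignments only; obfuscated JavaScript (string concatenation, `eval`, encoded payloads) would need a real JS engine or a content-disarm approach, which is the point the page makes about CDR.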
Conclusion:
- Always look at the address bar before entering your credentials.
- Make sure that the URL shown belongs to the service you are using.
- Make sure the login page uses HTTPS and that the certificate is valid and issued for the service provider's own domain. In this attack the phishing pages were served over plain http://, so this check alone would have exposed them; note, however, that a valid certificate only proves you are talking to the domain in the address bar, not that the domain belongs to Microsoft.
- Do not open HTML files unless they came from a trusted source.
- For admins: HTML attachments are an easy vector for delivering secondary malicious URLs. If possible, block HTML/HTM attachments for your users at the mail gateway.
IOC (Indicators of compromise):
http://7opnese[.]s3-website[.]eu-west-3[.]amazonaws[.]com/index[.]html
http://ec2-52-15-198-232[.]us-east-2[.]compute[.]amazonaws[.]com/post[.]php
To learn more about how CDR can prevent zero-day attacks and increase your email security visit odi-x.com/solutions