Trustwave researchers pointed out a new phishing campaign in which attackers used a clever trick to deliver web pages collecting Microsoft Office 365 credentials. The pages were assembled with chunks of HTML code stored locally and remotely.
The attacks started with an email about an investment. An attachment in the email appeared to be an Excel file (.XLSX), but in reality, the file was an HTML document with a chunk of encoded text.
One of them contained the first part of a phishing page and code that validates the victim’s email and password. Attackers wanted to make sure the password field was not blank and used regular expressions to confirm the victim entered their email address in a valid format.
The second file contained the ‘submit’ button, the ‘form’ tags, and code for a popup message telling victims that they had been logged out and needed to log in again.
In addition, the campaign operators filled in the victim’s email address automatically to increase trust. The researchers noted the inventiveness of the attackers and their tricks in this campaign.
Trustwave says the URL receiving the stolen credentials for this campaign is still active. The researchers detailed their findings in a blog post yesterday.
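A mail-gateway check for the disguised attachment described above, as an added example that is not from Trustwave or the original article: it flags attachments named .xlsx whose bytes are not a ZIP container (which every genuine .xlsx is) and records whether they look like HTML carrying a long encoded run. The function names, the sample messages, and the 200-character threshold are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"  # every genuine .xlsx is a ZIP container
HTML_HINT = re.compile(rb"<\s*(!doctype|html|script|body|form)\b", re.I)
# Heuristic (assumption): an unbroken run of 200+ base64/percent-encoding characters
ENCODED_RUN = re.compile(rb"[A-Za-z0-9+/=%]{200,}")

def inspect_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment named *.xlsx whose bytes are not a ZIP."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".xlsx"):
            continue
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):
            continue  # container matches the extension
        findings.append({
            "filename": name,
            "looks_like_html": bool(HTML_HINT.search(data[:4096])),
            "has_encoded_blob": bool(ENCODED_RUN.search(data)),
        })
    return findings

def build_sample(payload: bytes, filename: str) -> bytes:
    """Constructed test message; addresses and subject are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Investment"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed samples: an HTML file with an encoded blob, and a ZIP-headed file
DISGUISED = b"<html><body><script>var d='" + b"QUJD" * 80 + b"';</script></body></html>"
GENUINE = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 64

if __name__ == "__main__":
    print(inspect_attachments(build_sample(DISGUISED, "investment.xlsx")))
    print(inspect_attachments(build_sample(GENUINE, "report.xlsx")))
```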