Malicious eFax Attachments Can Potentially Steal Your Microsoft O365 Password

In this blog post, we describe a phishing attack observed by Polito, Inc., which uses an obfuscated JavaScript attachment. We then show how to analyze the malicious obfuscated JavaScript by following the attack chain through static and dynamic testing, and how the analyzed code was designed to capture Microsoft O365 credentials and upload them to a website.


This specific attack is interesting because attackers are always looking for new and creative ways to deliver their payloads. Their purpose in doing so is multi-fold:

  • An attempt to bypass security products

  • An attempt to bypass security training

  • An attempt to harvest credentials from unsuspecting users

Even though potential victims may have been trained to avoid opening documents, scripts, and executables from unknown senders, nowadays it is important to be careful with almost any file type.


Malicious file attachment:

To protect the privacy of the individual that received this file, all identifying information has either been redacted or obscured.


An executive received a suspicious email which they were concerned had been sent by a threat actor. The email looked like an eFax message with a poorly worded .htm attachment. The attachment appeared to be a recycled lure from a voicemail phishing campaign, as can be seen from the Play button and the "37 secs" in the file description.


Figure 1 - Spam email with the attachment


Malware analysis:

The initial phishing message was sent with an attached .htm file named “(redacted) ▶ ─────── 01mins37secs.htm”. The individual did not open the email, but sent a copy of the attachment for analysis. We were unable to obtain the email headers of the original email.


Static Analysis:

I first opened the .htm file in Notepad++ to gain initial insight. I could see that the file contained obfuscated JavaScript.


Figure 2 - Partially obfuscated JavaScript Code


The first step was to attempt to de-obfuscate the code. I used an online tool from Coder’s Toolbox to do this, with the settings URL, Decode, and US-ASCII. This produced readable code:


Figure 3 - Using Coder’s Toolbox to de-obfuscate the JavaScript Code


I then used another online tool, js-beautify, to clean up the code and make it more presentable:


Figure 4 - Using js-beautify to clean up the JavaScript Code


  • Line 3: contains the recipient of the phishing email

  • Line 4: contains a Base64-encoded URL pointing to a .php file

  • Line 6: is a self-contained webpage that replicates a Microsoft login page


Since this code contained a URI component, it was time to extract more information. I used decodeURI() from Mozilla’s developer tools, pasting in the portions between the script tags, and got what was a prompt to enter a Microsoft password:


Figure 5 - Prompt to enter a password
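To reproduce the three decoding steps above in code rather than by pasting into online tools, here is an added example (not code from the post, and not Polito's tooling). It builds a constructed attachment layered the same way the lure was: a percent-encoded script wrapped in unescape(), a Base64-encoded URL to a .php file, and a URI-encoded login page. It then peels the layers and pulls out what an analyst wants: the recipient, the collector URL, and whether a password form is embedded. The host name, recipient address and form markup are placeholders, not the real values from the attachment.

```javascript
// Static triage of an obfuscated .htm phishing attachment (added example,
// not code from the original post). Everything below is constructed: the
// collector host, the recipient address and the look-alike login page are
// placeholders standing in for the redacted values in the post.

// --- Build the constructed sample, layered the way the lure was -------------
const COLLECTOR_URL = 'http://phish-host.invalid/o365.php';   // placeholder host
const FAKE_LOGIN_PAGE =
  '<html><body><h1>Sign in</h1><form id="login" method="post">' +
  '<input type="text" name="loginfmt" value="">' +
  '<input type="password" name="passwd">' +
  '<input type="submit" value="Sign in"></form></body></html>';

const INNER_SCRIPT = [
  // as in the post's line 3: the recipient's address in clear text
  'var recipient = "victim@example.invalid";',
  // as in line 4: Base64-encoded URL of the .php collector
  'var target = atob("' + Buffer.from(COLLECTOR_URL).toString('base64') + '");',
  // as in line 6: the self-contained login page, URI-encoded
  'document.write(decodeURIComponent("' + encodeURIComponent(FAKE_LOGIN_PAGE) + '"));',
].join('\n');

// Outer layer: the whole script is percent-encoded and handed to unescape().
const SAMPLE_HTM =
  '<html><body><script>' +
  'document.write(unescape("' + encodeURIComponent(INNER_SCRIPT) + '"));' +
  '</script></body></html>';

// --- Decoding helpers --------------------------------------------------------
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const PASSWORD_INPUT_RE = /<input[^>]*type\s*=\s*["']?password/i;

// Decode every double-quoted literal that is mostly %XX / %uXXXX escapes.
// Returns the decoded strings; literals with few escapes are left alone.
function peelPercentLayer(text) {
  const found = [];
  for (const m of text.matchAll(/"([^"]*)"/g)) {
    const body = m[1];
    const escapes = (body.match(/%(?:u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})/g) || []).length;
    if (escapes < 4) continue;                       // not an obfuscation layer
    // unescape()-style %uXXXX first, then standard percent-decoding
    const noUnicode = body.replace(/%u([0-9A-Fa-f]{4})/g,
      (_, h) => String.fromCharCode(parseInt(h, 16)));
    try { found.push(decodeURIComponent(noUnicode)); } catch (e) { found.push(noUnicode); }
  }
  return found;
}

// Pull URLs out of atob("...") calls, the pattern seen on the post's line 4.
function extractBase64Urls(text) {
  const urls = [];
  for (const m of text.matchAll(/atob\(\s*"([A-Za-z0-9+/]+={0,2})"\s*\)/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\//i.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Peel layers until nothing decodes further, then collect indicators.
function triageAttachment(htm) {
  const layers = [htm];
  let frontier = [htm];
  while (frontier.length && layers.length <= 20) {   // cap pathological nesting
    frontier = frontier.flatMap(peelPercentLayer);
    layers.push(...frontier);
  }
  const all = layers.join('\n');
  const recipient = (all.match(EMAIL_RE) || [null])[0];
  const exfilUrls = extractBase64Urls(all);
  const hasPasswordField = PASSWORD_INPUT_RE.test(all);

  const indicators = [];
  if (layers.length > 1) indicators.push('percent-encoded script layer');
  if (exfilUrls.some((u) => /\.php(\?|$)/i.test(u))) indicators.push('Base64-encoded URL to a .php endpoint');
  if (hasPasswordField) indicators.push('embedded password form');

  return {
    layersPeeled: layers.length - 1,
    recipient,
    exfilUrls,
    hasPasswordField,
    indicators,
    verdict: indicators.length >= 2 ? 'suspicious' : 'benign',
  };
}

console.log(JSON.stringify(triageAttachment(SAMPLE_HTM), null, 2));
```

Two indicators together (an encoding layer plus either a .php collector or a password form) are what make this lure stand out; a single percent-encoded literal on its own is common in benign pages, so the verdict deliberately needs more than one.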

Dynamic Analysis:

Using Google Chrome's Developer Tools and reloading the .htm page, we can gain some insightful information from the request headers. Here we can see a request to a URL that calls a file labeled “o365.php”.


Figure 6 - Headers of the .htm file


Through a series of JavaScript commands and encodings, the captured information, along with other information such as the IP address and User-Agent string, is uploaded to the following URL: https[:]//redacted/../o365logz.txt

Figure 7 – Web directory of the malicious URL


Figure 8 – Information that is uploaded and stored by the malicious code


How was this possible?

Providers such as Google flag malicious websites when they present a risk to users in the form of malware. From what we can tell, this site has only been around for approximately 4 months and is not flagged as malicious by a few vendors.


Figure 9 – VirusTotal giving a clean score to the malicious URL


Figure 10 – AlienVault not seeing any activity associated with the site

How can you protect yourself?

Since spam and phishing emails can take a variety of forms, we suggest the following:

  • Never open emails and/or attachments from untrusted sources. If you have received an email that looks “out of the norm”, it is always better to report it to your IT support team or email provider

  • Never enter your credentials on a website that is missing “https” at the beginning of the URL, e.g. “https[:]//login.microsoft.com” is the correct URL; “http[:]//login.microssoft.com” is not

  • Block the spam email address

  • Delete the spam email message

  • Keep your device’s OS, software and anti-malware software up to date
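The second bullet above, written as code, as an added example that is not from the original post: it parses the URL, requires https, accepts only an exact match against a trusted sign-in host list, and explains a refusal, including a look-alike such as “microssoft” or a trusted name used as a subdomain of some other domain. The trusted host list is an assumption taken from the bullet; replace it with your organisation's actual sign-in hosts.

```javascript
// Checking a login URL before entering credentials (added example, not code
// from the original post). TRUSTED_LOGIN_HOSTS is an assumption based on the
// post's own example; the sample URLs in the usage line are constructed.

const TRUSTED_LOGIN_HOSTS = ['login.microsoft.com'];

// Levenshtein edit distance; a host only a character or two away from a
// trusted one (login.microssoft.com) is a typosquat, not a typo to forgive.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function checkLoginUrl(raw, trusted = TRUSTED_LOGIN_HOSTS) {
  let url;
  try {
    url = new URL(raw);                       // WHATWG URL parser (Node and browsers)
  } catch (e) {
    return { ok: false, reason: 'not a parseable URL' };
  }
  const host = url.hostname.toLowerCase();

  // Rule 1 from the post: never send credentials over plain http.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not https (' + url.protocol + ')' };
  }
  // Rule 2: the host must be exactly a trusted sign-in host.
  if (trusted.includes(host)) {
    return { ok: true, reason: 'https and exact trusted host' };
  }
  for (const t of trusted) {
    // "login.microsoft.com.phish-host.invalid": trusted name as a subdomain label
    if (host.startsWith(t + '.')) {
      return { ok: false, reason: 'trusted name ' + t + ' used as a subdomain of ' + host.slice(t.length + 1) };
    }
    // "login.microssoft.com": within two edits of a trusted host
    if (editDistance(host, t) <= 2) {
      return { ok: false, reason: 'look-alike of ' + t };
    }
  }
  return { ok: false, reason: 'host not in the trusted list' };
}

// Constructed sample URLs: the post's good and bad examples plus two variants.
for (const u of ['https://login.microsoft.com/', 'http://login.microssoft.com/',
                 'https://login.microssoft.com/', 'https://login.microsoft.com.phish-host.invalid/']) {
  console.log(u, '->', JSON.stringify(checkLoginUrl(u)));
}
```

The check is an allowlist, not a blocklist: anything that is not an exact trusted host is refused, and the edit-distance and subdomain tests exist only to give the user a clear reason rather than to widen what is accepted.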

