Credential Phishing Attack Poses as an Automated Aging Report Notification
In this attack, the subject of the email indicated the purpose of the message was to share a recent copy of a financial aging report. The body of the email was blank, but contained an HTML attachment named “AGING STATEMENT REPORT.htm.” The email was sent from a spoofed copy of the recipient’s own address and, rather than including a sender’s name, the sending display name included “Notification for” followed by the recipient’s email username, which makes the message look like it was sent by an automated internal system.
Had the recipient opened the attached HTML file, they would have been presented with a crude version of a Microsoft Outlook login page, indicating they would need to enter their credentials in order to view the document. The phishing page was designed to be prefilled with the target’s email address, so only the password would need to be entered.
How Does This Attack Bypass Email Defenses?
Because there was no text in the body of the email, natural language processing had nothing to analyze that would indicate malicious intent. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain. IOCs associated with the HTML attachment, such as file hash, had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators.
How Can This Attack Be Detected?
HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. The sender’s display name resembles an administrator account; however, the email address has never been used to communicate with employees at the company. The sending and receiving email addresses in this email appeared to be identical, which is an indicator that this message is potentially malicious.
What are the Risks of This Attack?
If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.