Payload Credential Phishing Attack Incorporates a Tax Refund Theme
This attack was designed to resemble a tax refund document sent via secure message. It was sent to a company executive by spoofing their email address, making it look like they had sent the document to themselves. The sender’s display name, however, was set to the target company’s name rather than the targeted employee’s name. The body of the email was blank and contained only an HTML attachment with the filename “copy00248.html”.
Upon opening the attached HTML file, the recipient would have been directed to a phishing page pre-populated with their email address. The phishing page stated that the recipient must authenticate themselves by verifying their account password “because you’re accessing sensitive info.” The phishing page was also customized with a background containing the target company’s branding and the company’s logo in the login prompt.
Why It Bypassed Traditional Security
Because there was no text in the body of the email, natural language processing had nothing to analyze that would indicate malicious intent. The URL within the attachment had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators.
Detecting the Attack
A holistic detection system must be able to extract URLs from email attachments and analyze them, alongside other signals obtained through content analysis, to assess the intent of any links and determine whether the email is malicious. HTML attachments are commonly used to deliver phishing payloads without placing the malicious content in the email body itself. The sending and receiving email addresses in this message were identical, which is itself an indicator that the message is potentially malicious.
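As an added illustration of the detection approach described above (example code, not the vendor's own detection logic), the following Python triage script parses a constructed message shaped like this attack, pulls the URLs out of its HTML attachment, checks whether the body is blank, and flags the self-addressed From/To spoof. The domains and URLs in the sample are placeholders, not indicators from the report.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the report: blank body, one HTML attachment, From == To; placeholder domains.
SAMPLE_EML = b"""From: "Example Corp" <ceo@example.test>
To: ceo@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: text/html; name="copy00248.html"
Content-Disposition: attachment; filename="copy00248.html"

<html><head><meta http-equiv="refresh" content="0;url=https://phish.example.invalid/verify"></head>
<body><form action="https://phish.example.invalid/post"><input name="email" value="ceo@example.test">
</form><a href="https://phish.example.invalid/help">help</a></body></html>
--b1--
"""

class _URLExtractor(HTMLParser):
    # Destinations live in link/form/frame attributes, meta refresh, or inline script text.
    URL_ATTRS = {"a": "href", "form": "action", "iframe": "src", "script": "src"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if attrs.get(self.URL_ATTRS.get(tag, "")):
            self.urls.append(attrs[self.URL_ATTRS[tag]])
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.urls += re.findall(r"url\s*=\s*([^;\s\"']+)", attrs.get("content", ""), re.I)
    def handle_data(self, data):  # catches e.g. window.location = "https://..." inside <script>
        self.urls += re.findall(r"https?://[^\s\"'<>]+", data)

def _attachment_urls(part):
    p = _URLExtractor()
    p.feed(part.get_content())
    return p.urls

def triage(raw: bytes) -> dict:
    # Signals from the report: blank body, self-addressed From/To, URLs hidden in HTML attachments.
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    blank_body = not (body.get_content().strip() if body else "")
    senders = {a.addr_spec.lower() for a in (msg["From"].addresses if msg["From"] else ())}
    rcpts = {a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())}
    urls = {p.get_filename(): _attachment_urls(p) for p in msg.iter_attachments() if p.get_content_type() == "text/html"}
    self_addressed = bool(senders & rcpts)
    return {"blank_body": blank_body, "self_addressed": self_addressed, "attachment_urls": urls,
            "suspicious": self_addressed or (blank_body and any(urls.values()))}
```

Running `triage(SAMPLE_EML)` reports all three indicators for the sample; a plain text-only message from a different sender trips none of them.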
Risk to Organization
Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.