In this attack, the email is designed to look like a secure-document notification in order to hide the fact that its HTML attachment leads to a phishing site. The threat actor uses a sending address identical to the recipient's address, which indicates that the sender has been spoofed.

This self-addressed message contains no content in the actual body of the email, just an HTML attachment that leads to a Microsoft phishing page. The subject line “Settlement Release Signed” encourages the recipient to click through to the HTML attachment titled “Release Approved”.

Figure: Settlement release email

Once the recipient opens the attachment and lands on the phishing page, they are presented with a login form that requests credentials in order to view the signed settlement release referenced in the subject line. This makes the email appear to be a normal secure message that requires the recipient to log in to view the attachment.

Figure: Settlement release phishing page

Why It Bypassed Traditional Security

As the URL within the attachment has not been previously detected as malicious, it can bypass traditional tools that look for known bad indicators.

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs. When a cloud email security platform understands the intent of the link and other signals acquired through content analysis, it can detect malicious emails that otherwise would have been missed. This email appears to have identical sending and receiving addresses, which indicates that it may be malicious.
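As an added illustration (not part of the original page or any vendor's product), the following Python checks a raw message for the signals named above: identical sender and recipient, an empty body, an HTML attachment, and, where an Authentication-Results header is present, an SPF result other than pass. The sample message, addresses and filename are constructed for the example.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the lure described above (not a real capture):
# self-addressed, no body text, a single HTML attachment named "Release Approved".
SAMPLE_RAW = (
    "From: jane.doe@example.com\n"
    "To: jane.doe@example.com\n"
    "Subject: Settlement Release Signed\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/html; name="Release Approved.html"\n'
    'Content-Disposition: attachment; filename="Release Approved.html"\n'
    "\n"
    "<html><body>Release Approved</body></html>\n"
    "--b1--\n"
)


def _addr_set(msg, *header_names):
    """Lower-cased addr-specs from every occurrence of the given headers."""
    return {a.addr_spec.lower() for name in header_names
            for hdr in msg.get_all(name, []) for a in hdr.addresses}


def analyze_message(raw: str) -> dict:
    """Collect the signals described above for one raw message and return a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    senders, recipients = _addr_set(msg, "From"), _addr_set(msg, "To", "Cc")
    body = msg.get_body(preferencelist=("plain", "html"))  # attachment parts are skipped
    body_text = body.get_content().strip() if body is not None else ""
    html_attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()
                        if p.get_content_type() == "text/html"
                        or (p.get_filename() or "").lower().endswith((".html", ".htm"))]
    spf = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    signals = {
        "self_addressed": bool(senders & recipients),
        "empty_body": body_text == "",
        "html_attachment": bool(html_attachments),
        "spf_not_pass": spf is not None and spf.group(1).lower() != "pass",
    }
    # The combination, not any single header, drives the verdict; SPF is corroboration only.
    flagged = all(signals[k] for k in ("self_addressed", "empty_body", "html_attachment"))
    return {"signals": signals, "attachments": html_attachments, "flagged": flagged}
```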

Risk to Organization

As soon as an employee enters his or her credentials, attackers can access their Microsoft 365 email account, which they can use to find sensitive information or to launch attacks against coworkers, customers, or vendors. This also provides access to the entire Microsoft environment, where attackers can search through documents in SharePoint or OneDrive, or find information in Microsoft Teams.

Analysis Overview

Vector: Payload-based
Goal: Credential Theft
Tactic: Self-Addressed Spoofed Email
Theme: Secure Message, Fake Document
Impersonated Party: Employee - Other