Credential Phishing Attack Poses as Executive’s Bonus Document

In this attack, the executive recipient was instructed to review an attached document and sign it in order to receive their scheduled year-to-date bonus.The email was sent from a Swiss GMX account, which can be obtained freely. The display name of the sender was modified to look like it was coming from an admin account at the company and included the recipient company’s domain. 

When opened, the attached HTML file displayed a phishing page mimicking a Microsoft login page that was pre-populated with the recipient’s email address. 

The URL within the attachment is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators.  This email is sent from a GMX account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. An analysis of the HTML file identified a URL that had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious. The sender’s display name resembles an administrator’s account, but is being sent from a non-company email account.

Once an employee enters their credentials, attackers have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.