Phishing Email – 2021-04-27

I’ve had several users reporting phishing emails. Lets look at one of them.

A user received an email that just said “You’ve recieved [sic] a document on Onedrive.” It had an attached HTML document. They correctly reported it (yay!) and I looked at it. And it looks like a lazy scammer, because it should probably say “You’ve received a voicemail“. But more on that later.

First of all, I have HTML files opening by default in VSCodium (so I can’t accidentally run any of this), but if you open the file it looks… well horrible.

And this goes on and on and on

Now, as I’m not Neo, I don’t know what that means. But the cyberchef tool from GCHQ will tell you. Just run the URL decode function, which should be right here. Copy and paste the bits between unescape(‘THE BITS HERE’) and drop it in to cyberchef to see the HTML code created

Looks like making a fake Microsoft login page there. You can quickly look at the URLs it tries to load to have a quick look and what is going on

Nothing particularly odd here (yet). Using bootstrap and cloudflare, which makes sense as that would look ‘normal’ if you are checking. But that was just the first of three encoded bits. The second looks more interesting (email highlighted edited to a nonsense one)

CyberChef again to the rescue to see

And there is the fake login

Now let’s look at the third section and any http links

Well that looks interesting. Looks like it sends the email address there (I’m sure to autopopulate to make it look more legitimate). There are two more links that are interesting. Lets look at the first one

This time sending the username and password to that website for attempting to log in to Microsoft. That website doesn’t appear to be working right. Now lets look at the other interesting link

This one is the most interesting, and why I think it should have said voicemail and not document. If you go there, it plays an archive.org file of a voicemail saying “Hi, please give me a call, thank you, bye“. This might actually possibly the cleverest bit of this as you just think it’s a wrong number and move on. If you click something and nothing happens, you start to question it. If you click something and something opens, you don’t.

Now this is as far as I’m taking it. The website is down, my user didn’t click the link, and the email was spoofed from the user, so there isn’t really much more I can do. If the website was up, it wouldn’t be too hard to set up a python script to make up random email addresses and passwords, but in my mind that crosses the line unless you can guarantee that only email addresses you control are used. While it’s astronomically unlikely you will get a valid username and password, you might end up locking a valid email account out.

Until next time, stay safe out there.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s