An Increase in Phishing Attempts
We are again seeing an increase in phishing email attempts as well as some altered tactics by the attackers. You likely have seen these emails in your inboxes recently. If not, consider yourself fortunate.
What these new phishing attacks look like.
HTML smuggling is one of the latest mainstream methods for delivering malware via email, and it is increasing in frequency; you can read more about this at Trustwave.
I received the following email earlier today, which is part of my motivation for writing this, and was disappointed with how Outlook represented it, since I couldn’t see what kind of file was attached without clicking on something. Clicking on something in a questionable email is a scary proposition, since you are unsure what it is.
The first giveaway was the sender’s email address, which was completely foreign to me. Always, always, always look at where the email is coming from. If you don’t recognize the sender, proceed with caution.
The second issue with this email was the Subject. I know the phone systems we have and the formatting of the emails they send out, and this was definitely not in the proper format… So this was strike two.
The attachments may look benign, .htm files, but further analysis indicated to me that they were most likely carrying a payload that would execute malicious code on my computer. We can tell by looking into the source of the email and seeing that the .htm attachment is tagged as HTML and base64-encoded. Normally the HTML is not encoded at all; it is plain text and legible. Bad actors use base64 to obfuscate or hide the code from view while it can still execute.
The following image is the same email viewed in the Thunderbird email client. One of the nice things about Thunderbird, other than being a free application, is that you can easily see attachment names and From addresses, in contrast to many other clients.
When we investigate the email contents as plain text, we can see that the attached file is treated as an application (to be executed) and is base64-encoded.
The complete attachment runs to over 1000 lines of 80 characters each, and it will execute something on your system if you try to open it.
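One way to check a saved .eml file for exactly this pattern, as an added example that is not code from the original post or from Trustwave: it walks the MIME parts with Python's standard email library, flags .htm/.html attachments that are labelled with an application type or sent base64-encoded, and scans the decoded HTML for strings typical of smuggling scripts. The message, sender address and filename are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed HTML attachment (not the author's email): the smuggling pattern
# is script that decodes an embedded base64 string into a Blob when opened.
# Here the "payload" is just the word "hello".
SMUGGLED_HTML = b"""<html><body><script>
var data = atob("aGVsbG8=");
var blob = new Blob([data], {type: "application/octet-stream"});
</script></body></html>"""

# Strings common in smuggling scripts; a hit is a hint for review, not proof.
INDICATORS = (b"atob(", b"new Blob(", b"createObjectURL(", b"msSaveOrOpenBlob")
HTML_NAME = re.compile(r"\.html?$", re.IGNORECASE)

def build_sample_eml() -> bytes:
    """Constructed voicemail-themed message; bytes attachments get base64 CTE."""
    msg = EmailMessage()
    msg["From"] = "voicemail-notice@example.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "New Voice Message Received"
    msg.set_content("You have a new voicemail. Open the attachment to listen.")
    msg.add_attachment(SMUGGLED_HTML, maintype="application",
                       subtype="octet-stream", filename="VM_20231005.htm")
    return msg.as_bytes()

def find_suspicious_attachments(raw_eml: bytes):
    """Return [(filename, reasons)] for .htm/.html attachments worth a look."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not HTML_NAME.search(name):
            continue  # only HTML attachments are examined here
        reasons = []
        if part.get_content_maintype() == "application":
            reasons.append("HTML file labelled " + part.get_content_type())
        if str(part.get("Content-Transfer-Encoding", "")).lower() == "base64":
            reasons.append("base64-encoded HTML")
        body = part.get_payload(decode=True) or b""  # decode before scanning
        hits = [i.decode() for i in INDICATORS if i in body]
        if hits:
            reasons.append("smuggling indicators: " + ", ".join(hits))
        if reasons:
            findings.append((name, reasons))
    return findings
```

Running it on a real message is `find_suspicious_attachments(open("mail.eml", "rb").read())`; a hit means open the source in a text editor rather than double-clicking the attachment.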
Combination – Pharming, HTTPS Phishing and Image Phishing
All of the names listed in the header above are types of phishing attempts. You need not worry about their names, but you do need to be aware of what these types of attacks look like. I just happened to acquire this email today as well, so without further delay…
- The email address is a horrible mess, causing it to fail the smell test right away. There is something very wrong with the To address that we need to address with our email provider, in this case Microsoft 365.
- The link for “PRINT | REVIEW DOCS HERE” goes to a domain that is not legible, yet it is a real domain with routable IP addresses, meaning that it is live.
- Under the Preferences there were numerous attached files whose names were not legible. Again, these are likely obfuscated to keep users from questioning what they are or what they are for.
Emails like this one have many methods to hook you. Because the bad actors are seldom prosecuted, they keep honing their craft to make these look as legitimate as possible.
If you have any questions regarding the legitimacy of an email, please seek the advice of a trusted professional. The potential for losses is great, as this is by far the most effective method for malware and ransomware to infiltrate systems.