Email-based attacks continue to make novel attempts to bypass email security solutions. In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.<\/p>\n
To defend organizations against this campaign and similar threats, Microsoft Defender for Office 365<\/a> uses multiple layers of dynamic protection technologies backed by security expert monitoring of email campaigns. Rich email threat data from Defender for Office 365 informs Microsoft 365 Defender<\/a>, which provides coordinated defense against follow-on attacks that use credentials stolen through phishing. Microsoft 365 Defender does this by correlating threat data from email, endpoints, identities, and cloud apps to provide cross-domain defense.<\/p>\n The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line.<\/p>\n The email attachment is an HTML file, but the file extension is modified to any or variations of the following:<\/p>\n Figure 1. Sample phishing email message with the HTML attachment<\/em><\/p>\n Using xls<\/em> in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo. See below:<\/p>\n Figure 2. Sample credentials dialog box with a blurred Excel image in the background. If the target user\u2019s organization\u2019s logo is available, the dialog box will display it. Otherwise, it displays Office 365 logos.<\/em><\/p>\n The dialog box prompts the user to re-enter their password, because their access to the Excel document has supposedly timed out. However, if the user enters their password, they receive a fake note that the submitted password is incorrect. Meanwhile, the attacker-controlled phishing kit running in the background harvests the password and other information about the user.<\/p>\n This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls. As previously mentioned, the HTML attachment is divided into several segments, which are then encoded using various encoding mechanisms. To illustrate, this phishing attack\u2019s segments are deconstructed in the following diagram:<\/p>\n Figure 3. Anatomy of a phishing campaign<\/em><\/p>\n As seen in the previous diagram, Segments 1 and 2 contain encoded information about a target user\u2019s email address and organization. Not only do these details enhance a campaign\u2019s social engineering lure, but they also suggest that the attackers have conducted prior recon on the target recipients.<\/p>\n Regular updates of encoding methods prove that the attackers are aware of the need to change their routines to evade security technologies.<\/p>\n Below is a timeline of the encoding mechanisms this phishing campaign used from July 2020 to July 2021:<\/p>\n Figure 4. Timeline of the xls\/xslx.html phishing campaign and encoding techniques used<\/em><\/p>\n Based on the campaign\u2019s ten iterations we have observed over the course of this period, we can break down its evolution into the phases outlined below. For a complete list of social engineering lures, attachment file names, JavaScript file names, phishing URLs, and domains observed in these attacks, refer to the Appendix.<\/p>\n The first iteration of this phishing campaign we observed last July 2020 (which used the \u201cPayment receipt\u201d lure) had all the identified segments such as the user mail identification (ID) and the final landing page coded in plaintext HTML. However, this changed in the following month\u2019s wave (\u201cContract\u201d) when the organization\u2019s logo\u2014obtained from third-party sites\u2014and the link to the phishing kit were encoded using Escape.<\/p>\n Figure 5. Attack segments in the HTML code in the July 2020 wave<\/em><\/p>\n Figure 6. Embedded phishing kit domain and target organization\u2019s logo in the HTML code in the August 2020 wave<\/em><\/p>\n Beginning with a wave in the latter part of August 2020, the actual code segments that display the blurred Excel background and load the phishing kit were removed from the HTML attachment. These were replaced with links to JavaScript files that, in turn, were hosted on a free JavaScript hosting site.<\/p>\n The segments, links, and the actual JavaScript files were then encoded using at least two layers or combinations of encoding mechanisms. We have observed this tactic in several subsequent iterations as well. For example, inside the HTML code of the attachment in the November 2020 wave (\u201cOrganization name\u201d), the two links to the JavaScript files were encoded together in two steps\u2014first in Base64, then in ASCII. Meanwhile, the user mail ID and the organization\u2019s logo in the HTML file were encoded in Base64, and the actual JavaScript files were encoded in Escape.<\/p>\n Figure 7. HTML code containing the encoded JavaScript in the November 2020 wave<\/em><\/p>\n Figure 8. First level of encoding using Base64, side by side with decoded string<\/em><\/p>\n Figure 9. Second level of encoding using ASCII, side by side with decoded string<\/em><\/p>\n Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (\u201cOrganization report\/invoice\u201d) and May 2021 (\u201cPayroll\u201d) waves.<\/p>\n In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.<\/p>\n Figure 10. Morse code-encoded embedded JavaScript in the February 2021 wave, as decoded at runtime<\/em><\/p>\n While earlier iterations of this campaign use multiple encoding mechanisms by segment, we have observed a couple of recent waves that added one or more layers of encoding to \u201cwrap\u201d the entire HTML attachment itself. For example, in the March 2021 wave (\u201cInvoice\u201d), the user mail ID was encoded in Base64. Meanwhile, the links to the JavaScript files were encoded in ASCII before encoding it again with the rest of the HTML code in Escape.<\/p>\n This was seen again in the May 2021 iteration, as described previously. In the June 2021 wave, (\u201cOutstanding clearance slip\u201d), the link to the JavaScript file was encoded in ASCII while the domain name of the phishing kit URL was encoded in Escape. The entire HTML attachment was then encoded using Base64 first, then with a second level of obfuscation using Char coding (delimiter:Comma, Base:10).<\/p>\n Figure 11. Multilayer-encoded HTML in the June 2021 wave, as decoded at runtime<\/em><\/p>\n In the May 2021 wave, a new module was introduced that used hxxps:\/\/showips[.]com\/api\/geoip\/<\/em> to fetch the user\u2019s IP address and country data and sent them to a command and control (C2) server. As previously mentioned, attackers could use such information, along with usernames and passwords, as their initial entry point for later infiltration attempts.<\/p>\n Figure 12. Script that collects a user\u2019s IP address and location in the May 2021 wave<\/em><\/p>\n In the July 2021 wave (\u201cPurchase order\u201d), instead of displaying a fake error message once the user typed their password, the phishing kit redirected them to the legitimate Office 365 page.<\/p>\n Figure 13. User\u2019s credentials being posted to the attacker\u2019s C2 server while the user is redirected to the legitimate Office 365 page<\/em><\/p>\n The highly evasive nature of this threat and the speed with which it attempts to evolve requires comprehensive protection. Microsoft Defender for Office 365<\/a> detects malicious emails from this phishing campaign through diverse, multi-layered, and cloud-based machine learning models and dynamic analysis. In addition to inspecting emails and attachments based on known malicious signals, Microsoft Defender for Office 365 leverages learning models that inspect email message and header properties to determine the reputation of both the sender (for example, sender IP reputation) and recipient of the message.<\/p>\n Microsoft Defender for Office 365 has a built-in sandbox where files and URLs are detonated and examined for maliciousness, such as specific file characteristics, processes called, and other behavior. For this phishing campaign, once the HTML attachment runs on the sandbox, rules check which websites are opened, if the JavaScript files decoded are malicious or not, and even if the images used are spoofed or legitimate.<\/p>\n Microsoft Defender for Office 365 is also backed by Microsoft experts who continuously monitor the threat landscape for new attacker tools and techniques. The speed that attackers use to update their obfuscation and encoding techniques demonstrates the level of monitoring expertise required to enrich intelligence for this campaign type.<\/p>\n Threat data from other Microsoft 365 Defender<\/a> services enhance protections delivered by Microsoft Defender for Office 365 to help detect and block malicious components related to this campaign and the other attacks that may stem from credentials this campaign steals. Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide coordinated defense.<\/p>\n Finally, this blog entry details the techniques attackers used in each iteration of the campaign, enabling defenders to enhance their protection strategy against these emerging threats. Defenders can apply the security configurations and other prescribed mitigations that follow. Defenders can also run the provided custom queries using advanced hunting in Microsoft 365 Defender to proactively check their network for attacks related to this campaign.<\/p>\n Apply these mitigations to reduce the impact of this threat:<\/p>\n Alerts with the following title in the Microsoft 365 Security Center can indicate threat activity in your network:<\/p>\n Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n To locate specific attachments related to this campaign, run the following query:<\/p>\n Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365<\/a>.<\/p>\n \u00a0<\/em><\/strong><\/p>\n HTML attachment name format:<\/strong><\/p>\n Blurred Excel background images: <\/strong><\/p>\n Phishing domain:<\/strong><\/p>\n HTML attachment name format:<\/strong><\/p>\n Links to organization logos:<\/strong><\/p>\n Phishing domains: <\/strong><\/p>\n HTML attachment name format:<\/strong><\/p>\n Hosted JavaScript files:<\/strong><\/p>\n Phishing domain:<\/strong><\/p>\n HTML attachment name format:<\/strong><\/p>\n Hosted JavaScript files:<\/strong><\/p>\n Phishing domain:<\/strong><\/p>\n HTML attachment name format:<\/strong><\/p>\n Hosted JavaScript files:<\/strong><\/p>\n Phishing domain: <\/strong><\/p>\n HTML attachment name formats: <\/strong><\/p>\n Hosted JavaScript files:<\/strong><\/p>\n Phishing domains: <\/strong><\/p>\n HTML attachment name format: <\/strong><\/p>\n Hosted JavaScript files:<\/strong><\/p>\nXLS.HTML phishing campaign: Fake payment notices are effective tool for attackers to steal credentials<\/h2>\n
\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig1b-sample-phishing-email-message.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig2-sample-credentials-dialog-box.png\")
<\/p>\nFrom plaintext to Morse code: A timeline of frequently changing attack segment encoding<\/h2>\n
![\"diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig3b-anatomy-of-phishing-campaign.png\")
<\/p>\n\n
![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig4c-timeline.png\")
<\/p>\nTransition from plaintext HTML to encoded segments<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig5-Attack-segments-in-HTML-code.png\")
<\/p>\n![\"HTML](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig6-embedded-phish-kit-domain.png\")
<\/p>\nHosting of segments on third-party sites and multiple encoding mechanisms<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig7-HTML-containing-embedded-JavaScript.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig8-First-level-of-encoding-using-Base-64.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig9-second-level-of-encoding-using-ASCII.png\")
<\/p>\nUse of Morse code<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig10-Morse-code.png\")
<\/p>\nUse of encoding \u201cwrapper\u201d<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig11-Multilayer-encoded-HTML.png\")
<\/p>\nIntroduction of a new information-stealing module<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig12-Script-that-collects-IP-address.png\")
<\/p>\nRedirection to Office 365 page<\/h3>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Fig13-User-credentials-posted-to-attacker-C2.png\")
<\/p>\nDetecting dynamically changing email obfuscation techniques through coordinated threat defense<\/h2>\n
Mitigation actions<\/h3>\n
\n
Endpoint detection and response detections<\/h3>\n
\n
Antivirus detections<\/h3>\n
\n
Advanced hunting<\/h3>\n
\/\/\u00a0Searches\u00a0for\u00a0email\u00a0attachments\u00a0with\u00a0a\u00a0specific\u00a0file\u00a0name\u00a0extension\u00a0xls.html\/xslx.html
\nEmailAttachmentInfo
\n|\u00a0where\u00a0FileType\u00a0has\u00a0\"html\"
\n|\u00a0where\u00a0FileName\u00a0endswith_cs\u00a0\"._xslx.hTML\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"_xls.HtMl\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"._xls_x.h_T_M_L\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"_xls.htML\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"xls.htM\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"xslx.HTML\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"xls.HTML\"\u00a0or\u00a0FileName\u00a0endswith_cs\u00a0\"._xsl_x.hTML\"
\n|\u00a0join\u00a0EmailEvents\u00a0on\u00a0$left.NetworkMessageId\u00a0==\u00a0$right.NetworkMessageId
\n|\u00a0where\u00a0EmailDirection\u00a0==\u00a0\"Inbound\"<\/code><\/p>\nAppendix: Indicators<\/h2>\n
July 2020: Payment receipt<\/h3>\n
\n
\n
\n
August 2020: Contract<\/h3>\n
\n
\n
\n
Late August 2020: Ctr<\/h3>\n
\n
\n
\n
November 2020: Organization name<\/h3>\n
\n
\n
\n
January 2021: Organization report<\/h3>\n
\n
\n
\n
February 2021: Organization report\/invoice<\/h3>\n
\n
\n
\n
March 2021: Invoice<\/h3>\n
\n