Alex wrote:
Hi,
Would anyone like to help me block this office phish? It includes an
HTML file that presents an O365 login page:

https://pastebin.com/JMSrY6KU

More JavaScript in an HTML file.
Yes, there's something going on.

I had some trouble yesterday, and found a message sent from a valid ...protection.outlook.com server, with an Octet-Stream, Base64 attachment entitled "message.html".

SeaMonkey did render the HTML in the message window, but (correctly) did not execute any JavaScript.

Encrypted message
From
address@munged
To
address@munged
To view the message, sign in with a Microsoft account, your work or school account, or use a one-time passcode.


        Message encryption by Microsoft Office 365



When clicking on the HTML message, all the JavaScript seems to do is an "onload" JavaScript "Loading..." message that then switches to give the user the option to log on with their email or get a one-time passcode. The link takes you to a valid https://login.live.com login.

I never would've caught this except it hit an old header rule I use for certain Hotmail Porn detection.

Content-Type: multipart/mixed;
        boundary="_c23d8b80-2b40-49d4-8897-08b0026dddfb_"

I called my customer to see if they opened it as it was in their Junk mailbox.  They didn't recognize the sender so no, they didn't.

Interesting, indeed.

-- Jared Hall
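
The attachment pattern described in this message (an `application/octet-stream`, Base64 part named `message.html` that carries JavaScript) can be checked for directly. The following is an added detection sketch, not code from the thread; the sample message, its addresses and all function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script markers to look for in the decoded attachment body.
SCRIPT_RE = re.compile(rb"<script\b|\bonload\s*=", re.I)
# File names that a mail client or browser will open as HTML.
HTML_NAME_RE = re.compile(r"\.(html?|shtml|xhtml)$", re.I)

def suspicious_html_attachments(raw: bytes):
    """Return (filename, reason) for HTML files declared under a non-HTML MIME type."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        # Only flag the mismatch: .html file name, but not declared text/html.
        if not HTML_NAME_RE.search(name) or ctype == "text/html":
            continue
        body = part.get_payload(decode=True) or b""  # undoes the Base64 encoding
        reason = "html-as-" + ctype
        if SCRIPT_RE.search(body):
            reason += "+script"
        hits.append((name, reason))
    return hits

def build_sample(with_script: bool = True) -> bytes:
    """Constructed test message shaped like the one described above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "rcpt@example.com"          # constructed address
    msg["Subject"] = "Encrypted message"
    msg.set_content("To view the message, open the attachment.")
    html = b"<html><body>Loading...</body></html>"
    if with_script:
        html = (b'<html><body onload="init()">Loading...'
                b"<script>function init(){}</script></body></html>")
    # Bytes attachments are Base64-encoded by default, as in the report.
    msg.add_attachment(html, maintype="application",
                       subtype="octet-stream", filename="message.html")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in suspicious_html_attachments(build_sample()):
        print(name, reason)
```

A check like this keys on the attachment itself rather than on an incidental header such as the MIME boundary format, so it does not depend on an unrelated rule happening to fire.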