Threat Level: green Handler on Duty: Tom Webb

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Mon, Feb 27th):Cloudflare Data Leak; Dynamite Phishing

Latest Diaries

Dynamite Phishing

Published: 2017-02-27
Last Updated: 2017-02-27 00:52:21 UTC
by Tom Webb (Version: 1)
0 comment(s)

Last week I ran across a very successful phishing campaign, what’s odd in most ways it was nothing special. The attacker was using this more like a worm, where stolen credentials would be used within the hour to start sending out a mass amount of more phishes. I've decided to call this "Dynamite Phishing" because there is nothing quiet about this at all. It seems about 40% of the credentials were used for more mailings, and the other account's credentials had not been used.

The initial phishes came in from a K12 domain from several affected individuals. The email subject was  “You have an Incoming Document Share With You Via Google Docs”. The contents of the email were base64 encoded, while it appears to be common Content-Transfer-Encoding, it's not something I typically run into especially when looking at Phishes.

Here is what the Document rendered as.


Screen Shot 2017-02-22 at 12.49.22 PM.png


The link in the document went to "hxxp://" which went to hxxp://

The landing page was setup as a generic Outlook Web Access 2013 login page.

Some of the headers had the below client listed.  It appears the EM_Client is a pretty popular email client, but it maybe something you can block on depending on your environment.

user-agent: eM_Client/7.0.27943.0

While most people have good protections from Emails coming from external entities into their email environment, many don’t push the same protections intra-domain.  The volume of email sent from the Phished accounts to other Internal accounts is what made this so successful.


Lessons Learned:

  • Two-factor Authentication to Email services.
  • Don’t trust internal-to-internal email
  • Rate limit or block emails with X-number of recipients inbound and outbount




Tom Webb


Keywords: Phish
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

CRA Maldoc Analysis
Feb 26th 2017
6 hours ago by DidierStevens (0 comments)

It is Tax Season - Watch out for Suspicious Attachment
Feb 26th 2017
1 day ago by Guy (0 comments)

Unpatched Microsoft Edge and IE Bug
Feb 25th 2017
2 days ago by Guy (0 comments)

Cloudflare data leak...what does it mean to me?
Feb 24th 2017
2 days ago by Rick (3 comments)

Practical collision attack against SHA-1
Feb 23rd 2017
3 days ago by Rick (4 comments)

Quick and dirty generic listener
Feb 22nd 2017
4 days ago by Jim (0 comments)

Microsoft Patch Tuesday, or is that "Patch Next Tuesday"? - Flash Player RCE patched today
Feb 21st 2017
5 days ago by Rob VandenBrink (1 comment)

2 Apple Updates Today as Well - GarageBand and Logic Pro X
Feb 21st 2017
5 days ago by Rob VandenBrink (1 comment)

Investigating Off-Premise Wireless Behaviour (or, "I Know What You Connected To")
Feb 21st 2017
5 days ago by Rob VandenBrink (6 comments)

Hardening Postfix Against FTP Relay Attacks
Feb 20th 2017
6 days ago by Johannes (2 comments)

View All Diaries →

Latest Discussions

The format of BGP messages with routeviews
created Feb 22nd 2017
4 days ago by samara (0 replies)

Platform Markings on Headlines
created Feb 9th 2017
2 weeks ago by Anonymous (0 replies)

Automation Software, Consultant or Both?
created Jan 25th 2017
1 month ago by Anonymous (1 reply)

Importance of File Integrity Monitoring software
created Jan 18th 2017
1 month ago by Promisec (0 replies)

New Incident Response/Forensics tool : srum-dump.exe
created Jan 12th 2017
1 month ago by Mark (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
Oct 21st 2016
4 months ago by Johannes (9 comments)

Microsoft Patch Tuesday Delayed
Feb 18th 2017
1 week ago by Johannes (7 comments)

Critical Vulnerability in Cisco WebEx Chrome Plugin
Jan 24th 2017
1 month ago by Johannes (10 comments)

Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
Nov 29th 2016
2 months ago by Johannes (21 comments)

How was your stay at the Hotel La Playa?
Feb 18th 2017
1 week ago by Xme (7 comments)