Office 365 phishing campaign uses publicly hosted JavaScript code

A new phishing campaign targeting Office 365 users cleverly tries to bypass email security protections by combining chunks of HTML code delivered via publicly hosted JavaScript code.

Office 365 phishing JavaScript

The phishing email and page

The subject of the phishing email says “price revision” and it contains no body – just an attachment (hercus-Investment 547183-xlsx.Html) that, at first glance, looks like an Excel document, but is actually an HTML document that contains encoded text pointing to two URLs located yourjavascript.com, a free service for hosting JavaScript, and a separate chunk of HTML code.

The first JavaScript file contains HTML code that opens the HTML tag and validates the email and password input of the victim, the second holds the body part of the HTML code and code that that triggers a popup message box.

These HTML code chunks are combined with a fifth one that was present in the HTML attachment, and open a browser pointed to the phishing page:

Office 365 phishing JavaScript

The code will contain the target’s email address and will populate the fake sign-in box to make the phishing page seem legitimate. The phishing page also validates email address format and password length, Trustwave SpiderLabs researcher Homer Pacag explained.

Once the victim submits the login credentials, they are effectively compromised, and the victim is shown a web page saying that they account or password info is incorrect and urges them to try to log in again.

Spotting phishing pages

Needless to say, you should always be careful when evaluating unsolicited emails and should not indiscriminately download and open attachments (or links) found in them.

You should also always look at the URL of any login page they are faced with and check whether it’s the same one they usually see when accessing an online service.

Aside from remembering passwords, password managers are also good at spotting phishing pages and will refuse to seamlessly enter login credentials that are supposedly required.

Don't miss