Another day, another invoice scam. This time the fake invoice is actually a malicious HTML file. Despite this being a very basic credential-harvesting attack, it was missed by Proofpoint.
Here's what it looks like:
The attachment is an HTML file that is masquerading as an .xlsx document. When a user downloads and launches the file, they will be presented with a login page with the victim’s email address already filled in.
If the victim continues and enters their password (or any password), they will be taken to this landing page with a German domain.
The script embedded in the file was encoded, and this encoding prevented the SEG's filters from correctly decoding the gibberish text into the malicious script.
Once decoded, the script launched a payload from this known malicious website:
That website has already been detected by a few security engines yet SEGs are still allowing these malicious files to pass through their filters.
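Because the filters choked on the encoded layer rather than the decoded script, a useful defender-side check is to peel back the obfuscation before inspecting the attachment. The following is an added example written for this post, not the post's own code or any SEG's logic; the post does not name the encoding used, so the decoders here (base64 via `atob()`, percent-encoding via `unescape()`, `String.fromCharCode`) are assumed common layers, and the sample attachment, filename and hostname are constructed placeholders.

```python
import base64
import re
import urllib.parse

# Strings that, once the obfuscation is removed, indicate the page runs a script
# that rewrites the document or redirects the victim (assumed indicators).
SCRIPT_MARKERS = ("document.write", "eval(", "location.href", "window.location", "<script")

def _decode_layers(body: str) -> str:
    """Unwrap common JavaScript obfuscation layers and return the decoded text."""
    decoded = []
    for b64 in re.findall(r'atob\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)', body):
        try:
            decoded.append(base64.b64decode("".join(b64.split())).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError; skip malformed blobs
            pass
    for enc in re.findall(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', body):
        decoded.append(urllib.parse.unquote(enc))
    for codes in re.findall(r'String\.fromCharCode\(([\d,\s]+)\)', body):
        decoded.append("".join(chr(int(c)) for c in codes.split(",") if c.strip()))
    return "\n".join(decoded)

def triage_attachment(filename: str, body: str) -> dict:
    """Flag an attachment that is HTML but not named as such, and that hides a
    script behind an encoding layer. Returns the findings and any URLs seen."""
    findings = {"ext_mismatch": False, "encoded_script": False, "urls": []}
    looks_html = bool(re.search(r"<(html|script|body)\b", body, re.I))
    if looks_html and not filename.lower().endswith((".html", ".htm")):
        findings["ext_mismatch"] = True
    decoded = _decode_layers(body)
    if decoded and any(m in decoded.lower() for m in SCRIPT_MARKERS):
        findings["encoded_script"] = True
    findings["urls"] = sorted(set(re.findall(r"https?://[^\s'\"<>()]+", body + "\n" + decoded)))
    return findings

# Constructed sample: a harvesting page of the shape described above, wrapped in
# one base64 layer. The hostname is a placeholder, not an indicator from the post.
SAMPLE_DECODED = '<script>document.write(\'<iframe src="https://example.invalid/login?e=victim@corp.example">\')</script>'
SAMPLE_BODY = "<html><body><script>document.write(atob('%s'))</script></body></html>" % (
    base64.b64encode(SAMPLE_DECODED.encode()).decode())

if __name__ == "__main__":
    print(triage_attachment("Invoice_4471.xlsx", SAMPLE_BODY))
```

The URLs pulled from the decoded layer are what you would hand to reputation lookups, which is exactly the check the post notes already flags the payload host.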