Another day, another invoice scam. This time the fake invoice is actually a malicious HTML file. Despite this being a very basic credential-harvesting attack, it was missed by Proofpoint.

Here's what it looks like:


The attachment is an HTML file that is masquerading as an .xlsx document. When a user downloads and launches the file, they will be presented with a login page with the victim’s email address already filled in.


If the victim continues and enters their password (or any password), they will be taken to this landing page, hosted on a German domain.


This malicious file bypassed the SEG's detection in one basic way: the JavaScript that launched the malicious login page was obfuscated with percent-encoding.


This encoding prevented the SEG's filters from decoding the apparently meaningless text back into the malicious script.

Once decoded, the script launched a payload from this known malicious website:


That website has already been flagged by several security engines, yet SEGs are still allowing these malicious files to pass through their filters.


Avanan marked this email as malicious using our sophisticated sender reputation and relationship graph analysis, with an extra static layer of encoding detection. In other words, the sender is on a Russian domain with no prior relationship to this organization and is engaging in the highly suspicious behavior of sending an attachment that contains the JavaScript function unescape(). Avanan does not need to spend resources decoding every string in a file: the mere presence of encoding, combined with the other factors, is enough for the AI to determine that this email is malicious and should be quarantined immediately.
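As an added example (not Avanan's or Proofpoint's code), here is a small Python attachment scanner that applies both ideas from this brief: it flags the mere presence of unescape()/decodeURIComponent() applied to a percent-encoded string, and it also decodes that string, layer by layer, to surface the URL the script would actually load. The sample HTML, the harmless decoded payload and the `landing.example.invalid` host are constructed placeholders; no real indicator from this attack is included.

```python
import re
from urllib.parse import unquote

# Constructed sample reproducing the *structure* of the attachment described
# above: an HTML file whose <script> passes a percent-encoded string to
# unescape(). The decoded payload is a harmless placeholder tag pointing at
# a reserved, non-resolving hostname (RFC 2606 ".invalid"), not the real one.
PAYLOAD_PLAIN = '<script src="https://landing.example.invalid/loader.js"></script>'
SAMPLE_HTML = (
    "<html><body>"
    "<script>document.write(unescape('"
    + "".join(f"%{b:02X}" for b in PAYLOAD_PLAIN.encode())
    + "'))</script></body></html>"
)
# Constructed benign control: a script with no decoder call and no encoding.
BENIGN_HTML = "<html><body><script>var total = 1;</script></body></html>"

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
DECODER_RE = re.compile(r"\b(unescape|decodeURIComponent|decodeURI)\s*\(", re.I)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s\"'<>]*)?", re.I)


def percent_ratio(text):
    """Fraction of the text made up of %XX escape sequences (0.0 .. 1.0)."""
    if not text:
        return 0.0
    return 3 * len(PCT_RE.findall(text)) / len(text)


def decode_layers(text, max_depth=5):
    """Percent-decode repeatedly until the text stops changing.

    Returns (decoded_text, number_of_layers_removed). Bounding the depth keeps
    a deliberately deep nesting from turning the scanner into a CPU sink.
    """
    current, depth = text, 0
    while depth < max_depth:
        nxt = unquote(current)
        if nxt == current:
            break
        current, depth = nxt, depth + 1
    return current, depth


def analyze_attachment(html):
    """Static scan of an HTML attachment for encoded-script indicators."""
    findings = {
        "decoder_calls": [],      # unescape()/decodeURIComponent() seen in scripts
        "max_percent_ratio": 0.0, # how much of the densest script is %XX noise
        "decode_depth": 0,        # most encoding layers stripped from any script
        "hidden_urls": [],        # URLs visible only after decoding
    }
    for script in SCRIPT_RE.findall(html):
        findings["decoder_calls"] += [m.group(1) for m in DECODER_RE.finditer(script)]
        findings["max_percent_ratio"] = max(findings["max_percent_ratio"], percent_ratio(script))
        decoded, depth = decode_layers(script)
        findings["decode_depth"] = max(findings["decode_depth"], depth)
        raw_urls = set(URL_RE.findall(script))
        findings["hidden_urls"] += [u for u in URL_RE.findall(decoded) if u not in raw_urls]

    # Cheap verdict in the spirit of the brief: a decoder call applied to a
    # mostly-encoded blob is suspicious on its own; a URL that only appears
    # after decoding is suspicious regardless of which decoder is used.
    suspicious = (
        bool(findings["decoder_calls"]) and findings["max_percent_ratio"] >= 0.3
    ) or bool(findings["hidden_urls"])
    findings["verdict"] = "quarantine" if suspicious else "allow"
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        result = analyze_attachment(doc)
        print(label, result["verdict"], result["decoder_calls"], result["hidden_urls"])
```

The decoded URL list is what a reviewer would hand to threat intel or a URL reputation lookup; the decoder-call and ratio checks are the "static layer" that fires before any decoding work is done, which is the point the brief makes about not needing to decode every string.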
