This summer, we reported that hackers were bypassing Office 365 EOP and ATP with an ingeniously simple attack that uses HTML attachments in email to launch phishing pages. Months later, Microsoft Security has yet to resolve the issue. In order to block MetaMorph, your email security needs to be able to scan malicious links embedded in <meta> tags within HTML attachments.

How the attack works

Security engineer and customer support specialist Nick Ponturo demonstrates how hackers configure and execute the MetaMorph attack.


Indicators of Compromise (IOCs)

IP 

37.111.130.203 

IP

81.169.146.213

URL

http://mototamburi. [com] /wp-content/http/Vcenter/Listen/McrSoft/VM/

Email

apache.serv.ssl.appdcxdcpxma1.notifications@post.webmailer.de

Domain

post.webmailer.de

Domain

hotsocks-ev.de

SMTP Server

cg4-p07-ob.smtp.rzone.de

**Avanan clients are protected from the MetaMorph attack.

Immediate Recommendations

  • Be suspicious of any email that contains an HTML or .htm attachment.
  • Admins should consider blocking HTML attachments and treating them just like executables (.exe, .cab). 

For a deep dive on HTML attachment attacks, check out our other blog, “HTML Attachments: The Latest Phishing Trend Targeting Office 365.” 

Try Avanan