During the year-long investigation carried out by researchers from Microsoft Security Intelligence, the cybercriminals behind the campaign changed obfuscation and encryption mechanisms every 37 days on average to avoid having their operation detected.
To further avoid detection, some of the code segments used in the campaign were not even present in the attachment itself and instead resided in a number of open directories.
Fake payment notices
This XLS.HTML phishing campaign uses social engineering to create emails that mimic the look of finance-related business transactions in the form of fake payment notices.
The campaign’s primary goal is credential harvesting. While it originally harvested usernames and passwords, its more recent iteration has also started collecting other information, such as IP addresses and locations, which the cybercriminals behind it use as the initial entry point for later infiltration attempts.
Although XLS is used in the attachment file to prompt users to expect an Excel file, opening the attachment instead launches a browser window that takes potential victims to a fake Microsoft Office 365 login page. A dialog on the page prompts users to log in again because their access to the Excel document has supposedly timed out. However, if a user does enter their password, they will then receive a fake note saying that the submitted password is incorrect, while an attacker-controlled phishing kit running in the background harvests their credentials.
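A mail-filter check for the lure described above, as an added example that is not part of the original article or Microsoft's research. It assumes the XLS marker appears as the extension just before `.html` in the attachment's file name; the extension lists, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption: extensions that make a file look like a document, and
# extensions that a mail client hands to the browser when opened.
DOC_EXTS = {".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".pdf"}
WEB_EXTS = {".html", ".htm", ".shtml"}

def is_disguised_html(filename):
    """True when the last extension is browser-rendered but the one just
    before it suggests a document, e.g. 'invoice.xls.html'."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in WEB_EXTS
            and suffixes[-2] in DOC_EXTS)

def flag_attachments(raw_message):
    """Return the file names of all MIME parts in a raw message that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches nested multiparts
        name = part.get_filename()
        if name and is_disguised_html(name):
            hits.append(name)
    return hits

def build_sample():
    """Constructed sample: one disguised HTML attachment, one benign file."""
    m = EmailMessage()
    m["Subject"] = "Payment notice"
    m.set_content("Please see the attached payment notice.")
    m.add_attachment("<html><body>placeholder</body></html>",
                     subtype="html", filename="Payment_Notice.xls.HTML")
    m.add_attachment(b"col1,col2\n", maintype="application",
                     subtype="octet-stream", filename="report.v2.csv")
    return m.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

A name match only covers the disguise; it says nothing about the encoded HTML inside the file, so it works best as one signal among several in attachment filtering.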
What sets this campaign apart is that the cybercriminals behind it went to great lengths to encode the HTML file in such a way as to bypass security controls. As always, users should avoid opening emails from unknown senders, especially when they require them to log in to an online service to access a file or request that they enable macros.