{"id":18247,"date":"2021-04-21T02:32:50","date_gmt":"2021-04-20T22:32:50","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/office-phishing-html-attachment\/18247\/"},"modified":"2021-04-21T02:33:09","modified_gmt":"2021-04-20T22:33:09","slug":"office-phishing-html-attachment","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/office-phishing-html-attachment\/18247\/","title":{"rendered":"Phishing tricks with Microsoft Office"},"content":{"rendered":"<p>With access to corporate e-mail, cybercriminals can perform <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/bec\/\" target=\"_blank\" rel=\"noopener\">business e-mail compromise<\/a>\u2013type attacks. That\u2019s why we see so many phishing letters directing corporate users to sign in to websites fashioned like the MS Office login page. And <em>that<\/em> means it\u2019s very important to know what to pay attention to if a link redirects to a page like that.<\/p>\n<p>Cybercriminals stealing credentials for Microsoft Office accounts <a href=\"https:\/\/www.kaspersky.com\/blog\/office-365-credentials-hunt\/36194\/\" target=\"_blank\" rel=\"noopener nofollow\">is nothing new<\/a>. However, the methods attackers use keep getting more advanced. Today, we\u2019re using a real-world case \u2014 a letter we actually received \u2014 to demonstrate best practices and to outline some of the new tricks.<\/p>\n<h2>New phishing trick: HTML attachment<\/h2>\n<p>A phishing letter normally contains a hyperlink to a fake website. As we say regularly, hyperlinks need careful examination both for general appearance and for the actual Web addresses they lead to (hovering over the URL reveals the target address in most mail clients and Web interfaces). Sure enough, once enough people had absorbed that simple precaution, phishers began replacing links with attached HTML files, the sole purpose of which is to automate redirection.<\/p>\n<p>Clicking on the HTML attachment opens it in a browser. 
As for the phishing aspect, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. It forces the browser to open the website in the same window.<\/p>\n<h2>What to look for in a phishing letter<\/h2>\n<p>New tactics aside, phishing is phishing, so begin with the letter itself. Here is the actual letter we received. In this case, it\u2019s a fake incoming voice message notification:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/21023259\/office-phishing-html-attachment-letter.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/21023259\/office-phishing-html-attachment-letter.png\" alt=\"A phishing letter\" width=\"714\" height=\"345\" class=\"aligncenter size-full wp-image-18248\"><\/a><\/p>\n<p>Before clicking on the attachment, we have a few questions to contemplate:<\/p>\n<ol>\n<li>Do you know the sender? Is it likely the sender would leave you a voice message at work?<\/li>\n<li>Is it common practice at your company to send voice messages by e-mail? Not that it is used much nowadays, but Microsoft 365 hasn\u2019t supported voice mail since January 2020.<\/li>\n<li>Do you have a clear idea what app sent the notification? MS Recorder is not part of the Office package \u2014 and anyway, Microsoft\u2019s default sound recording app, which could in theory send voice messages, is called Voice Recorder, not MS Recorder.<\/li>\n<li>Does the attachment look like an audio file? Voice Recorder can share voice recordings, but it sends them as .m3a files. Even if the recording comes from a tool unknown to you and is itself stored on a server, there should be a link to it, not an attachment.<\/li>\n<\/ol>\n<p>In summary: We have a letter from an unknown sender delivering an alleged voice message (a feature we never use) recorded using an unknown program, sent as an attached Web page. 
Worth trying to open? Certainly not.<\/p>\n<h2>How to recognize a phishing page<\/h2>\n<p>Suppose you did click on that attachment and landed on a phishing page. How can you tell it\u2019s not a legitimate site?<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/21023307\/office-phishing-html-attachment-site.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/21023307\/office-phishing-html-attachment-site.jpg\" alt=\"A phishing web page\" width=\"934\" height=\"738\" class=\"aligncenter size-full wp-image-18250\"><\/a><\/p>\n<p>Here is what to look at:<\/p>\n<ol>\n<li>Does the address bar content look like a Microsoft address?<\/li>\n<li>Do the links \u201cCan\u2019t access your account?\u201d and \u201cSign in with a security key\u201d direct you where they should? Even on a phishing page, they may well lead to real Microsoft pages, although in our case, they were inactive, a clear sign of fraud.<\/li>\n<li>Does the window look right? Microsoft normally has no problems with details such as background image scale. Glitches can happen to anyone, of course, but anomalies should raise a flag.<\/li>\n<\/ol>\n<p>In any case, if you have any doubt, look up <a href=\"https:\/\/login.microsoftonline.com\/\" target=\"_blank\" rel=\"nofollow noopener\">https:\/\/login.microsoftonline.com\/<\/a> to see what Microsoft\u2019s actual sign-in page looks like.<\/p>\n<h2>How to avoid getting hooked<\/h2>\n<p>To avoid giving up your Office account passwords to unknown attackers:<\/p>\n<ul>\n<li>Pay attention. Use our questions to avoid the simplest forms of phishing. 
To learn more tricks, try our <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">modern cyberthreat awareness training courses<\/a>;<\/li>\n<li>Protect employees\u2019 mailboxes with  to expose phishing attempts with hyperlinks or with attached HTML files, and <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security\/cloud?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kescloud___\" target=\"_blank\" rel=\"noopener\">endpoint protection<\/a> to prevent the opening of phishing sites.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kes-cloud\">\n","protected":false},"excerpt":{"rendered":"<p>If an incoming message asks you to sign in to your MS Office account, here\u2019s what to do. <\/p>\n","protected":false},"author":2598,"featured_media":18252,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1815,76],"class_list":{"0":"post-18247","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-e-mail","10":"tag-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/office-phishing-html-attachment\/18247\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/office-phishing-html-attachment\/22765\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/office-phishing-html-attachment\/9049\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/office-phishing-html-attachment\/24606\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/office-phishing-html-attachment\/22634\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/office-phishing-html-attachment\/21707\/"},{"hreflang":"es"
,"url":"https:\/\/www.kaspersky.es\/blog\/office-phishing-html-attachment\/25117\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/office-phishing-html-attachment\/24448\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/office-phishing-html-attachment\/30580\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/office-phishing-html-attachment\/9559\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/office-phishing-html-attachment\/39446\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/office-phishing-html-attachment\/16817\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/office-phishing-html-attachment\/17360\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/office-phishing-html-attachment\/14700\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/office-phishing-html-attachment\/26549\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/office-phishing-html-attachment\/30581\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/office-phishing-html-attachment\/26945\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/office-phishing-html-attachment\/23812\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/office-phishing-html-attachment\/29140\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/office-phishing-html-attachment\/28938\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.k
aspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18247"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18247\/revisions"}],"predecessor-version":[{"id":18251,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18247\/revisions\/18251"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18252"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}