Autopsy of a phishing attempt

In which I pretend to know stuff about security and email. And whine about Microsoft (although I didn’t mean to when I started to write this post).

Quick, let’s retrieve our messages before Something Bad happens.

The bait

I can barely read this email. The syncing errors must be really bad (this is how the email is displayed in the Outlook client)
This is a much more credible phishing email. Still some grammatical errors, though (this is how the message appears in the Outlook web app)

The link

The link is definitely dodgy, but points to an MS-owned domain.

The hook

This looks almost like the real thing! (click here to compare — totally not a phishing attempt, I promise)
The dodgy page is served over HTTPS with a genuine Microsoft certificate. Hurray for wildcards (and Azure static hosting): the certificate vouches for the hosting domain, not for whoever set up the page under it.
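To make the wildcard point concrete, here is an added example (mine, not code from the post) of the hostname matching a browser performs against a wildcard certificate, and of the exact-host check that a green padlock never does for you. The SAN `*.web.core.windows.net`, the attacker hostname and the "real" sign-in host are assumptions chosen for illustration, not values taken from the phishing page.

```python
from __future__ import annotations

# Constructed SAN list standing in for the Microsoft wildcard certificate the
# post describes; the exact hosting domain is an assumption on my part.
STATIC_HOSTING_CERT_SANS = ["*.web.core.windows.net"]

# The sign-in host a user expects for Office 365 (assumed for illustration).
REAL_LOGIN_HOSTS = {"login.microsoftonline.com"}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching as browsers apply it: the '*' must be
    the whole left-most label, matches exactly one label (no dots), and is
    refused for patterns with fewer than two labels to its right."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # only the '*.rest.of.name' form is accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no '*.net', and the wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN on the certificate is valid for hostname."""
    return any(wildcard_matches(san, hostname) for san in sans)


def is_expected_login_host(hostname: str) -> bool:
    """The check the padlock does not do: exact-match the host against the
    sign-in endpoints you actually trust, not the parent domain."""
    return hostname.lower().rstrip(".") in REAL_LOGIN_HOSTS


if __name__ == "__main__":
    attacker_host = "totally-not-phishing.web.core.windows.net"  # constructed
    print(cert_covers(STATIC_HOSTING_CERT_SANS, attacker_host))   # padlock shows
    print(is_expected_login_host(attacker_host))                  # but it is not the real host
```

Any tenant, the attacker included, gets a name under the wildcard, so "valid certificate from Microsoft" tells the user nothing about who runs the page; only the full hostname does.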

4K 4VR

Zoom on the fake login dialog. Notice that the “Password” placeholder and the email address are sharper than the rest of the text.
With regular HD, no discrepancies between the different text elements.

The source code

Source code of the page (inline CSS removed for brevity)

The payload

This is some tight crypto code. Don’t roll your own indeed.
At last, the payload of the fake login page

A closer look at the email

The body of the phishing email
The route the email took from sender to victim
X-Bluewin-Spam-Score: 0.00
[...]
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(7020095)(4652040)(5600074)(711020)(4605076)(4614076)(1401234)(71702078);SRVR:DB6PR0701MB2151;
[...]
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
SPF yields a soft fail, which does not stop Office 365 from delivering the message to the inbox.
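Here is an added example (mine, not part of the post) of pulling the authentication and spam-filter verdicts out of such headers and applying a stricter local policy than the one that let this message through. The `X-Microsoft-Antispam` and `SpamDiagnostic*` values reuse the ones quoted above; the `Authentication-Results` line, the sender addresses and the second, fully authenticated message are constructed for illustration, and treating a soft fail like a hard fail is a policy choice I am assuming, not Office 365 behaviour.

```python
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample headers (not the message from the post). The
# X-Microsoft-Antispam / SpamDiagnostic* lines reuse the values quoted above;
# the Authentication-Results line is assumed, shaped like an O365 soft fail.
SOFTFAIL_MSG = """\
Authentication-Results: spf=softfail (sender IP is 203.0.113.5)
 smtp.mailfrom=example.invalid; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=example.invalid;
X-Bluewin-Spam-Score: 0.00
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(7020095)(4652040)(5600074)(711020)(4605076)(4614076)(1401234)(71702078);SRVR:DB6PR0701MB2151;
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
From: "IT Helpdesk" <helpdesk@example.invalid>
To: victim@example.org
Subject: Action required: mailbox sync errors

Your messages could not be retrieved. Sign in to restore access.
"""

# A second constructed sample that is fully authenticated, for contrast.
AUTHENTICATED_MSG = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=example.org; dkim=pass (signature was verified)
 header.d=example.org;dmarc=pass action=none header.from=example.org;
X-Microsoft-Antispam: BCL:0;PCL:0;
SpamDiagnosticMetadata: NSPM
From: "Payroll" <payroll@example.org>
To: victim@example.org
Subject: March payslip

Attached.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def _int_field(header_value: str, key: str) -> int | None:
    """Pull an integer out of 'KEY:n;' style fields such as BCL:0;PCL:0;."""
    m = re.search(rf"\b{key}:(\d+)", header_value)
    return int(m.group(1)) if m else None


def triage(raw: str) -> dict:
    """Summarise the authentication and spam-filter verdicts of one message."""
    msg = message_from_string(raw)
    # Header folding leaves newlines inside the value; collapse them first.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    results = dict(AUTH_RESULT.findall(auth.lower()))
    antispam = msg.get("X-Microsoft-Antispam") or ""
    return {
        "from": msg.get("From"),
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "bcl": _int_field(antispam, "BCL"),
        "pcl": _int_field(antispam, "PCL"),
        "spam_metadata": (msg.get("SpamDiagnosticMetadata") or "").strip(),
    }


def should_quarantine(t: dict) -> bool:
    """Stricter than the default behaviour seen in the post (assumed policy):
    hold any message whose envelope sender soft-fails or fails SPF unless
    DMARC independently passes."""
    return t["spf"] in {"softfail", "fail", "permerror"} and t["dmarc"] != "pass"


if __name__ == "__main__":
    for raw in (SOFTFAIL_MSG, AUTHENTICATED_MSG):
        t = triage(raw)
        print(t["from"], "quarantine" if should_quarantine(t) else "deliver", t)
```

The soft-fail message carries BCL:0 and PCL:0 and is marked NSPM, so nothing in the spam verdict itself would have held it; only the authentication result gives a filter something to act on.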

Final thoughts

The good

The bad

The ugly

Post-scriptum