SUCURILABS

Threat Insights 0x2C: A Smuggler's Tale

October 25, 2024

Last Week's Phishing Campaigns

Last week's phishing campaigns were quite deceptive, with threat actors using HTML smuggling to harvest user credentials. In this latest wave, attackers disguise HTML files as common document attachments. These files include realistic forms that mimic well-known services, prompting users to enter login information. Here’s a closer look at three phishing emails that use this method to steal credentials.

Adobe Cloud Storage Impersonation

Email 1

  • Rating: ★★☆☆☆
  • Date: 2024-10-25
  • Objective: Credential harvesting
  • Analyst: José Morim

The first phishing email pretends to be a message from a payment provider with an attached “PDF” file labeled as payment details. However, this attachment is actually an HTML file designed to look like an Adobe Cloud Storage service with a login form.

Page 1

When the recipient opens it, they are asked to enter their credentials to “view” the document. Once the user submits the form, their credentials are immediately sent to the attacker via Telegram.

Fake OneDrive Payment Confirmation

Email 2

  • Rating: ★★☆☆☆
  • Date: 2024-10-23
  • Objective: Credential harvesting
  • Analyst: José Morim

The second email takes the form of a payment confirmation, with an attached file labeled as a PDF. This attachment, however, is another HTML file, disguised to resemble a OneDrive login page.

Page 2

Victims are prompted to enter their credentials to access the “payment details.” Instead of confirming any payment, this action sends the victim’s credentials straight to the attacker.

Adobe Acrobat Reader Delivery Notification

Email 3

  • Rating: ★★★☆☆
  • Date: 2024-10-22
  • Objective: Credential harvesting
  • Analyst: José Morim

The third phishing email claims to be a DHL package delivery notification with an attachment that is an HTML file. When opened, this file displays a form styled to look like the Adobe Acrobat Reader interface, prompting the user to log in to view their “package delivery details.”

Page 3

Victims who enter their credentials unwittingly hand over their login information to the attacker.
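As an added defender-side example (not code from the SucuriLabs post), the following Python triage routine checks a single email attachment for the pattern shared by the three samples above: a file labelled as a PDF whose bytes are actually HTML, a login form containing a password field, and an embedded exfiltration endpoint such as the Telegram bot sendMessage API or a hosted form collector. The sample attachment, its filename and the bot token inside it are constructed placeholders.

```python
import re

# A genuine PDF starts with "%PDF-"; a smuggled HTML file carries markup instead.
PDF_MAGIC = b"%PDF-"
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<form", b"<body")

# Exfiltration endpoint shapes observed in this campaign. The Telegram token part is
# matched generically; no real bot token is embedded in this example.
EXFIL_PATTERNS = [
    ("telegram-bot-api",
     re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendMessage", re.I)),
    ("nocodeform", re.compile(r"https?://nocodeform\.io/f/[0-9a-f]+", re.I)),
]
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+", re.I)
PASSWORD_INPUT_RE = re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.I)
FORM_ACTION_RE = re.compile(rb"<form[^>]+action\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose name says PDF but whose body is a credential-harvesting HTML page."""
    reasons = []
    head = data.lstrip()[:1024]
    looks_pdf = head.startswith(PDF_MAGIC)
    looks_html = any(marker in head.lower() for marker in HTML_MARKERS)
    claims_pdf = ".pdf" in filename.lower()  # covers "invoice.pdf" and "invoice.pdf.html"
    if claims_pdf and looks_html and not looks_pdf:
        reasons.append("declared PDF but content is HTML (HTML smuggling)")
    if looks_html and PASSWORD_INPUT_RE.search(data):
        reasons.append("HTML attachment contains a password field (credential form)")
    for match in FORM_ACTION_RE.finditer(data):
        action = match.group(1).decode("latin-1")
        if action.lower().startswith("http"):
            reasons.append(f"form posts to external URL: {action}")
    for url in sorted({u.decode("latin-1") for u in URL_RE.findall(data)}):
        for label, pattern in EXFIL_PATTERNS:
            if pattern.search(url):
                reasons.append(f"known exfil endpoint ({label}): {url}")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample mimicking the campaign: a fake "PDF" that is really a login form
# whose script holds a Telegram bot endpoint (placeholder token, not a real one).
SAMPLE_NAME = "Payment_Details.pdf.html"
SAMPLE_HTML = b"""<!DOCTYPE html><html><body>
<form id="f"><input type="email" name="u"><input type="password" name="p"></form>
<script>var dest = "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage";</script>
</body></html>"""
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_NAME, SAMPLE_HTML))
    print(triage_attachment("invoice.pdf", BENIGN_PDF))
```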

Indicators Of Compromise

TYPE   OBSERVABLE
URL    hxxps[://]api[.]telegram[.]org/bot8071487066:AAFQJ6CIeqCGB61Z_qb5CPIRdwnMQjAqkoc/sendMessage
URL    hxxps[://]nocodeform[.]io/f/671776eb2b0677ec1d04cc64
URL    hxxps[://]stimutompia[.]com/Wyqwimkx/feedback[.]php
FILE   3070afe87f864e601879b58860f9ef3d7d28acbe5d3045985c5325a9197eb4df
FILE   b419b00888f36655e1d0568a1c24a25954f3bc032d7106511312b277e2c2b735
FILE   bcb63feef4cc7516b8c497429b51a882d0fc3eba03499187fab06754cab6698c

Keep up with Threat Insights

Threat Insights is a weekly series where we present you with analysis from samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!


Copyright © 2024-2025 SUCURILABS Lda. All rights reserved.