Old Trick, New Twist

    I've seen quite a few good phishing emails and, generally speaking, the object is to get you to open or click on something. Oftentimes, clients will forward messages to me and ask for my opinion before opening and/or clicking. I got one of those emails and I moved it over to the burner machine for investigation. Maybe you've seen this particular approach, but it's a new one for me as far as seeing it in the wild. It looks like an attachment and it's from a known sender domain.

    Right off the bat, it seems suspicious because it got flagged on my end before it even got to me.  

    It's kind of generic in that the Excel spreadsheet is just titled Book1.xlsx, and the subject line, while technically correct, isn't exactly how I would have phrased it as a native US English speaker. Still, it's better than the typical phishing and spam I see.

    For obvious reasons, I had to blur out the information.

    When we mouse over the attachment, it turns out to be an embedded image with a hyperlink:

    Note that the URL is over HTTPS and the domain name is the same as the sender's, but the top-level domain (the extension) is different. You're going to have to trust me on the domain since you can't see it.
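    The two tells described above (an "attachment" that is really an image wrapped in a hyperlink, and a link host that reuses the sender's domain name under a different top-level domain) are simple enough to check mechanically before anyone clicks. The following is an added example, not code from the original post: it parses a constructed sample message (not the real email), pulls every link whose anchor contains an image, and compares the link host against the From: domain. The sample addresses and the `analyze_message` / `split_domain` names are assumptions for illustration. The domain split is deliberately naive (last two labels), so multi-label public suffixes such as co.uk would need a public-suffix list in real use.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example; the real email is not reproduced.
# The HTML body mimics the trick: an <a> around an <img> styled like an
# attachment card, pointing at the sender's name under a different TLD.
SAMPLE_EML = """\
From: Accounts <accounts@example-corp.com>
To: victim@example.org
Subject: Document Book1.xlsx is shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached spreadsheet.</p>
<a href="https://example-corp.net/download/Book1.xlsx">
  <img src="cid:book1.png" alt="Book1.xlsx" width="300">
</a>
<p><a href="https://example-corp.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class ImageLinkExtractor(HTMLParser):
    """Collect the href of every <a> element that contains an <img>."""

    def __init__(self):
        super().__init__()
        self._open_anchors = []   # hrefs of currently open <a> elements
        self.image_links = []     # hrefs whose anchor wraps an image
        self.all_links = []       # every href seen, for comparison

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            href = attrs.get("href", "")
            self._open_anchors.append(href)
            self.all_links.append(href)
        elif tag == "img" and self._open_anchors:
            href = self._open_anchors[-1]
            if href not in self.image_links:
                self.image_links.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_anchors:
            self._open_anchors.pop()


def split_domain(host):
    """Return (name, tld) using the last two labels; a simplification that
    does not understand multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def analyze_message(raw):
    """Parse a raw RFC 822 message and classify each image-wrapped link
    against the From: domain. Returns a list of finding dicts."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain
    sender_name, sender_tld = split_domain(sender_domain)

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    parser = ImageLinkExtractor()
    parser.feed(html)

    findings = []
    for href in parser.image_links:
        url = urlparse(href)
        host = url.hostname or ""
        name, tld = split_domain(host)
        if name == sender_name and tld == sender_tld:
            verdict = "same-domain"
        elif name == sender_name:
            verdict = "lookalike-tld"      # same name, different extension
        else:
            verdict = "foreign-domain"
        findings.append({
            "href": href,
            "scheme": url.scheme,
            "host": host,
            "sender_domain": sender_domain,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_message(SAMPLE_EML):
        print(f"{f['verdict']:14} {f['scheme']}://{f['host']}  "
              f"(sender: {f['sender_domain']})  {f['href']}")
```

    Run against the sample, the only image-wrapped link is the fake attachment, and it comes back as `lookalike-tld` over `https`; the plain-text "Unsubscribe" link on the sender's real domain is not reported because it wraps no image. The HTTPS scheme is recorded rather than treated as a trust signal, which is the point of the observation that follows.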

    The natural inclination of the user is to click the Download button, but since it's a link, it just opens the browser. Unfortunately, the site is down. I guess someone had already taken it down; DNS does not resolve for any query.

    I had previously mentioned that, with the proliferation of SSL certificates through Let's Encrypt, we'd see spam and phishing moving to HTTPS, and here we are. A little more attention to detail and this could snare a user.

    © 2020 sevenlayers.com