Phishing Email Alerts
Catch of the Day: Another IONOS Phish
Chef’s Special: Excel XLL Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Another IONOS Phish
Here is another credential-stealing phish with a MAIL CLOSURE NOTICE threatening to put my emails “on hold,” whatever that means.
The Validate Now button resolves to http://bit.do/fTsj2firstname.lastname@example.org then is redirected to https://email@example.com. Here is the landing page.
When entering my fake password, this page gave me an incorrect password error.
VirusTotal flagged both of the URLs used in this exploit.
Cybercriminals are taking to more advanced functionality than traditional VBA scripting to both execute complex malicious actions via Excel and to obfuscate their true intention – phishing attacks.
If I had a nickel for every time I heard about a malware attack that used macros embedded in an Office document, I’d have quite a few nickels by now. It’s an age-old tactic that, to this day, remains an effective means to execute malicious code.
According to Wolf Security, they’ve seen this technique used in malware we’ve covered here in our blog, including Dridex, IcedID, BazaLoader, Agent Tesla, Raccoon Stealer, Formbook and Bitrat. And in Q4 of last year (the timeframe covered by their latest report), the presence of XLL files increased 588% over Q3.
Emails sent to potential victims include a malicious XLL file as the attachment. Clicking it launches Excel and prompts the user to install and activate the add-in.
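An XLL add-in is not a spreadsheet at all but a Windows DLL (it starts with the `MZ` PE header) that exports an `xlAutoOpen` function, which Excel calls the moment the add-in is activated. That gives a mail gateway or triage script something concrete to check for. The screening routine below is an added example written for this post; it is not code from the blog, from HP Wolf Security, or from any vendor product, and the four attachments it inspects are constructed byte strings, not samples from a real campaign. It flags anything using the `.xll` extension, any PE executable hiding behind a spreadsheet or document extension, and any PE that carries the `xlAutoOpen` export name.

```python
"""Screen e-mail attachments for Excel XLL add-ins.

Added example for this post (not the blog's own tooling). An XLL is a
PE DLL that Excel loads as an add-in; it begins with the 'MZ' magic and
exports xlAutoOpen, which Excel calls on load. All sample attachments
below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List

XLL_EXTENSIONS = {".xll"}          # extension Excel opens as an add-in
PE_MAGIC = b"MZ"                   # first two bytes of any Windows executable/DLL
XLL_EXPORT_MARKER = b"xlAutoOpen"  # export Excel invokes when the add-in loads


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Verdict:
    filename: str
    is_pe: bool            # data starts with the PE 'MZ' header
    claims_xll: bool       # filename ends in .xll
    has_xll_export: bool   # xlAutoOpen string present in the bytes
    reasons: List[str] = field(default_factory=list)

    @property
    def block(self) -> bool:
        """True when at least one rule fired and the attachment should be held."""
        return bool(self.reasons)


def _extension(name: str) -> str:
    """Return the lower-cased final extension, e.g. 'Invoice.pdf.xll' -> '.xll'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def screen_attachment(att: Attachment) -> Verdict:
    """Apply the three XLL indicators to one attachment and explain the result."""
    ext = _extension(att.filename)
    is_pe = att.data[:2] == PE_MAGIC
    claims_xll = ext in XLL_EXTENSIONS
    has_export = XLL_EXPORT_MARKER in att.data
    reasons: List[str] = []

    # Rule 1: the add-in extension itself is rarely legitimate in inbound mail.
    if claims_xll:
        reasons.append("attachment uses the .xll add-in extension")
    # Rule 2: a PE header under a non-executable name is a renamed binary.
    if is_pe and not claims_xll:
        reasons.append(f"PE executable disguised with extension '{ext or '(none)'}'")
    # Rule 3: the export Excel calls on activation identifies an XLL regardless of name.
    if is_pe and has_export:
        reasons.append("exports xlAutoOpen: Excel will run it when the add-in is activated")

    return Verdict(att.filename, is_pe, claims_xll, has_export, reasons)


def screen_message(attachments: List[Attachment]) -> List[Verdict]:
    """Screen every attachment of one message."""
    return [screen_attachment(a) for a in attachments]


# Constructed sample attachments (not real malware):
SAMPLES = [
    # a genuine-looking XLL: PE header plus the xlAutoOpen export name
    Attachment("Invoice_2022.xll", b"MZ" + b"\x90" * 64 + b"xlAutoOpen\x00" + b"\x00" * 32),
    # a real OOXML workbook is a ZIP container ('PK'), so it passes
    Attachment("report.xlsx", b"PK\x03\x04" + b"\x00" * 64),
    # an XLL renamed to look like a workbook: caught by the PE header and export
    Attachment("statement.xlsx", b"MZ" + b"\x00" * 64 + b"xlAutoOpen"),
    # harmless text
    Attachment("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for v in screen_message(SAMPLES):
        status = "BLOCK" if v.block else "allow"
        print(f"{status:5} {v.filename}: {'; '.join(v.reasons) or 'no XLL indicators'}")
```

The header and export checks matter more than the extension check: renaming an XLL to `.xlsx` defeats an extension-only filter, but the `MZ` bytes and the `xlAutoOpen` export survive the rename. In production the same three rules would sit behind a real attachment parser and, for the PE case, a proper export-table walk rather than a substring match.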
- [RELATED NEWS] MSFT Finally (!) blocking some macros by default: