Skip to main content

Possible email phishing scam

Received email from HR today saying they think this may be a phishing email.

The email below:

Attached to the email:

A preview of the email attachment:

Let’s get a better look at the attachment.  First we will just open the attachment with a text viewer like Sublime Text. Then we will run msg-extrator to extract the .msg information:

remnux@remnux:~$ python3 -m extract_msg ‘/home/remnux/Desktop/Completed Scan Date Doc Copy 0613.2023 101109 (5.94 KB).msg’

The msg-extractor produced a plain text file with the following information:

Let’s look at the link that was extracted from the original .msg, first the raw html that was ran through a html beautifier:

Now let’s look at the page itself via a browser:

That looks legit, so let’s investigate a little more.  The image is a clickable link that opens up to a Office 365 login page with a couple interesting things.  I’m not going to walk through the whole process, just enough so you can check these out yourself.

Also ran the link via urlscan.io

 

Seems like the main site may have been a victum of a WordPress XSS Attack.

Site shows suspended according to urlscan.io, let’s dig a little deeper.

Was able to get more info via a FinalRecon 
FinalRecon found some interesting sub domains.

 

-jT

Next Post

Leave a Reply