| Category | Details |
|---|---|
| Threat Actors | Unknown; potentially a new Phishing-as-a-Service framework. |
| Campaign Overview | Mass phishing campaign combining HTML smuggling, Iframe injection, and session theft via a transparent proxy. |
| Target Regions/Victims | Likely targeting Outlook users; specific regions not detailed. |
| Methodology | Phishing emails with HTML file payloads that render an iframe of the Outlook login portal proxied through attacker-controlled infrastructure, enabling credential harvesting and MFA bypass. |
| Product Targeted | Microsoft Outlook and Outlook on the web (OWA, formerly Outlook Web Access). |
| Malware Reference | HTML smuggling payload file (hash: 18470571777CA2628747C4F39C8DA39CA81D1686820B3927160560455A603E49). |
| Tools Used | Custom JavaScript within HTML files; potential use of new Phishing-as-a-Service framework (not confirmed). |
| Vulnerabilities Exploited | No software vulnerability; MFA is defeated by an Adversary-in-the-Middle (AitM) proxy that relays the genuine sign-in flow inside an iframe, so the victim completes MFA against the real portal and the attacker captures the resulting session cookie. |
| TTPs | HTML smuggling (payload carried inside an HTML attachment and assembled in the browser), iframe injection, Adversary-in-the-Middle attack, session theft, MFA bypass, theft of web session cookies, dynamic document.write() calls that inject the malicious markup at runtime. |
| Attribution | Unattributed; Huntress suspects a novel technique or tool. |
| Recommendations | Avoid opening unexpected HTML attachments; verify the URL in the browser address bar before entering credentials (an iframe's real address is not shown there, and a locally opened attachment shows a file:// path); escalate suspicious activity to security teams; use endpoint and identity telemetry for detection; report suspected incidents to Huntress or the relevant security entities. |
| Source | Huntress Blog |
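The triage script below is an added example, not Huntress's code or anything from the campaign itself: it statically scans an HTML attachment for the loader pattern summarised in the table (a base64 payload decoded with atob() and injected via document.write(), containing an iframe whose host is not a Microsoft sign-in host). The allowlist of Microsoft login hosts, the lookalike proxy host, the sample payload and the scoring thresholds are all constructed for illustration.

```python
"""Static triage of an HTML e-mail attachment for HTML-smuggling indicators.

Added example, not Huntress's code. The host allowlist, the sample payload
and the scoring below are constructed assumptions for illustration.
"""
import base64
import re
from urllib.parse import urlparse

# Hosts a genuine Microsoft sign-in flow is served from (illustrative
# allowlist; federated tenants may legitimately redirect elsewhere).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
    "outlook.office.com",
    "outlook.office365.com",
}

# Loader primitives typical of HTML smuggling: payload carried as base64,
# decoded in the browser and written into the DOM at runtime.
JS_INDICATORS = {
    "document.write": re.compile(r"document\.write(?:ln)?\s*\(", re.I),
    "atob": re.compile(r"\batob\s*\(", re.I),
    "blob": re.compile(r"\bnew\s+Blob\s*\(|URL\.createObjectURL\s*\(", re.I),
    "innerHTML": re.compile(r"\.innerHTML\s*=", re.I),
}
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# A base64 run long enough to plausibly hold markup rather than a short token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _decode_b64_blobs(text):
    """Return decoded base64 runs that look like markup (binary is ignored)."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            s = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except Exception:
            continue
        if "<" in s and ">" in s:
            decoded.append(s)
    return decoded


def scan_html(html, depth=0, max_depth=3):
    """Scan HTML and, recursively, any base64-smuggled HTML it contains."""
    report = {"indicators": set(), "iframe_hosts": set(), "foreign_iframes": []}
    for name, pat in JS_INDICATORS.items():
        if pat.search(html):
            report["indicators"].add(name)
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname or ""
        report["iframe_hosts"].add(host)
        # Exact-host comparison: a lookalike such as
        # login.microsoftonline.com.<proxy> is NOT in the allowlist.
        if host and host not in MICROSOFT_LOGIN_HOSTS:
            report["foreign_iframes"].append(src)
    if depth < max_depth:
        for inner in _decode_b64_blobs(html):
            report["indicators"].add("base64_html_payload")
            sub = scan_html(inner, depth + 1, max_depth)
            report["indicators"] |= sub["indicators"]
            report["iframe_hosts"] |= sub["iframe_hosts"]
            report["foreign_iframes"] += sub["foreign_iframes"]
    return report


def verdict(report):
    """Decode-and-write plus an iframe to a non-Microsoft host scores high."""
    ind = report["indicators"]
    smuggling = "base64_html_payload" in ind and bool(
        ind & {"document.write", "innerHTML", "blob"})
    if smuggling and report["foreign_iframes"]:
        return "high"
    if smuggling or report["foreign_iframes"]:
        return "medium"
    return "low"


# Constructed sample: the smuggled markup is an iframe to a lookalike host
# (assumed name), wrapped in a loader that decodes and writes it at runtime.
_INNER = ('<iframe src="https://login.microsoftonline.com.example-proxy.test'
          '/common/oauth2/authorize" style="border:0;width:100%;height:100%">'
          '</iframe>')
SAMPLE_PAYLOAD = ('<html><body><script>var p="'
                  + base64.b64encode(_INNER.encode()).decode()
                  + '";document.write(atob(p));</script></body></html>')
# Constructed benign attachment for comparison.
BENIGN_SAMPLE = ('<html><body><p>Your invoice is attached.</p>'
                 '<a href="https://outlook.office.com/mail/">Open</a></body></html>')

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PAYLOAD), ("benign", BENIGN_SAMPLE)):
        r = scan_html(doc)
        print(label, verdict(r), sorted(r["indicators"]), sorted(r["iframe_hosts"]))
```

This is a first-pass triage, not a sandbox: it catches the plain atob()/document.write() loader the table describes, but string splitting, `window["document"]["write"]`, or a payload fetched at runtime rather than embedded will evade the regexes, so a "low" verdict should not clear an attachment on its own. Note also that the exact-host check is deliberate: suffix or substring matching would accept `login.microsoftonline.com.example-proxy.test` as Microsoft.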
Disclaimer: The above summary has been generated by an AI language model.