Beware of new elaborate phishing methods

  • Posted on October 5, 2021
  • Estimated reading time 6 minutes

Email has always been a target for many kinds of attacks from threat actors, and phishing, together with its evil siblings spear phishing and whaling, is the most elaborate of them. Typically, attackers combine social engineering with carefully crafted emails to prompt users to click a link or download a file, which results either in data exfiltration or in the computer becoming part of a zombie botnet that attacks other computers and networks on the Internet.

Security vendors have different anti-malware and anti-phishing tools that protect businesses from phishing attacks. Many organizations also run regular anti-phishing training for their employees, as part of their security policy, to train end-users to recognize phishing messages and react accordingly.

Morse code and other encryption methods

The Microsoft Security Team recently published this article about a very subtle XLS.HTML phishing campaign.

The campaign uses social engineering: it sends crafty emails that mimic invoice or payment transactions from vendors. Each email carries an HTML attachment that links to a phishing kit, and the attachment's file name uses one of several variations of the xls.html double extension. When a user opens the attachment, a blurred Excel window appears with a prompt on top to re-enter the password. After the user enters his/her password, a note says that the password is incorrect; meanwhile, the phishing kit in the background has already harvested it. In May 2021, the campaign also introduced a module that harvests users' IP addresses and country data. This information, along with the credentials, can later be used in infiltration attempts.

XLS.HTML is a targeted phishing (spear phishing) campaign that constantly evolves to bypass email security controls by using multiple layers of obfuscation and encryption for its HTML and JavaScript files.

The HTML attachment sent to the campaign's victims consists of four segments:

  1. The email address of the victim
  2. A link to the logo of the victim's organization. If none is available, the company logo is replaced by the Office 365 logo.
  3. A script that loads an image of a blurred document and prompts the victim to sign in, because the previous sign-in has supposedly timed out.
  4. A script that harvests the victim's password by prompting the user to enter it and submitting it to a remote phishing kit. Once the password is collected, it displays a fake page with an error message to the victim.

The attackers constantly update the campaign's components. The original campaign in July 2020 used plaintext HTML with links to the segments listed above. In August 2020, the links to the script segments (3 and 4) were replaced with links to JavaScript hosted on a free JavaScript hosting site. Later iterations of the campaign introduced encryption and encoding of each segment using Escape, Base64, ASCII and even Morse code.
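To make the layered encoding concrete from the defender's side, here is an added Python example (not code from the Microsoft article, from Avanade, or from the campaign) that scans the script blocks of an HTML attachment, peels off recognisable encoding layers one at a time (percent-escape, String.fromCharCode arrays, Base64 and Morse code), and flags scripts that hide credential-related words under two or more layers. The sample attachment is constructed for this example; the layer order, the regular expressions and the indicator word list are this example's own assumptions, not the campaign's.

```python
"""Added example: peel stacked encodings out of an HTML attachment's scripts.

Constructed sample, not the campaign's code: a script string literal that is
percent-escaped, then Base64, then Morse code, and decodes to the word LOGIN.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# International Morse code for letters and digits (the layer the campaign used).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

MORSE_RE = re.compile(r"^[\s.\-/]+$")            # only dots, dashes, spaces, slashes
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")         # Base64 alphabet
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r'"([^"]{8,})"')           # quoted literals of 8+ characters
INDICATORS = ("password", "login", "signin", "sign-in")  # assumed credential keywords

# Constructed sample attachment (hypothetical, not a real campaign file).
SAMPLE_HTML = """<html><body>
<img src="blurred-invoice.png">
<script>var p = unescape("%4C%69%30uLiAtLS0gLS0uIC4uIC0u");</script>
<script>document.title = "Invoice 2021-09";</script>
</body></html>"""


def decode_one_layer(text):
    """Return (layer_name, decoded_text) if text is one recognisable encoding, else None."""
    s = text.strip()
    if re.search(r"%[0-9A-Fa-f]{2}", s):          # JavaScript escape()-style encoding
        out = unquote(s)
        if out != s:
            return ("percent-escape", out)
    m = CHARCODE_RE.search(s)                      # ASCII char-code arrays
    if m:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return ("charcode-array", "".join(chr(c) for c in codes))
    if MORSE_RE.match(s) and any(ch in s for ch in ".-"):
        words = []
        for word in s.split("/"):                  # "/" separates words, spaces separate letters
            words.append("".join(MORSE.get(tok, "?") for tok in word.split()))
        return ("morse", " ".join(words))
    compact = re.sub(r"\s", "", s)
    if len(compact) >= 8 and len(compact) % 4 == 0 and B64_RE.match(compact):
        try:
            decoded = base64.b64decode(compact, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            return ("base64", decoded)
    return None


def peel_layers(blob, max_depth=8):
    """Decode repeatedly until no recognisable layer remains; returns (layer_names, final_text)."""
    layers, current = [], blob
    for _ in range(max_depth):
        result = decode_one_layer(current)
        if result is None:
            break
        name, current = result
        layers.append(name)
    return layers, current


def analyse_html_attachment(html):
    """Peel each <script> block's longest string literal and flag deeply hidden credential words."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        literals = STRING_RE.findall(body)
        blob = max(literals, key=len) if literals else body
        layers, final = peel_layers(blob)
        hits = [k for k in INDICATORS if k in final.lower()]
        findings.append({
            "script": index,
            "layers": layers,
            "decoded": final,
            "indicators": hits,
            "suspicious": len(layers) >= 2 or (bool(layers) and bool(hits)),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_html_attachment(SAMPLE_HTML):
        print(finding)
```

The scanner reports the chain of layers it removed, so a SOC analyst can see at a glance that a "document" attachment wraps its script in three encodings before revealing a sign-in keyword; a legitimate invoice has no reason to do that. Real attachments would need a proper HTML parser and a wider indicator list, but the peel-until-stable loop is the reusable part.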

Take the following steps to defend your organization

To protect against the XLS.HTML phishing campaign (and similar campaigns), organizations need a strategic approach. We recommend that our clients start by protecting their Office 365 email with Microsoft Defender for Office 365. Organizations that have implemented Defender for Office 365 have the following features at their disposal:

  • Anti-phishing protection helps to detect attempts to impersonate an organization’s users and internal or custom domains by using machine learning models and advanced impersonation-detection algorithms.
  • Safe Attachments policies provide zero-day protection to safeguard Exchange Online by checking attachments for malicious content. This feature is extended to other Office 365 workloads as Safe Attachments for SharePoint, OneDrive and Microsoft Teams to protect user collaboration and file sharing by identifying and blocking malicious files.
  • Safe Links provides ongoing protection across Office 365 workloads by verifying URLs inside emails and files at the time users click them.
  • Zero-Hour Auto Purge (ZAP) provides seamless retroactive detection and neutralization of malicious phishing, spam, or malware messages (both read and unread) that have already been delivered to Exchange Online mailboxes.
  • Automated Investigation and Response (AIR) automatically reviews, prioritizes, and responds to alerts on well-known threats and provides recommendations on resolution. A security operations team can approve or reject the recommendations, freeing them to work on higher-priority tasks.
  • Threat Trackers provide the security operations team with information on security threats that may impact an organization. This includes Noteworthy Trackers – information about new threats that can help identify whether a tenant is at risk and implement recommended remediation as necessary.
  • Threat Explorer (also known as Real-time detections) provides information about potential threats that a tenant is subjected to, covering both email and content.
  • Attack Simulator lets you check and measure user awareness by running simulated attacks such as credential harvest, malware attachment and link to malware.
  • Campaign Views help identify the scope of phishing attacks and categorize, investigate and respond to them.

Microsoft Defender for Office 365 is available as Plan 1 and Plan 2. We recommend purchasing Plan 2, which includes all the features listed above and is available to our clients who have purchased one of these licenses: Windows 10 Enterprise E5, Microsoft 365 E5 Security, Microsoft 365 E5.

In addition to implementing Microsoft Defender for Office 365, we recommend that our clients add the following security best practices to their anti-phishing strategy:

  1. Protect identity by deploying Multi-Factor Authentication (MFA) for end users and privileged users. Additionally, we recommend enabling identity protection to protect the organization from risks like leaked passwords or malicious IP addresses.
  2. Use separate identities for privileged users. IT and Security team members should use separate user accounts for productivity and for systems administration work. This prevents malicious actors from obtaining the "keys to the kingdom" if they harvest credentials through phishing.
  3. Protect endpoints by deploying Microsoft Defender Antivirus and onboarding them to Defender for Endpoint. The Defender Antivirus client can detect the malicious attachment components used in the XLS.HTML campaign, and Microsoft 365 Security Center can show threat activity in an organization's network.
  4. Review and disable Office 365 anti-spam policies and mail flow rules that allow messages from particular senders, domains or IP addresses to bypass anti-spam checks. Instead, use public DNS records (MX, SPF, DKIM and DMARC) to validate senders, and let the anti-malware and anti-spam engines of Defender for Office 365 check the content of messages.
  5. Work with your user community. No matter how well-written security policies are or how advanced the implementation of security controls is, humans are always the weakest link in the information security chain. Educate your users by providing them with training on phishing. Use Attack Simulator to train them on how to react to phishing messages in real life.

If you need any further guidance, Avanade can help. Recognized as the Microsoft Security 20/20 winner for Zero Trust champion-SI, we can help you implement and manage your Microsoft security solutions.

Learn more about how Avanade is enabling clients to build resilience through a Zero Trust security strategy.
