SANS ISC: Internet Storm Center

XPS Attachment Used for Phishing

Published: 2018-06-22
Last Updated: 2018-06-22 07:03:31 UTC
by Lorna Hutcheson (Version: 1)

While phishing is never a good thing, it is interesting to see something different from the usual attempt. We received an email today from Earl Ruberts about a message his IT department received from the purchasing department of another company with which they have no relationship. The email carried an attachment with a .xps extension. Their scans of the attachment came back clean and the email did not appear to be spoofed. They contacted the sending company to ask whether it had sent the message and learned it was actively cleaning up an account compromise. Since the email and attachment were suspicious, Earl asked us to take a look. Here is the body of the email:

Using a VM, I took a quick look at the attachment in Notepad and it showed a structure that looked like an XPS file. The .xps extension stands for "XML Paper Specification", Microsoft's XML-based counterpart to PDF: an XPS file is a ZIP container (Open Packaging Conventions) holding XML parts that describe each fixed page. So I used Microsoft's built-in XPS Viewer to open the file, and this was where the phishing came into play. Here is what you see when you render the file:

The phishing folks use the ploy of a "Secure attached file" in the XPS file, since this is supposed to be a copy of a check and a "Payment Advice", to convince the victim that the sender is being careful with their check. The SharePoint references would also be convincing to people asked to retrieve files, since many businesses use SharePoint internally for exactly that purpose. The average user would probably click on this. The "OPEN FILE" portion is a hyperlink to hxxps://areticaempresarial[.]com[.]br/microsoftsharepoint/share.php

This continues the ploy by using "microsoftsharepoint" in the URL to help lure the victim into clicking. The URL is visible only when you hover over the link. If the user clicks it, they are presented with the following screen:
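Because an XPS file is a ZIP of XML parts and a clickable region is simply an element carrying a FixedPage.NavigateUri attribute, a gateway or sandbox can pull every link out of the package without rendering it, which is exactly what the "clean" scan above did not do. The following script is an added example, not code from the diary: it builds a minimal XPS package in memory (constructed test data that mimics the lure, with the reported URL un-defanged), checks that a file really is an XPS container rather than a renamed something-else, extracts every NavigateUri together with the text the victim would see, and flags external links that drop Microsoft brand words onto an unrelated host. The trusted-host suffixes and brand-word list are assumptions for this example; tune them to your tenant.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XPS_NS = "http://schemas.microsoft.com/xps/2005/06"
NAVIGATE_ATTR = "FixedPage.NavigateUri"   # unprefixed attribute per the XPS spec

# Assumed allow-list of hosts that legitimately serve SharePoint/Office content.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com", "live.com")
# Brand words a lure places in an unrelated URL to look legitimate (assumed list).
BRAND_WORDS = ("sharepoint", "microsoft", "office", "onedrive")

# The URL from the diary, un-defanged so urlparse can handle it.
SAMPLE_URL = "https://areticaempresarial.com.br/microsoftsharepoint/share.php"


def build_sample_xps(url: str) -> bytes:
    """Constructed test data: a minimal XPS package whose one page shows a
    'Secure attached file' line and an 'OPEN FILE' label wrapped in a link."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml"/>'
        "</Types>"
    )
    fpage = (
        f'<FixedPage xmlns="{XPS_NS}" Width="816" Height="1056" xml:lang="en-US">'
        '<Glyphs Fill="#FF000000" FontUri="/Resources/f1.odttf" FontRenderingEmSize="14" '
        'OriginX="72" OriginY="120" UnicodeString="Secure attached file - Payment Advice"/>'
        f'<Canvas {NAVIGATE_ATTR}="{url}">'
        '<Glyphs Fill="#FF0000FF" FontUri="/Resources/f1.odttf" FontRenderingEmSize="14" '
        'OriginX="72" OriginY="160" UnicodeString="OPEN FILE"/>'
        "</Canvas></FixedPage>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("Documents/1/Pages/1.fpage", fpage)
    return buf.getvalue()


def is_xps_package(data: bytes) -> bool:
    """Structural check: a ZIP carrying OPC content types and at least one
    fixed page. Cheaply rejects files that merely have a .xps extension."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and any(n.lower().endswith(".fpage") for n in names)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix


def _visible_text(elem) -> str:
    """The link label as the victim sees it: Glyphs UnicodeString values under
    the clickable element."""
    parts = [e.get("UnicodeString", "") for e in elem.iter() if _local(e.tag) == "Glyphs"]
    return " ".join(p for p in parts if p)


def assess_uri(uri: str) -> str:
    """Classify a NavigateUri. Anchors such as '#page2' and non-web schemes are
    benign here; external web links get a brand look-alike check."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() not in ("http", "https"):
        return "internal-or-non-web"
    host = (parsed.hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "trusted-host"
    if any(w in uri.lower() for w in BRAND_WORDS):
        return "suspicious-brand-lookalike"
    return "external"


def extract_links(data: bytes) -> list[dict]:
    """Walk every *.fpage part and return each NavigateUri target with the
    element type, the visible label and a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".fpage"):
                continue
            root = ET.fromstring(zf.read(name))
            for elem in root.iter():
                uri = elem.get(NAVIGATE_ATTR)
                if uri is None:
                    continue
                findings.append({"part": name, "element": _local(elem.tag),
                                 "label": _visible_text(elem), "uri": uri,
                                 "verdict": assess_uri(uri)})
    return findings


if __name__ == "__main__":
    sample = build_sample_xps(SAMPLE_URL)
    print("looks like XPS:", is_xps_package(sample))
    for f in extract_links(sample):
        print(f"{f['verdict']:27} {f['element']:7} {f['label']!r} -> {f['uri']}")
```

Point `extract_links` at the bytes of a real attachment and the lure above shows up as a Canvas whose label reads "OPEN FILE" and whose target is the areticaempresarial[.]com[.]br URL, tagged suspicious because "sharepoint" appears on a host that is not one. Two caveats: OpenXPS (.oxps) packages use a different namespace, so widen the check if you handle both, and for untrusted input in production parse with defusedxml rather than the standard library's ElementTree.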

The user is then asked for their password by a site with a nice Microsoft logo (it is SharePoint, right?), and if they followed the directions in the attachment they would hand over their "professional" email address and password.

It seems that we have a compromised account being used to send phishing emails in order to phish more account credentials from other victims. This could really wreak havoc on the partners of a company with one or more compromised accounts, and I would venture to guess that sending phish is not all the accounts are being used for, or will be used for in the future. Also, XPS isn't a file type that you see often today and probably isn't on the prohibited file extension list of most email gateways. If you aren't actively using it internally and you don't expect to receive that type of file from outside, I'd recommend blocking it on your email gateway; the OpenXPS variant (.oxps) opens in the same viewer and deserves the same treatment. This is also a great example of how important it is to train your employees to be suspicious of unexpected emails and to not just click on everything!


Lorna Hutcheson
ISC Handler
