Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Dynamite Phishing SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Dynamite Phishing

Last week I ran across a very successful phishing campaign, what’s odd in most ways it was nothing special. The attacker was using this more like a worm, where stolen credentials would be used within the hour to start sending out a mass amount of more phishes. I've decided to call this "Dynamite Phishing" because there is nothing quiet about this at all. It seems about 40% of the credentials were used for more mailings, and the other account's credentials had not been used.

The initial phishes came in from a K12 domain from several affected individuals. The email subject was  “You have an Incoming Document Share With You Via Google Docs”. The contents of the email were base64 encoded, while it appears to be common Content-Transfer-Encoding, it's not something I typically run into especially when looking at Phishes.

Here is what the Document rendered as.


Screen Shot 2017-02-22 at 12.49.22 PM.png


The link in the document went to "hxxp://" which went to hxxp://

The landing page was setup as a generic Outlook Web Access 2013 login page.

Some of the headers had the below client listed.  It appears the EM_Client is a pretty popular email client, but it maybe something you can block on depending on your environment.

user-agent: eM_Client/7.0.27943.0

While most people have good protections from Emails coming from external entities into their email environment, many don’t push the same protections intra-domain.  The volume of email sent from the Phished accounts to other Internal accounts is what made this so successful.


Lessons Learned:

  • Two-factor Authentication to Email services.
  • Don’t trust internal-to-internal email
  • Rate limit or block emails with X-number of recipients inbound and outbount




Tom Webb



59 Posts
ISC Handler
Feb 27th 2017

Sign Up for Free or Log In to start participating in the conversation!