Vade’s Threat Intelligence and Response Center (TIRC) detected a new Microsoft 365 phishing campaign delivered via a malicious HTML attachment that loads a fake authentication form hosted on glitch.me. The operation uses base64-encoded payloads, JavaScript in the HTML, and external infrastructure to harvest credentials and mislead users. #eevilcorp #Hawkeye
Keypoints
- The Threat Intelligence and Response Center (TIRC) detected a new Microsoft 365 phishing email with a malicious HTML attachment.
- The HTML file contains JavaScript designed to collect the victim’s email address and modify the page content via a callback.
- Decoded base64 strings reveal a malicious domain (eevilcorp.online) used to host phishing resources and to load the malicious form.
- Phishing pages are hosted on glitch.me, a platform used by unknown actors to host HTML pages for credential harvesting.
- The campaign references an authentication page linked to Hawkeye/HawkEye concepts, suggesting credential harvesting through a fake Microsoft 365 form.
- Evidence points to additional malware activity, including files such as edge_driver.js and Paystub-382023.html, which may indicate further payload distribution from the HTML page.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – An email delivered a malicious HTML attachment to harvest data. Quote: “The malicious HTML file contained JavaScript code designed to collect the email address of the victim and update the page with the content of the variable data used in a callback function.”
- [T1059.007] JavaScript – The HTML relies on in-page JavaScript to execute data collection and content manipulation. Quote: “The malicious HTML file contained JavaScript code designed to collect the email address of the victim and update the page with the content of the variable data used in a callback function.”
- [T1566.003] Phishing: Credential Harvesting – The attackers use a fake authentication form to capture credentials. Quote: “The output from eevilcorp[.]online/activity/open was a JSON object containing the HTML/JavaScript source code to generate the malicious Microsoft 365 authentication form.”
- [T1583] Acquire Infrastructure – Unknown phishers leveraged glitch.me to host malicious HTML pages. Quote: “Unknown phishers have leveraged the platform glitch.me to host malicious HTML pages.”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscation techniques in the JavaScript payload raise suspicion. Quote: “Even if the file edge_driver.js is not flagged as malicious on VirusTotal, we observed classical functions used to obfuscate payloads in JavaScript rendering the file suspicious at least.”
- [T1132] Data Encoding – Base64-encoded strings are decoded to reveal domains and URLs used in the attack. Quote: “We decoded the base64 encoded string: Input: aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT0xMCZtZW1lPUYtMDAwNjAmcGVlcj15b3VuZ19tdWx0aXBsZQ==”
Indicators of Compromise
- [Domain] Phishing-related domains – periodic-checker[.]glitch[.]me, eevilcorp[.]online, ultimotempore[.]online, and 7 other domains
- [URLs] Phishing page URLs – hxxps[://]ultimotempore[.]online/services/gbm_office[.]php, hxxps[://]ultimotempore[.]online/services/ryan_office[.]php
- [File name] Potential dropper/linkage files – Paystub-382023.html, edge_driver.js
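The two analysis steps the report describes, decoding base64 strings embedded in the HTML attachment (the Data Encoding item above) and checking the recovered hosts against the published indicators (the IoC list above), can be scripted for triage. The following is an added example, not code from Vade or from the campaign: the base64 input is the one quoted in the report with its line break removed, the IoC domains are the three named on this page, and the HTML markup around the string, the second base64 value and all function names are constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample standing in for the malicious HTML attachment.
# The first base64 string is the one quoted in the report (with the
# extraction line break removed); the markup around it and the second
# string are made up for this example.
SAMPLE_HTML = """<html><body>
<script>
var target = atob("aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT0xMCZtZW1lPUYtMDAwNjAmcGVlcj15b3VuZ19tdWx0aXBsZQ==");
var title = atob("TWljcm9zb2Z0IDM2NSBzaWduLWlu");
</script>
</body></html>"""

# Domains from the report's IoC list, defanged as published.
IOC_DOMAINS = [
    "periodic-checker[.]glitch[.]me",
    "eevilcorp[.]online",
    "ultimotempore[.]online",
]

# A run of base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def refang(indicator: str) -> str:
    """Turn a published indicator back into its live form for comparison."""
    return indicator.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def defang(url: str) -> str:
    """Rewrite a live URL into the hxxp[://]host[.]tld form used in IoC lists."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]", 1).replace(".", "[.]")


def decode_base64_strings(html: str) -> list[str]:
    """Decode every base64 token in the HTML that yields printable ASCII."""
    found = []
    for match in B64_TOKEN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            # Not valid base64, bad padding, or a binary payload: skip it.
            continue
        if text.isprintable():
            found.append(text)
    return found


def extract_urls(decoded: list[str]) -> list[str]:
    """Keep only decoded strings that are http(s) URLs."""
    return [s for s in decoded if s.startswith(("http://", "https://"))]


def match_iocs(urls: list[str], ioc_domains: list[str]) -> list[tuple[str, str]]:
    """Pair each URL with the IoC domain its host equals or is a subdomain of."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for ioc in ioc_domains:
            live = refang(ioc).lower()
            if host == live or host.endswith("." + live):
                hits.append((defang(url), ioc))
    return hits


def triage(html: str, ioc_domains: list[str]) -> dict:
    """Summarise embedded URLs (defanged) and which ones hit the IoC list."""
    urls = extract_urls(decode_base64_strings(html))
    return {
        "decoded_urls": [defang(u) for u in urls],
        "ioc_hits": match_iocs(urls, ioc_domains),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, IOC_DOMAINS).items():
        print(key, value)
```

Decoded output is defanged before it is reported so that a triage note or ticket never carries a live link to the phishing infrastructure; the subdomain check in `match_iocs` is what lets a single entry such as `eevilcorp[.]online` also cover hosts beneath it.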
Read more: https://www.vadesecure.com/en/blog/m365-phishing-email-analysis-eevilcorp