A recent phishing campaign used a clever trick to deliver the fraudulent web page that collects Microsoft Office 365 credentials: the page is built from chunks of HTML code stored locally and remotely.
Hidden building blocks
Victims received an email with just an attachment claiming to be an Excel file (.XLSX) about an investment. In reality, the file was an HTML document with a chunk of URL-encoded text.
In one of them, the researchers found the beginning of the phishing page and code that validates the email and password from the victim.
The victim's email address is filled in automatically to give a sense of legitimacy. The phishing code also checks that the password is not blank and uses regular expressions to confirm that the email address is valid.
In a blog post today, Trustwave notes that the URL receiving the stolen credentials for this campaign is still active.
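For mail-gateway or SOC triage, the attachment described above (an ".XLSX" that is really HTML carrying URL-encoded text) can be flagged by content rather than by name. The following is an added example, not code from Trustwave or the campaign; the thresholds, the file name, the sample markup and the `example.invalid` URL are constructed assumptions.

```python
import re
from urllib.parse import quote, unquote

ZIP_MAGIC = b"PK\x03\x04"  # a genuine .xlsx is a ZIP (OOXML) container
HTML_HINT = re.compile(r"<\s*(?:!doctype|html|script|body)\b", re.I)
# A token carrying at least 8 percent-escapes: the "chunk of URL-encoded text"
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}[^\s\"'<>%]*){8,}")
REMOTE_REF = re.compile(r"(?:src|href|action)\s*=\s*[\"']?(https?://[^\s\"'<>]+)", re.I)
PASSWORD_FIELD = re.compile(r"type\s*=\s*[\"']?password", re.I)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment that claims to be .xlsx but is HTML with encoded parts."""
    text = data.decode("utf-8", errors="replace")
    findings = {
        # Extension says spreadsheet, bytes say HTML and not ZIP.
        "masquerade": filename.lower().endswith(".xlsx")
        and not data.startswith(ZIP_MAGIC)
        and bool(HTML_HINT.search(text[:4096])),
        "encoded_chunks": 0,
        "remote_refs": [],
        "password_field": False,
    }
    # Inspect the raw text plus one decoded layer per encoded chunk.
    layers = [text]
    for match in PCT_RUN.finditer(text):
        findings["encoded_chunks"] += 1
        layers.append(unquote(match.group(0)))
    for layer in layers:
        findings["remote_refs"] += REMOTE_REF.findall(layer)
        findings["password_field"] |= bool(PASSWORD_FIELD.search(layer))
    return findings


# Constructed sample: an HTML file whose real markup sits in an encoded string.
HIDDEN = ('<form><input type="password">'
          '<script src="https://cdn.example.invalid/part1.js"></script></form>')
SAMPLE = ('<html><script>var chunk = "' + quote(HIDDEN, safe="")
          + '";</script></html>').encode()

if __name__ == "__main__":
    print(triage_attachment("investment.xlsx", SAMPLE))
```

The remote reference and the password field only appear after decoding, which is why a scan of the raw attachment text alone misses them.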