Check Point Email Security | Blog

Update — HTML Attachment Attack on Office 365

Written by Nick Ponturo | December 13, 2019

This summer, we reported that hackers were bypassing Office 365 EOP and ATP with an ingeniously simple attack, MetaMorph, that uses HTML attachments in email to launch phishing pages. Months later, Microsoft Security has yet to resolve the issue. To block MetaMorph, your email security must be able to scan HTML attachments for malicious links embedded in <meta> tags.
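One way to perform the scan described above, as an added example (not code from this blog, Avanan or Microsoft): the Python below walks a message's attachments, decodes each HTML part, and returns the redirect target of every <meta http-equiv="refresh"> tag so it can be handed to a URL reputation check. It assumes the link is carried in a meta refresh tag; the sample message, the file name message.htm and the phish.example URL are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# URL portion of a refresh directive, e.g. content="0; url='http://host/'"
_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?\s*([^'\";>\s]+)", re.IGNORECASE)

class MetaRefreshFinder(HTMLParser):
    """Collects redirect targets from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):  # also called for <meta ... />
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            m = _REFRESH_URL.search(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))

def scan_message(raw):
    """Return (filename, redirect_url) for each meta refresh in an HTML attachment."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        finder = MetaRefreshFinder()
        finder.feed(body)
        hits += [(name, url) for url in finder.targets]
    return hits

# Constructed sample: a short text body plus an HTML attachment (hypothetical URL).
SAMPLE_HTML = ('<html><head><meta http-equiv="Refresh" '
               'content="0; URL=http://phish.example/login"></head></html>')

def build_sample(html=SAMPLE_HTML):
    msg = EmailMessage()
    msg["Subject"] = "New voice message"
    msg.set_content("See attached.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="message.htm")
    return msg.as_string()
```

Calling scan_message(build_sample()) returns the attachment name paired with the redirect URL; an HTML attachment with no refresh tag yields an empty list.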

How the attack works

Security engineer and customer support specialist Nick Ponturo demonstrates how hackers configure and execute the MetaMorph attack.


Indicators of Compromise (IOCs)

Avanan clients are protected from the MetaMorph attack.

Immediate Recommendations

  • Be suspicious of any email that contains an HTML or .htm attachment.
  • Admins should consider blocking HTML attachments and treating them just like executables (.exe, .cab). 

For a deep dive on HTML attachment attacks, check out our other blog, “HTML Attachments: The Latest Phishing Trend Targeting Office 365.”