Credential Phishing – Themes and Tactics

  • Krishnan Subramanian, N/A at Menlo Labs

  • 31.03.2021 06:15 pm
  • phishing attacks

Executive Summary

In the last month, the Menlo Labs team has been observing a steady rise in credential phishing attacks. This method of attack is quite popular, where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment. Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe etc., we are also observing credential phishing attacks impersonating commonly used software services from other countries like South Korea and cryptocurrency wallets. 


Key takeaways:

-       Present the prominent credential phishing themes being observed in the last month

-       Tactics that are being used by attackers to serve credential phishing pages in an attempt to bypass existing detection solutions


O365 continues to be the top phishing target

In the last month, it may not be surprising to learn that the bulk of the credential phishing attacks were serving fake Outlook and Office365 login pages. This is primarily due to the ubiquity of Office365 service across corporate environments. 


The chart below shows the distribution of Office 365 credential phishing campaign target industries we observed in the last month. Specifically, we are observing airline duty free shop login credentials targeted, which explains the significant contribution of the travel industry in the pie-chart below. 


Phishing On Cloud Services

There is an uptick on the number of phishing pages being hosted on popular cloud services. While services like Azure, One Drive, Box, Firebase, Box, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note taking app Evernote: 


Phishing Tactics

Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content. 


Usage of Data URLs/Encoding to mask content

In a specific phishing HTML page content, we observed usage of Data-URLs to:

      Hide the actual javascript code that posts credentials to a remote URL. 

      Encode and embed all custom CSS/Images on the page itself


The advantages of using this mechanism is as follows:


      Allows the entire phishing page content to be rendered on a browser in a single load within the client. 

      Adding the “Content-Encoding: gzip” header allows the server to send the compressed response. 

      There would be no additional resource requests (Javascript/CSS/Images etc). 

      This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like Javascript/CSS. 



Dynamic content Generation

One interesting tactic that was observed with an O365 phishing campaign: this campaign seems to be appending the user’s email address on the URL,  the phishing page path is dynamically generated, and the user’s email address is automatically filled as seen below.


Given the path for the phishing landing page is dynamically generated, the pathname is fairly  long with random characters. As seen, there are two parts separated by the slash(/) character. The first part is a randomly generated folder name, followed by a randomly generated .php file. 



The advantages of using this mechanism is as follows:

      Individual files in a Phishing Kit are usually bundled together as a ZIP archive and hosted on the Phishing Domain server. 

      Phishing Kit signatures look for file patterns inside the ZIP archive (for e.g. submit2.php). 

      This dynamic generation of .php files is a mechanism used by the Phishing Kit to evade signatures that rely on filename/filepath patterns.


Downloading local files as a decoy for serving the phishing page

Another commonly used tactic seen was to use local HTML/PDF decoy files to load phishing content. In a specific example targeting Daum, a popular web service provider in South Korea, visiting the phishing landing page first downloads a decoy HTML file to the endpoint. The email is appended to the URL as a parameter, and upon visiting, immediately triggers a download to the endpoint. Once the local HTML file is opened, the actual phishing form is loaded with the filled username. Having a decoy file like this to load the phishing form is an attempt to evade detection solutions that might use machine learning or pattern matching on the HTTP response content.

The advantages of using this mechanism is as follows:

      Decoy files allow loading a content on the client machine, without fetching remote content from a server.

      Content Inspection mechanisms will be bypassed since content is loaded locally.

      Any phishing solution relying on logo detection mechanisms will also be bypassed. 


Dynamic loading of brand logos:


Phishing pages often make use of APIs like ClearBit to dynamically load company specific logos instead of generic Microsoft/Outlook logos. In this case, the phishing page tries to search for a company specific logo using the Clear Bit Logo API. If not found, regular Microsoft/Office logos are used. 


The advantages of using this mechanism is as follows:


      Allows attackers to dynamically impersonate brand logos without making an API call to the original site (For example:



Cybercriminals are trying to add complexity to carry out phishing campaigns to steal sensitive information. With free services like Let’s Encrypt, it is becoming increasingly easier for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate. Increasing  cybersecurity awareness through training and education initiatives is often helpful in reducing the impact of credential phishing attacks, but corporate users should be cautious when a site presents a form that asks for personal/sensitive information. 


Other Blogs