Several individuals who publicly support the defense of Richard Allen have received suspicious phishing emails carrying malicious attachments. A technical analysis of these emails and their attachments was performed in collaboration with an IT security consultant. The originator and the recipients of the phishing emails are not named here.

Details of the Attack

Targets:

  • Quasi-public figures associated with the same cause.

Attack Vector:

  • Phishing Email: Delivered via emails sent from an Outlook desktop application.
  • Payload: Password-protected PDF with a malicious link disguised as a DocuSign document.
Technical Analysis Performed

1. MAPI Header Analysis:

  • Confirmed the emails originated from a desktop Outlook application using the originator’s credentials.
  • Key Header:
    Received: from DM4PR17MB5995.namprd17.prod.outlook.com ([fe80::3f30:41e1:e3d8:61ae])
    by DM4PR17MB5995.namprd17.prod.outlook.com ([fe80::3f30:41e1:e3d8:61ae%4])
    with mapi id 15.20.8158.023.

2. Payload Examination:

  • PDF Creation:
    • Created using ilovepdf.com from an HTML file generated in Microsoft Word 16.
    • File Metadata:
      • Source File: 88debc649ad27b9eab55458f76133618.html
      • PDF Creation Time: 18 November at 12:32 EST.
      • Author Name: "ft".

3. Link Redirection:

  • DocSend Usage:
    • The DocSend link passes victims through a tracking step that records their IP address and browser metadata before forwarding them to the malicious webpage.

4. Fake Login Page:

  • Final Destination: fitnessmansion.com (appears as a Microsoft login page; DO NOT VISIT).
  • Code Review:
    • Standard phishing page HTML and JavaScript designed to mimic a Microsoft login.
    • Misconfigured: Credentials are sent to drensioons1sedt.com, a non-existent domain.

5. Phishing Recreation Test:

  • Method:
    • Simulated attack using dummy accounts and a sandboxed environment.
    • Tested effects of clicking the link and entering credentials.
  • Results:
    • No malicious activity detected after entering credentials.
    • No suspicious login attempts or email activity from the test account.
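The PDF metadata in step 2 (author, creator, producer, creation time, source title) lives in the PDF Info dictionary and can be pulled out with nothing but the standard library. The following is an added example written for this report, not tooling the analysts used; the sample PDF bytes are constructed to carry fields like those the report describes (author "ft", an 18 November 12:32 EST creation time, an HTML source name), and the year, producer string and placement of the source file name in /Title are placeholders, not values taken from the real attachment.

```python
"""Extract triage metadata from a PDF's Info dictionary (stdlib only).

Added example, not from the report. Handles literal strings (with the common
backslash escapes) and hex strings, including UTF-16 values with a BOM, and
parses PDF "D:" dates into timezone-aware datetimes. Octal escapes and nested
unescaped parentheses inside literal strings are not handled.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF body with an Info dictionary. The year,
# producer string and the use of /Title for the source file name are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Title (88debc649ad27b9eab55458f76133618.html)
   /Author (ft)
   /Creator (Microsoft Word 16)
   /Producer (ilovepdf.com placeholder)
   /CreationDate (D:20241118123200-05'00') >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer", "CreationDate", "ModDate")

# /Key (literal string) or /Key <hex string>; literal strings may contain "\)" escapes.
_ENTRY = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INFO_KEYS) + rb")\s*"
    rb"(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}
_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?"
)


def _unescape(s: bytes) -> bytes:
    """Resolve the single-character backslash escapes allowed in PDF literal strings."""
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def _decode(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with a BOM, else PDFDocEncoding
    (close enough to Latin-1 for triage purposes)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def parse_pdf_date(value: str):
    """Turn 'D:YYYYMMDDHHmmSSOHH'mm'' into a datetime; naive when no offset is given."""
    m = _DATE.match(value.strip())
    if not m:
        return None
    year = int(m.group(1))
    month, day = int(m.group(2) or 1), int(m.group(3) or 1)
    hour, minute, second = int(m.group(4) or 0), int(m.group(5) or 0), int(m.group(6) or 0)
    sign = m.group(7)
    if sign in ("+", "-"):
        off = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
        tz = timezone(off if sign == "+" else -off)
    elif sign in ("Z", "z"):
        tz = timezone.utc
    else:
        tz = None  # offset unknown per the PDF spec; leave the datetime naive
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def extract_info(pdf_bytes: bytes) -> dict:
    """Return the Info-dictionary fields found in the file. A later occurrence of a key
    wins, which matches how incremental PDF updates override earlier dictionaries."""
    info = {}
    for m in _ENTRY.finditer(pdf_bytes):
        key = m.group(1).decode()
        if m.group(2) is not None:
            raw = _unescape(m.group(2))
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(3)).decode())
        info[key] = _decode(raw)
    if "CreationDate" in info:
        info["created"] = parse_pdf_date(info["CreationDate"])
    return info


if __name__ == "__main__":
    for k, v in extract_info(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

The creation time comes out as an aware datetime with its embedded offset (-05:00 in the constructed sample), so it can be compared directly against mail-server timestamps, which are normally recorded in UTC.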

Attacker's Infrastructure

Email Origin:

  • Sent from the originator’s Outlook desktop application, not from a spoofed account. This is confirmed by the MAPI header present in the email from the originator. Such a MAPI header appears only when the message is submitted from a desktop Outlook client; a compromised account used through webmail or through an SMTP server would not produce it.

Payload Creation:

  • Tools: ilovepdf.com and Microsoft Word.

Redirection via DocSend:

  • Captures IP addresses and user metadata.

Fake Login Page:

  • Malicious but flawed; may indicate incomplete setup or alternative objectives.

Analysis of Objectives

Ruled Out:

  1. Accidental Sending:
    • Inconsistent recipient list: it included unfamiliar contacts that the originator would not have in their address book.
  2. Compromised Address Book:
    • Recipients appeared as bare email addresses, without display names, unlike typical malware-driven spam. Malware that sends mail from a harvested address book normally renders each recipient with the stored name, e.g. "John Doe <johndoe@gmail.com>", rather than the address alone.
  3. Credential Theft:
    • The non-functional login page and the test results suggest credentials were not the primary target. The full recreation of what happens to a logged-in Outlook account when the malicious link is clicked also disproves this.
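Two of the checks behind this reasoning, the MAPI submission hop discussed under "Email Origin" and the bare-address recipient format used to rule out address-book malware, can be automated over raw message files. The block below is an added example written for this report, not the analysts' own tooling. The MAPI Received header is the one quoted in the report (its trailing timestamp omitted); the contrasting SMTP message, the sender, recipients and the 203.0.113.5 documentation address are constructed. Labelling every non-MAPI submission as "smtp-or-webmail" is a simplification that follows the report's distinction and does not try to tell the two apart.

```python
"""Header triage for a suspected account-misuse phishing email (added example).

submission_path(): was the message submitted through a desktop Outlook MAPI
session (a Received hop carrying "with mapi id") or by some other route?
display_name_ratio(): what share of To/Cc recipients carry a display name?
Address-book-driven malware typically produces named recipients; a bare-address
list points away from that explanation.
"""
import re
from email import policy
from email.parser import BytesParser

# Report's MAPI hop (timestamp omitted); sender/recipients constructed.
MAPI_SAMPLE = b"""Received: from DM4PR17MB5995.namprd17.prod.outlook.com ([fe80::3f30:41e1:e3d8:61ae])
 by DM4PR17MB5995.namprd17.prod.outlook.com ([fe80::3f30:41e1:e3d8:61ae%4])
 with mapi id 15.20.8158.023
From: originator@example.com
To: alice@example.net, bob@example.org
Subject: Document

body
"""

# Constructed contrast: ordinary SMTP relay hop and named recipients.
SMTP_SAMPLE = b"""Received: from mail.example.org (mail.example.org [203.0.113.5])
 by mx.example.net with ESMTPS id abc123
From: originator@example.com
To: "Alice Example" <alice@example.net>, Bob Example <bob@example.org>
Subject: Document

body
"""

MAPI_RE = re.compile(r"\bwith\s+mapi\s+id\b", re.IGNORECASE)


def _parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(raw: bytes) -> list:
    """Received headers in transit order, earliest (submission) hop first.
    Servers prepend Received headers, so the header order is newest-first."""
    msg = _parse(raw)
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def mapi_hop(raw: bytes):
    """Return the first Received hop that shows a MAPI submission, else None."""
    for hop in received_hops(raw):
        if MAPI_RE.search(hop):
            return hop
    return None


def submission_path(raw: bytes) -> str:
    hops = received_hops(raw)
    if not hops:
        return "no-received-headers"
    return "mapi" if mapi_hop(raw) else "smtp-or-webmail"


def display_name_ratio(raw: bytes) -> float:
    """Fraction of To/Cc recipients that have a display name (0.0 when none)."""
    msg = _parse(raw)
    addresses = [a for h in ("To", "Cc") for v in msg.get_all(h, []) for a in v.addresses]
    if not addresses:
        return 0.0
    named = sum(1 for a in addresses if a.display_name.strip())
    return named / len(addresses)


def triage(raw: bytes) -> dict:
    return {"submission": submission_path(raw),
            "named_recipient_ratio": display_name_ratio(raw)}


if __name__ == "__main__":
    for label, sample in (("report-like", MAPI_SAMPLE), ("constructed smtp", SMTP_SAMPLE)):
        print(label, triage(sample))
```

Run over a mailbox export, a message that scores "mapi" with a low named-recipient ratio matches the pattern the report describes: a desktop client session sending to addresses that did not come from the originator's address book.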

Possible Motivations

  1. Reconnaissance/IP Address Harvesting:
    • Likely objective given DocSend usage, flawed login page, and the negative results of the recreation attempt.
  2. Psychological Manipulation/Intimidation:
    • Targeting of pro-defense figures suggests a possible motive to create paranoia or disruption.
  3. Discrediting/Compromising the Originator:
    • Using their account/computer could damage their reputation or cause discord.

Hypotheses About the Flawed Login Page

  • Incompetence/Error: Unlikely, given other elements were well-executed.
  • Generic Phishing Toolkit: Plausible; attackers may have failed to customize default configurations.
  • Intentional Deception: May obscure true objectives, such as IP harvesting.
  • Testing/Abandonment: Attack may represent an incomplete campaign.

Conclusion

  • The phishing attack likely primarily aimed to harvest IP addresses and possibly sow psychological discord among the targeted group.
  • Evidence does not support traditional account compromise or credential theft.
  • The misuse of the originator’s Outlook account suggests potential exploitation of application vulnerabilities or social engineering tactics.