Your order #92627421 - Corresponding Invoice

Watch out for this phishing attack this week.

Another HTML attachment - why we can't block this file type in O365 admin remains a mystery.

From: Bill Helene <bill-helene@ganver.com>

Sent: 05 November 2021 21:02

To: Accounts Team

Subject: Your order #92627421 - Corresponding Invoice

Attachments: invoice.html

 

Hello,

This invoice attached will be charged to your account within the next 24hours. Please confirm if you placed this order to avoid your account being charged.

The invoice is attached to this email; please download and confirm to us immediately.


Sincerely,
Bill Helene
Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913a

The attachment is an HTML document that is essentially an iframe showing you this site:

<html><iframe src="https://bit.ly/3FrDARk" target='_parent' onload="this.width=screen.width;this.height=screen.height;"  style='height: 100%; width: 100%;' frameborder="0" scrolling="no"> </html>

That site is an Excel document requiring your username and password:

The actual attack is from http://139.59.115.11:4400/, where they have compromised some sort of server that does not connect on the normal HTTP or HTTPS ports.
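A triage check for attachments like the one above, as an added example that is not part of the original post: it parses an HTML attachment and reports the iframe traits seen in this sample (remote src, link-shortener host, script resizing the frame to the full screen), plus a non-standard port in the src. The function and class names and the shortener list are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# The attachment body quoted in the post above.
SAMPLE_ATTACHMENT = (
    '<html><iframe src="https://bit.ly/3FrDARk" target=\'_parent\' '
    'onload="this.width=screen.width;this.height=screen.height;"  '
    "style='height: 100%; width: 100%;' frameborder=\"0\" scrolling=\"no\"> </html>"
)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: v or "" for k, v in attrs})

def triage_html_attachment(html):
    """Return the sorted reasons an HTML attachment looks like an iframe wrapper."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    reasons = set()
    for attrs in parser.iframes:
        onload = attrs.get("onload", "").replace(" ", "").lower()
        if "screen.width" in onload or "screen.height" in onload:
            reasons.add("iframe resized to full screen by script")
        try:
            url = urlsplit(attrs.get("src", "").strip())
            port = url.port  # raises ValueError on a bad port
        except ValueError:
            reasons.add("iframe src is malformed")
            continue
        if url.scheme in ("http", "https"):
            reasons.add("iframe loads remote content")
            if (url.hostname or "").lower() in SHORTENERS:
                reasons.add("iframe src is a link shortener")
            if port not in (None, 80, 443):
                reasons.add("iframe src uses a non-standard port")
    return sorted(reasons)

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT))
```

An empty list means no iframe trait matched; the reasons are triage hints for a mail gateway or analyst, not a verdict.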