Watch out for this phishing attack this week.
Another HTML attachment - why we can't block this file type in O365 admin remains a mystery.
From: Bill Helene < email@example.com >
Sent: 05 November 2021 21:02
To: Accounts Team
Subject: Your order #92627421 - Corresponding Invoice
This invoice attached will be charged to your account within the next 24hours. Please confirm if you placed this order to avoid your account being charged.
The invoice is attached to this email; please download and confirm to us immediately.
Sales Department Manager
2715 Sycamore Road
Nyssa, OR 97913a
The attachment is an HTML document which is essentially a full-page iframe showing you this site:
<html><iframe src="https://bit.ly/3FrDARk" target='_parent' onload="this.width=screen.width;this.height=screen.height;" style='height: 100%; width: 100%;' frameborder="0" scrolling="no"> </html>
Which is an Excel document requiring your username and password:
The actual attack is served from http://220.127.116.11:4400/, where they have compromised some sort of server that does not listen on the normal HTTP or HTTPS ports.
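If the file type cannot be blocked outright, the attachment's structure can still be flagged. The following is an added example, not part of the original post: a triage check for HTML attachments that consist of nothing but a remote, full-viewport iframe. The function name, reason strings and shortener list are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumed sample list

class IframeCollector(HTMLParser):
    """Records iframe attributes and counts text outside any iframe."""
    def __init__(self):
        super().__init__()
        self.iframes, self.text_chars, self.in_iframe = [], 0, False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.in_iframe = True
            self.iframes.append({k: v or "" for k, v in attrs})
    def handle_endtag(self, tag):
        self.in_iframe = self.in_iframe and tag != "iframe"
    def handle_data(self, data):
        if not self.in_iframe:
            self.text_chars += len(data.strip())

def score_html_attachment(html):
    """Return the reasons an HTML attachment looks like a bare iframe wrapper."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    reasons = []
    for frame in parser.iframes:
        try:
            url = urlsplit(frame.get("src", "").strip())
            port = url.port
        except ValueError:
            reasons.append("malformed-src")
            continue
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        reasons.append("remote-iframe:" + url.hostname)
        if url.hostname in SHORTENERS:
            reasons.append("shortener-src")
        if port not in (None, 80, 443):
            reasons.append("non-standard-port:%d" % port)
        style = frame.get("style", "").replace(" ", "").lower()
        sized = "screen.width" in frame.get("onload", "").replace(" ", "")
        if sized or ("width:100%" in style and "height:100%" in style):
            reasons.append("full-viewport")
    if parser.iframes and parser.text_chars == 0:
        reasons.append("no-visible-text")
    return reasons

# Constructed sample modelled on the attachment above (placeholder short link).
SAMPLE = '<html><iframe src="https://bit.ly/EXAMPLE" style="height:100%;width:100%"> </html>'
```

A shortener hides the final destination, so the non-standard-port reason only fires when the port appears directly in the iframe `src`; catching the redirect target needs URL detonation or proxy logs.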