Trend: Credphish Links Stuffed in Benign Attachments Are on the Rise

Share Now



Microsoft 365 ATP 

Microsoft 365 EOP By Kian Mahdavi, Cofense Phishing Defense Center

While it’s true that most enterprise-directed phishing is credential phishing, that doesn’t mean attackers have completely abandoned attachments. The days of malware-laden attachments are dwindling. You’re not going to find dangerous embedded macro or .VBS in 2020 at the same frequency observed in 2016. Attackers are using attachments, more now than ever, to deliver embedded URLs. Why? Because secure email gateway (SEG) vendors have emphasized auto-scanning and wrapping URLs in the body of emails.

During the last few weeks, the Cofense Phishing Defense Center (PDC) has observed a significant uptick in credphish URLs stuffed in attachments successfully bypassing several commercial SEGs. The attachment types are varied, but many are commonly used in normal business communications – .DOC .HTML, .HTM, .XLSX, .PDF, etc. Check out our REAL phishing threats samples here for a complete list.

If you think stuffing credphish URLs in attachments to sidestep automated URL scanning is a no-brainer for attackers, we agree. You’d be surprised at the number of SOAR vendors demoing automated-phishing-analysis playbooks that fail due to this simple attacker adaptation. This phenomenon isn’t going to slow down.

Here’s a common example of a campaign reported to the PDC by a vigilant user:

Figure 1: Email Body

There has been a recent rash – 500 variants – of this campaign reported from our users via the Cofense Reporter Button. The campaign originated from an assumed compromised account from a legitimate business. Originating from a legitimate business surely added to a sense of legitimacy. Luckily, the recipient asked themselves: “Am I expecting to receive a document from this sender?”

Upon opening the attached .XLSX document, Microsoft Excel loads, prompting the user to click an embedded image using “trusted” brands to spruce up the legitimacy of the ruse. Once clicked, the attack redirects to the phishing landing page requesting the user’s credentials.

Figure 2 – The underlying “Open” link doesn’t take the victim to OneDrive

Once credentials have been supplied, the phishing website redirects the user to the authentic “office[.]com” to make the victim feel like the whole experience was legit.

Figure 3 – Phishing landing page 

Figure 4  Redirect to authentic office[.]com webpage 

Figure 5 below displays the HTML source code with POST command when a user types in their credentials and attempts to login. In fact, their personal data gets forwarded to the attacker via a pre-configured PHP script.    

Figure 5 – POST command forwards users’ credentials to the above URL 

Slipping credential phish URLs into innocuous attachments is going to frustrate SEGs for years to come because of the endless file formats that support HTML, compounded by all the clever ways attackers can obfuscate those URLs from automated analysis. Cofense customers avoided a disaster because of their commitment to upgrading their wetware.

Indicators of Compromise: 

Network IOC   IP 
hxxps://noshgosh[.]com/9833636833/mau html  192185  181  28 
hxxps://runyourrideonwater[.]com/a1/shareaumine/loginphp  192  185  148 151 


File name:  Copy of mstglobal.xlsx  
MD5:  519615b29249d944f7564eb4f2d1feac 
SHA256:  ff9f56c61230a45ab662e7e2b650ec834ba4194cbcbc7cfcbdd06c0b046b64f6 
File Size:   36.2 KB 

Want to know the breakdown of phishing attacks by type? Make sure you look out for our annual report.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.