Written by ARC Labs contributors, John Dwyer and Eric Gonzalez
ARC Labs recently discovered a JavaScript-based credential harvesting campaign that uses fake voicemail notifications as a lure to capture Microsoft 365 credentials. ARC Labs has observed a significant uptick in JavaScript-based credential harvesting campaigns, which have become a prevalent threat in the cybersecurity landscape. Attackers increasingly rely on obfuscation and encryption to evade detection mechanisms. A notable method involves embedding malicious JavaScript within HTML files, a tactic known as “HTML smuggling”, which allows the code to execute when the file is opened by the target and thereby bypasses traditional security filters.
Furthermore, the adoption of libraries like CryptoJS has become more common among cybercriminals. By encrypting their malicious payloads using CryptoJS, attackers add a layer of complexity that hinders automated analysis and detection efforts.
Phishing Campaign:
In this campaign, the attackers sent emails claiming the recipient has a new voicemail. The email includes a PDF attachment containing a QR code which, when scanned, leads to a fake login page resembling legitimate services such as Microsoft Office 365 or SharePoint. Unsuspecting users who enter their credentials on these pages inadvertently provide attackers with access to their accounts. The phishing email and its PDF attachment are personalized with the targeted organization’s logo and the recipient’s information to establish legitimacy. In addition to the PDF file, the lure includes an HTM file attachment containing embedded JavaScript code that redirects the user to the credential harvesting page.
JavaScript Analysis:
The JavaScript starts by setting a variable named “0xbc8c” to the email address of the recipient. This is likely for tracking purposes or to customize further content so that it appears more legitimate. The JavaScript contains base64 data which is split across three different items in an array. The script concatenates the array items into a single string, passes it to the atob function to decode the base64 data, and then passes the decoded commands to eval for execution.
While there are various methods of decoding the base64 data, the “console.log()” method is a valuable resource when debugging potentially malicious code, as the analyst can access the contents of variables without moving data out of the original payload. In this case, ARC Labs simply changed “eval” to “console.log” to reveal the data encoded with base64.
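The loader shape described above (three base64 chunks in an array, joined, decoded with atob, handed to eval) and the eval-to-console.log substitution, as an added analysis harness that is not ARC Labs’ code or the sample’s own JavaScript. The chunk contents are constructed stand-ins, not the real payload; the decoded stage is recorded, never executed.

```javascript
// Added example (not ARC Labs' code): reproduces the "swap eval for
// console.log" step from the write-up without running the decoded stage.
// The loader shape follows the page; the chunk contents below are
// constructed sample data, not the campaign's payload.

// Constructed sample of what a decoded stage-1 string might look like.
const SAMPLE_STAGE = 'document.write("<p>New voicemail</p>")';
const sampleB64 = Buffer.from(SAMPLE_STAGE, 'utf8').toString('base64');
// Split across three array items, as in the sample ARC Labs analysed.
const sampleChunks = [sampleB64.slice(0, 11), sampleB64.slice(11, 30), sampleB64.slice(30)];

// atob() decodes base64 to a binary string; Buffer gives the same result in Node.
function atobSafe(b64) {
  return Buffer.from(b64, 'base64').toString('binary');
}

// Replay the loader with its sink replaced: `sink` stands in for eval, and the
// default simply returns the decoded text (the console.log substitution).
function revealStage(chunks, sink = (code) => code) {
  const joined = chunks.join('');   // the loader concatenates the array items
  return sink(atobSafe(joined));    // then atob -> eval; here atob -> sink
}

// Static triage for the same loader shape: an array of three or more
// base64-looking strings plus an atob() call and an eval() call in one script.
function looksLikeSplitBase64Loader(src) {
  const b64Array = /\[\s*(?:["'][A-Za-z0-9+\/=]+["']\s*,\s*){2,}["'][A-Za-z0-9+\/=]+["']\s*\]/;
  return b64Array.test(src) && /\batob\s*\(/.test(src) && /\beval\s*\(/.test(src);
}
```

Running revealStage on a real sample with the default sink returns the next stage as text, which can then be written to a file or a new HTML document for the next round of debugging.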
After loading the HTM file in a debugger, ARC Labs revealed additional JavaScript contained within the base64 data, which is executed when the page is loaded.
Upon initial inspection, ARC Labs noted further use of the “atob” function, indicating more base64-encoded data, and a concatenated string associated with a URL. The following code leverages the JavaScript “document.write()” method. In JavaScript, “document.write()” is used to write HTML expressions or JavaScript code directly into an HTML document. When called, it inserts the data at the point in the document where the script is executed. If document.write() is used after the HTML document has finished loading, it overwrites the entire document content.
There are various ways to extract the decoded base64 content from this code; for ease of analysis, ARC Labs copied the content into a new HTML file to enable simple debugging.
Making the code passed through “document.write()” valid HTML requires enclosing it within a “<script>” tag.
Again, leveraging “console.log”, setting a breakpoint, and loading the HTML content in a debugger enables analysis of the decoded code being executed. The base64 data decodes to basic HTML that renders a page about a voicemail. Further analysis of the decoded HTML did not reveal any additional JavaScript or malicious content.
The second stage of the JavaScript leverages the “setTimeout” method, which sets a timer to execute code automatically once the specified time has passed. In this case, the timer is set to four seconds. After four seconds, the function assigns a concatenated string (containing a URL) to the variable “goldfinch”, which is then passed to “document.write()” to inject a JavaScript redirect to the specified URL.
Again, leveraging “console.log” in the debugger is a simple way to extract the actual data being passed to the next function.
From this, ARC Labs concluded that this HTML content was meant to lure the target into loading it to access the voicemail and, after the timer function executes, dynamically inject additional web content (res444.php). When analyzing malicious web content, the presence of a “?” typically indicates a parameter being passed in the URL. In this case, “2-68747470733a2f2f6a39712e726c717a7469652e72752f68706b6b364a36342f-rwUuql” is passed to the PHP file “res444.php”. The middle section of this parameter stands out because it consists entirely of hexadecimal characters and begins with “68747470733a2f2f”, which is the hex encoding of “https://” and a common pattern in hex-encoded URLs. Hex-decoding the parameter data revealed a second URL.
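The parameter decoding described above, as an added example that is not part of the original post: it splits the value after “?” on “-”, hex-decodes the segment that starts with the “https://” marker, and returns the hidden URL together with the surrounding segments. The parameter string is the one quoted in the write-up; the host serving res444.php is a placeholder.

```javascript
// Added example (not ARC Labs' code): takes the res444.php query parameter
// apart and recovers the hex-encoded URL in its middle segment.

const HEX_HTTPS = '68747470733a2f2f';   // "https://" as ASCII hex

// Decode an even-length hex string to text; return null if it is not clean hex.
function hexToAscii(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) return null;
  return Buffer.from(hex, 'hex').toString('latin1');
}

// Parse "<prefix>-<hex url>-<trailing segment>" and return the hidden URL with
// the other segments, or null when no segment carries the https:// marker.
function extractHiddenUrl(param) {
  const parts = param.split('-');
  for (const [i, seg] of parts.entries()) {
    if (!seg.toLowerCase().startsWith(HEX_HTTPS)) continue;
    const url = hexToAscii(seg);
    if (url === null) continue;
    return {
      url,
      host: new URL(url).hostname,
      prefix: parts.slice(0, i).join('-'),
      tag: parts.slice(i + 1).join('-'),
    };
  }
  return null;
}

// Convenience for a full URL: take everything after "?" and apply the parser.
function analyzeRedirectUrl(fullUrl) {
  const q = fullUrl.indexOf('?');
  return q === -1 ? null : extractHiddenUrl(fullUrl.slice(q + 1));
}

// Placeholder host; the parameter value is the one quoted in the write-up.
const SAMPLE_REDIRECT =
  'https://placeholder.example/res444.php?2-68747470733a2f2f6a39712e726c717a7469652e72752f68706b6b364a36342f-rwUuql';
```

The recovered hostname is the value worth adding to a blocklist or hunting for in proxy logs, since the hex form will not match a plain string search.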
At the time of analysis, ARC Labs was still able to access a copy of “res444.php” for further analysis. On inspection, ARC Labs discovered that the content was not PHP code but more JavaScript. In JavaScript, a reference to Crypto-JS is a common indicator that there is encrypted data within the code. ARC Labs has observed that the use of Crypto-JS in JavaScript-based phishing campaigns has risen steadily since 2024, indicating that this evasion technique is part of a phishing kit. Leveraging encryption in these campaigns appears to be aimed squarely at evading automated analysis engines, since the decryption key must be present in the code itself for it to execute.
In this stage of the phishing campaign, there is more base64-encoded data which is decoded, parsed as JSON, and stored in the variables “a”, “b”, “c”, and “d”. The variables “b”, “c”, and “d” are used to decrypt the data stored in “a” using CryptoJS. The decrypted content is passed to “document.write” to load additional web content.
To decrypt the content stored in “a”, ARC Labs began the analysis of this stage by loading the JavaScript into a debugger and capturing the values assigned to the variables “a”, “b”, “c”, and “d”.
Stepping further into the script in the debugger, the decrypted data is stored in “rzirAFjIlLLTCGaS”, followed by a simple replace call that substitutes the string “blwRbXUYPJwusSMx” with the value of “rwUuql”, the email address stored in the first stage of the phishing chain.
Evaluating “rzirAFjIlLLTCGaS” in a debug session allowed ARC Labs to access the decrypted content it holds, revealing additional JavaScript that references the same URL stored in the hex data from the previous stage.
Analysis of the decrypted JavaScript shows that the script dynamically generates a URL containing a random uppercase letter and a target email address, then forces a redirect by creating and clicking a hidden <a> element. It first checks whether the email string contains “#” and, if so, appends a random letter to the URL before appending the email. The script clears the page content to obscure its activity and executes the redirect, likely for tracking, phishing, or exploit delivery. This behavior silently manipulates user navigation and embeds identifiable data in the request, a common technique observed in credential harvesting campaigns.
Accessing the generated URL within a sandbox revealed the final credential-harvesting stage. First, the user is redirected to a Cloudflare CAPTCHA, followed by a page mimicking a media player for accessing the fake voicemail. When the play button is clicked, the user is redirected to a fake Microsoft 365 authentication page. When credentials are entered, the malicious page forwards the request to Microsoft to validate them.
JavaScript-based phishing campaigns leveraging CryptoJS to encrypt payloads are becoming increasingly popular, making automated detection and analysis more challenging. To assist security professionals in decrypting and analyzing these threats, ARC Labs has developed a decoding script, allowing for quicker identification of malicious content and helping defenders stay ahead of these evolving threats.
The decoding utility can be found in the ARC Labs Repo.
IoCs: