misp-circl-feed/feeds/circl/misp/581fadbd-7acc-4907-9133-4380950d210f.json

{
  "Event": {
    "analysis": "2",
    "date": "2016-11-06",
    "extends_uuid": "",
    "info": "OSINT - Veil-Framework Infects Victims of Targeted OWA Phishing Attack",
    "publish_timestamp": "1478524899",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1478520976",
    "uuid": "581fadbd-7acc-4907-9133-4380950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#00223b",
        "local": false,
        "name": "osint:source-type=\"blog-post\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471136",
        "to_ids": false,
        "type": "link",
        "uuid": "581fade0-6a38-4c71-9f7d-4181950d210f",
        "value": "https://www.proofpoint.com/us/threat-insight/post/veil-framework-infects-victims-targeted-owa-phishing-attack"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471159",
        "to_ids": false,
        "type": "comment",
        "uuid": "581fadf7-6d18-437e-88eb-4e59950d210f",
        "value": "Proofpoint researchers recently observed a novel targeted phishing attack that combined Outlook Web Access (OWA) credential phishing with a malicious document download.  In May we also observed an Office 365 credential phishing attack leading to iSpy Keylogger [1], but the combination of OWA with this infection chain takes a different approach. While it is not clear whether the primary goal of the attack was delivering the malicious payload or capturing the targets' OWA credentials, this attack uses an OWA phish to additionally pushes a malicious document with a Veil-Framework payload capable of downloading further malware."
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471190",
        "to_ids": true,
        "type": "filename|sha256",
        "uuid": "581fae16-9808-48dc-877c-4c25950d210f",
        "value": "ViolationReport.xls|ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215"
      },
      {
        "category": "Network activity",
        "comment": "Phishing link",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471217",
        "to_ids": true,
        "type": "url",
        "uuid": "581fae31-7dec-40ef-9c2b-4d01950d210f",
        "value": "http://www2.sendsecuremail.com/bellevue/index.php?id=6153"
      },
      {
        "category": "Network activity",
        "comment": "Redirection to download of Excel file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471240",
        "to_ids": true,
        "type": "url",
        "uuid": "581fae48-89d8-4ae3-a458-49f1950d210f",
        "value": "http://www2.sendsecuremail.com/bellevue/ViolationReport.xls"
      },
      {
        "category": "Payload delivery",
        "comment": "ViolationReport.xls",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471369",
        "to_ids": true,
        "type": "md5",
        "uuid": "581faec9-1f8c-4466-8e4b-4ac5950d210f",
        "value": "bce71fda40b33921de7cbec44b64f3e3"
      },
      {
        "category": "Payload delivery",
        "comment": "ViolationReport.xls",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471369",
        "to_ids": true,
        "type": "sha1",
        "uuid": "581faec9-14fc-4e35-b407-4379950d210f",
        "value": "1794d5756f1ea13fea2735b4485f0a8bd3faef4e"
      },
      {
        "category": "Payload delivery",
        "comment": "ViolationReport.xls",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471370",
        "to_ids": true,
        "type": "sha256",
        "uuid": "581faeca-18a4-4889-b3da-49d3950d210f",
        "value": "ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478471390",
        "to_ids": false,
        "type": "link",
        "uuid": "581faede-172c-4d8e-a6f7-44fe950d210f",
        "value": "https://www.virustotal.com/cs/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/"
      },
      {
        "category": "External analysis",
        "comment": "ViolationReport.xls - Xchecked via VT: ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1478520976",
        "to_ids": false,
        "type": "link",
        "uuid": "58207090-a5d8-44d0-b793-49cf02de0b81",
        "value": "https://www.virustotal.com/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/1477917993/"
      }
    ]
  }
}