Forum Discussion
CyberCop2023
Apr 20, 2023 - Copper Contributor
Trojan:HTML/Phish.JS9
Had 67 detections of Trojan:HTML/Phish.JS9 over 2 days from C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE\6JGSCFQJ\authorize[1].htm. Have tried to "collect file" but am being constantly a...
Chuck_Vidal
Apr 21, 2023 - Copper Contributor
I am seeing the same thing over the last couple of days. We got a copy of the file authorize.htm and it looks just like a regular O365 logon. It seems that MS might be flagging their own login pages as phishing. Raised a support ticket to get confirmation that it's a false positive.
ExMSW4319
Apr 28, 2023 - Iron Contributor
There is a lot of phishing using obfuscated JavaScript in HTM attachments at the moment. If these are tested in a sandbox, a trace will show the HTM requesting Microsoft and commonplace CDNs. The image presented to the recipient is picture-perfect. Try putting in bogus credentials, and the phish will attempt to reach an obscure web site.
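For triaging a collected copy of a file such as authorize[1].htm without entering anything into it, here is a static check, added as an example and not part of any post in this thread. It lists every host the page references, including URLs hidden in `atob()` base64 strings, and reports those outside an allowlist. The allowlist is an assumed, partial set of Microsoft sign-in hosts, the two sample pages are constructed, and only this one simple obfuscation layer is decoded.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, partial allowlist of domains a genuine Microsoft 365 sign-in page loads from.
TRUSTED = ("microsoftonline.com", "msauth.net", "msftauth.net", "microsoft.com", "live.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)\\]+", re.I)
B64_RE = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']\s*\)")

class _Refs(HTMLParser):
    """Collects src/href/action values, including protocol-relative ones (//host/path)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for n, v in attrs if v and n in ("src", "href", "action")]

def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(html):
    """Return hosts outside the allowlist and any URLs found only after base64 decoding."""
    parser = _Refs()
    parser.feed(html)
    urls = set(parser.urls) | set(URL_RE.findall(html))
    hidden = set()
    for blob in B64_RE.findall(html):
        try:
            hidden.update(URL_RE.findall(base64.b64decode(blob).decode("utf-8", "replace")))
        except ValueError:  # not valid base64, ignore
            continue
    hosts = {(urlparse(u).hostname or "").lower() for u in urls | hidden} - {""}
    return {"untrusted_hosts": sorted(h for h in hosts if not _trusted(h)),
            "hidden_urls": sorted(hidden)}

# Constructed samples: a page that only talks to Microsoft hosts, and a look-alike
# that loads the same CDN image but hides a second destination in a base64 string.
SAMPLE_GENUINE = ('<form action="https://login.microsoftonline.com/common/login">'
                  '<img src="https://aadcdn.msauth.net/logo.png"></form>')
_B64 = base64.b64encode(b"https://collector.example.invalid/p").decode()
SAMPLE_PHISH = ('<img src="https://aadcdn.msauth.net/logo.png">'
                '<script>var u = atob("' + _B64 + '");</script>')

if __name__ == "__main__":
    print(triage(SAMPLE_GENUINE))
    print(triage(SAMPLE_PHISH))
```

An empty result does not clear a file, since heavier obfuscation will hide hosts from a static pass; a non-empty `untrusted_hosts` list is the signal worth escalating.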