Trojan:HTML/Phish.JS9

CyberCop2023 · ‎Apr 20 2023

Had 67 detections of Trojan:HTML/Phish.JS9 over 2 days from C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE\6JGSCFQJ\authorize[1].htm. Have tried to "collect file" but am being constantly advised that it can take up to 3 days. I have used Hunting to try to find where the file originated but there is nothing in email or web traffic that links it. My instinct is that this is a false positive. How do I speed the process of collection or actually track where the file originated?

Chuck_Vidal · ‎Apr 20 2023

@CyberCop2023

I am seeing the same thing over the last couple of days. We got a copy of the file authorize.htm and looks just like a regular O365 logon. Seems that MS might be flagging their own login pages as phishing. Raised a support ticket to get confirmation that it's a false positive.

Beefcake · ‎Apr 21 2023

@CyberCop2023

We're seeing the same.

SMski1800 · ‎Apr 21 2023

@Chuck_Vidal Any update from Microsoft? We are seeing the same.

Thanks!

Chuck_Vidal · ‎Apr 23 2023

Yeah. Got confirmation this was a false positive and latest sigs should take care of this.

ExMSW4319 · ‎Apr 28 2023

There is a lot of phishing using obfuscated JavaScript in HTM attachments at the moment. If these are tested in a sandbox, a trace will show the HTM requesting Microsoft and commonplace CDNs. The image presented to the recipient is picture-perfect. Try putting in bogus credentials, and the phish will attempt to reach an obscure web site.

Trojan:HTML/Phish.JS9

Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Products (65)

Special Topics (44)

Video Hub (444)

Most Active Hubs

Most Active Hubs

Video Hub

Trojan:HTML/Phish.JS9

Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9

Re: Trojan:HTML/Phish.JS9