Copper Contributor

Had 67 detections of Trojan:HTML/Phish.JS9 over 2 days from C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE\6JGSCFQJ\authorize[1].htm. Have tried to "collect file" but am being constantly advised that it can take up to 3 days. I have used Hunting to try to find where the file originated but there is nothing in email or web traffic that links it. My instinct is that this is a false positive. How do I speed the process of collection or actually track where the file originated?

6 Replies


I am seeing the same thing over the last couple of days.  We got a copy of the file authorize.htm and looks just like a regular O365 logon. Seems that MS might be flagging their own login pages as phishing. Raised a support ticket to get confirmation that it's a false positive.



We're seeing the same. 

@Chuck_Vidal Any update from Microsoft? We are seeing the same.



Yeah. Got confirmation this was a false positive and latest sigs should take care of this.
There is a lot of phishing using obfuscated JavaScript in HTM attachments at the moment. If these are tested in a sandbox, a trace will show the HTM requesting Microsoft and commonplace CDNs. The image presented to the recipient is picture-perfect. Try putting in bogus credentials, and the phish will attempt to reach an obscure web site.
i'm seeing this on one of our customer devices and it's communicating via ip 152[.]199[.]23[.]37, upon researching, not much further details on ip and not quite sure if virustotal comments is legit about this ip which is related to phishing. how can i raise this to microsoft for verification? kindly advise. thanks.