Occasional Visitor

Had 67 detections of Trojan:HTML/Phish.JS9 over 2 days from C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE\6JGSCFQJ\authorize[1].htm. Have tried to "collect file" but am being constantly advised that it can take up to 3 days. I have used Hunting to try to find where the file originated but there is nothing in email or web traffic that links it. My instinct is that this is a false positive. How do I speed the process of collection or actually track where the file originated?

5 Replies


I am seeing the same thing over the last couple of days.  We got a copy of the file authorize.htm and looks just like a regular O365 logon. Seems that MS might be flagging their own login pages as phishing. Raised a support ticket to get confirmation that it's a false positive.



We're seeing the same. 

@Chuck_Vidal Any update from Microsoft? We are seeing the same.



Yeah. Got confirmation this was a false positive and latest sigs should take care of this.
There is a lot of phishing using obfuscated JavaScript in HTM attachments at the moment. If these are tested in a sandbox, a trace will show the HTM requesting Microsoft and commonplace CDNs. The image presented to the recipient is picture-perfect. Try putting in bogus credentials, and the phish will attempt to reach an obscure web site.