
Outlook365 Encrypted Email - phishing, malware, or actually legit?


vanished


Hey friends,

Recently I went through a lengthy process for a legal thing with a company (let us refer to them as... uh, xXcompanyXx). At some point, they requested some personal documents and sent me an apparently encrypted email for me to reply to. Absent-mindedly, I did it... only to worry if I potentially fell victim to a phishing attempt or have downloaded a piece of malware. Looking up some videos, this seemed to be a legitimate thing by Microsoft, but the steps in most of them were different (e.g. https://www.youtube.com/watch?v=RyaJ8eNoYpk ), where the user first received an email that had a link to the encrypted email, whereas in my case, it was an email with an HTML file that first needed to be downloaded and opened before I got the instructions to the encrypted mail (e.g. https://www.youtube.com/watch?v=w_z_YPiuAVI ).

So just for peace of mind, I'm going to share my steps with you, just to see if there's anything suspicious.

1) Email received from xXcompanyXx.com, with the instruction to download the included "message.html" file.

2) I downloaded the file to my Mac (MacOS 12.6.3) and opened it locally from my "Downloads" folder.

3) The file asked me to sign in with an OTP - clicking that led me to a legitimate looking website with a URL that started with "outlook.office365.com/Encryption". Site seemed legit and their security was verified by DigiCert.

4) I received a legit-looking email from MicrosoftOffice365@messaging.microsoft.com with my OTP.

5) I entered the OTP and viewed the email, which even included my email history with this address prior to this encrypted message. The email's URL also started with "outlook.office365.com/Encryption".

6) I attached my documents, hit reply, and then signed out.

Now, after performing all these, I got a bit paranoid, so I ran a few checks on my computer.

a) I scanned the "message.html" file with both Malwarebytes and Avira. Nothing found.

b) I deleted the html file, and then scanned my entire Mac with both Malwarebytes and Avira. Nothing found.

c) I triple-checked through my browser history for the links I've been through, and if any rogue downloads have happened. All seemed good.

d) I triple-checked to see if any suspicious files have been created on my Mac. None found.

e) I checked for any rogue installations under System Report > Installations. None found.

Now, with all this information, does it seem like I have nothing to worry about? Or, are there more tests that I could do to see if I was infected by anything? Also, based on my steps, I don't think I was phished, right?

Hope I could get some opinions on this here.

Thanks y'all,

Vanished.


I moved the thread to General Chat as it really isn't about the Mac version of Malwarebytes.

The proper way to send encrypted email would be for you to have a Personal Certificate. You would then Digitally Sign an email and send it to xXcompanyXx.

Once they receive that email the recipient has your certificate and they can then send you the encrypted email by using your certificate.

I have sent thousands of Signed Emails, but only a small percentage were encrypted. Usually because the email contained PII or sensitive/proprietary company information.

The vast majority of people won't get a Personal Certificate for the purpose of non-repudiation and to Sign/Encrypt Email.

Some companies like financial institutions may circumvent this by sending the recipient an email with a Link that goes to a Trusted Server that hosts the PII or sensitive/proprietary information.

However, I do not know of a legitimate process that involves the sending of an HTML file. Since HTML can use obfuscation and JavaScript, it is a risky format, and even a legitimate email with an HTML file may get flagged as spam or blocked by Spam and Content Filters.

What I have seen is numerous HTML files that are sent in email as a Phish. Either the email has the HTML as an attachment or the email has a link to a 3rd party web site that would download the HTML file. They can be quite crafty and can even HiJack the Microsoft OAuth login process.

I am not familiar with the processes in the YouTube videos which seem arcane.

Malwarebytes software does not target scripted malware, and HTML is a type of script, so even if it was malicious, MBAM would not "detect" it.

Avira does, and may detect a malicious HTML file. But not always if it is a Zero Day file, and it may take time before Avira may flag a detection on a malicious HTML file.

A better process is to upload the HTML file to Virus Total and see what a consensus of participating vendors may detect. But not initially if it is a Zero Day file, and it may take time for detections to show on Virus Total.

To me, the process you describe is suspect as it parallels malicious activity, thus requiring corroboration and vetting.

For me the general rules of email security come into play here.

Are you expecting an email from xXcompanyXx?

If Yes, were you expecting an attachment in said email?

If No, call xXcompanyXx and verify if they indeed sent that email and the attachment, and ask about its intentions, what to expect, and why you have to go through that process.


All of the above is conjecture. The actual email in RAW .EML format and the associated attachment can help determine if the email is real or if it was a Phish.


Edited by David H. Lipman

Hi David, thanks for taking the time to reply!

23 minutes ago, David H. Lipman said:

Some companies like financial institutions may circumvent this by sending the recipient an email with a Link that goes to a Trusted Server that hosts the PII or sensitive/proprietary information.

Upon further digging, I have a feeling that this was what xXcompanyXx was attempting (assuming it's legit). I found two .gov documents on Google ( https://file.lacounty.gov/SDSInter/dmh/1076478_HowtoOpenanOutlookEncryptedEmail.pdf and https://tax.vermont.gov/help/technical-assistance/encrypted-email ) that seemed to illustrate the exact process I went through. Since they are .gov sites, I'm assuming they may paint this as a legit but (as you said) arcane method?

29 minutes ago, David H. Lipman said:

A better process is to upload the HTML file to Virus Total and see what a consensus of participating vendors may detect. But not initially if it is a Zero Day file, and it may take time for detections to show on Virus Total.

It seems like VirusTotal came back with a negative. Other than that and Avira, what software would be good to try to run a scan with? Avast?

30 minutes ago, David H. Lipman said:

Are you expecting an email from xXcompanyXx?

If Yes, were you expecting an attachment in said email?

If No, call xXcompanyXx and verify if they indeed sent that email and the attachment, and ask about its intentions, what to expect, and why you have to go through that process.

Yes, they have mentioned a few times in prior emails that if I need to email them any documents, they will send instructions that allow me to send them through a "secure portal". Also, I have emailed xXcompanyXx through regular email, and they confirmed that they have received my files and that the email was legitimate. However, I have an irrational fear of their email being spoofed. Not only that, while I am certain they are a legitimate company, is there a possibility of any bad actors accessing any other files on my computer when I added an attachment to the outlook.office365.com/Encryption site? Worse, what if the company is trusted but their methods have security holes that put my device at risk? Like you said, the methods did seem arcane... hmm.

36 minutes ago, David H. Lipman said:

All of the above is conjecture. The actual email in RAW .EML format and the associated attachment can help determine if the email is real or if it was a Phish.

How does one check that, btw?

Thank you so much for taking the time to reply to my question.


I can check the RAW email in .EML format for you. It will contain the Full Header and Body of the email in raw format. The headers can be used to verify who sent the email and the path the email took to get to you. If that same .EML file represents the email with the HTML file, I can then check that HTML.

You can send me a Personal Message (PM) with the RAW email in .EML format contained within a ZIP, RAR or 7zip archive as a PM attachment. I WILL keep your information PRIVATE.

How you extract that .EML format file is dependent upon the email system you use and whether you use Webmail or an Email Client like Thunderbird.

Since so many use GMail, here are the instructions to extract that .EML format file from GMail.

How to Save a Gmail Message as an EML File

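As an added illustration of the header check David describes above (not code from the thread or from any of the products named in it), the following Python script reads an .EML file with the standard library and summarises the evidence a defender looks at first: whether the From and Return-Path domains line up, the SPF/DKIM/DMARC results recorded by the receiving server, the Received chain in delivery order, and any attachments, flagging HTML ones. The sample message, its domains and IP addresses are constructed for the example and are not the poster's real email.

```python
import email, re
from email import policy
from email.utils import parseaddr

# Constructed sample .EML (not the poster's real message): two Received hops,
# an Authentication-Results line and an HTML attachment like the one discussed.
SAMPLE_EML = b"""\
Return-Path: <notices@xxcompanyxx.example>
Received: from mail.xxcompanyxx.example ([203.0.113.10])
\tby mx.recipient.example with ESMTPS; Tue, 14 Mar 2023 10:00:02 +0000
Received: from app.xxcompanyxx.example (10.0.0.5)
\tby mail.xxcompanyxx.example; Tue, 14 Mar 2023 10:00:01 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=xxcompanyxx.example;
\tdkim=pass header.d=xxcompanyxx.example; dmarc=pass header.from=xxcompanyxx.example
From: Notices <notices@xxcompanyxx.example>
Subject: Encrypted message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="message.html"
Content-Disposition: attachment; filename="message.html"

<html><body>placeholder</body></html>
--b1--
"""

def triage_eml(raw: bytes) -> dict:
    """Return sender alignment, auth results, Received chain, attachments and flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain, rp_domain = (parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
                              for h in ("From", "Return-Path"))
    # Authentication-Results is written by the receiving server; a missing check is "none".
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    hops = []
    for rcv in reversed(msg.get_all("Received", [])):  # headers are prepended: reverse = chronological
        frm = re.search(r"\bfrom\s+([^\s;]+)", str(rcv))
        by = re.search(r"\bby\s+([^\s;]+)", str(rcv))
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    attachments = [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]
    flags = [f"From domain {from_domain!r} differs from Return-Path domain {rp_domain!r}"] \
        if from_domain != rp_domain else []
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check, "none") != "pass":
            flags.append(f"{check} result is {auth.get(check, 'none')}")
    for name, ctype in attachments:
        if ctype == "text/html" or (name or "").lower().endswith((".htm", ".html")):
            flags.append(f"HTML attachment {name!r}: confirm with the sender by phone before opening")
    return {"from_domain": from_domain, "return_path_domain": rp_domain, "auth": auth,
            "hops": hops, "attachments": attachments, "flags": flags}
```

The Received chain is only as trustworthy as the server that added each line, so the hop written by your own provider's MX is the one worth reading first; `triage_eml(open("message.eml", "rb").read())` runs it on a saved file.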

Hey David!

Don't get me wrong, but I just am not too comfortable sharing any of it with a stranger. However, using what you said, I have done my own research/learning on the topic of analysing an EML file. Through my own analysis I think I wasn't phished and the email was from xXcompanyXx. So really, thanks for pointing me in that direction!

Knowing that I wasn't phished, I guess the only question that remains is whether the act of me opening the HTML, getting redirected to the office365 site, uploading a document, and replying has any potential security flaws in the journey that I need to check for? Virustotal/Avira came back clean for the HTML file, so I suppose that opening the HTML was fine. Redirection to the O365 site seemed fine too I guess, since I didn't input any passwords, just an OTP? I don't know if allowing a file to be uploaded from my computer to an online portal triggered by a downloaded HTML file can pose any problems or if I'm just being overly paranoid on this last one haha.

Either way, thanks so much for the help!


A better way is to use an email client like Mozilla Thunderbird.

With it you can manage online IMAP folders, perform rules-based filtering, archiving, templates and many other constructs not provided by using a Web Browser and accessing Webmail.
