Hoxhunt logo
Why Hoxhunt?
Solutions
CustomersPricing
Resources
Company
Sign inRequest demo
Hoxhunt black logoRequest a demo
publishing date icon
April 29, 2021
read time icon
5 min. read

New Embedded Email Credential Harvesting

Author image
Milla Viitala
Junior Threat Analyst
Post hero image

Email attacks are constantly mutating into more sophisticated variants. Sometimes new messages and email designs are aimed at people’s psychological triggers. Sometimes attackers use new technological tools. Regardless, we sift through tens of thousands of these attacks every week and incorporate the latest developments into our training programs. It's all about coaching your people to avoid getting hooked into something that will ruin your day… or a whole lot worse.In Off the Hook, expert Hoxhunters in the threat analysis department pinpoint:

  • What’s new
  • Why it’s dangerous
  • How it works


We zero in on a real attack recently spotted in the wild and dissect it so you and your colleagues can spot others like it. And stay Off the Hook!


The Hoxhunt threat analysis vault contains:

  • Tens of millions of email threats and threat observables
  • Tens of thousands of threats reported each week
  • Immeasurable and unparalleled phishing-email expert insights

Directly embedded credential harvesting email

credential harvesting phishing scam

What's wrong with this picture? Example of a new embedded credential harvesting email.

What’s new: Next-level credential harvesting

We spotted a new type of phishing email whose credential harvesting page is smack-dab in the middle of the email body. Its stripped-down, straight-to-the-malicious-layer design makes it particularly dangerous.Typically, phishing emails contain:

  • A link to a malicious website, or
  • A dangerous file in the attachments

Where a typical phishing email would offer more material to go over and ponder before clicking, this one’s malicious credential harvesting fields are embedded directly into the email itself.If the victim volunteers his password and presses the "Sign in" button, that data will be sent to the attacker. Password in hand, the hacker will have effectively compromised the email account.

Why it’s particularly dangerous

  • With less time and stimuli to consider in the email and its text, victims could submit their password reflexively.
  • The recipient's email address being already filled-in streamlines the attack to fewer steps for completion. Further problematic is that some password managers may suggest autofilling your credentials into these fields.
  • As the email recipient doesn’t need to visit an external site, it’s harder to verify the address from the URL bar against fake URLs (e.g. hoxhunt.com vs. hoaxhunt.com)
  • The sender field mimics an email from a well-known organization, perhaps even the victim’s.

How it works, and where it’s coming from

This campaign hijacks a cloud-based automated communication service, which allows the attacker to send gajillions of emails without needing to maintain an email server. These services are commonly used for business-to-customer communications like marketing emails, automated notifications, newsletters, and so on. While one might be tempted to dismiss this credential harvesting scam as an over-simplified spray-and-pray technique, the email’s design actually makes it quite dangerous.Using these services, attackers can easily fire off large quantities of emails, frequently bypassing spam-filters, while leaving fewer digital footprints back to the crime scene. Spoofing the sender fields is also common when using these services, which further camoflages the phishing attack.

Key takeaways: Severe Security Risk

  • This phishing email constitutes a severe security risk for the individual and organizations.
  • Don’t enter your credentials just anywhere - make sure you know who’s asking.
  • In this case, when you’re looking at a strange new email format, take a moment and ask yourself: Since when did Outlook start offering logins directly within emails? Have I ever been informed of this feature?

SPOILER ALERT! IF YOU DON'T WANT TO BE TIPPED OFF TO AN ACTUAL NEW HOXHUNT SIMULATION, STOP READING NOW!

Hoxhunt simulation

We create simulations of new threats in the wild like this one as quickly as possible. Doing so keeps simulations topical, current, and relevant to real threats confronting employees.Here is an example of a Hoxhunt simulation, which is based on the phishing technique examined in the above post:

If someone enters their credentials and clicks “View message,” the simulation is failed and the employee receives tips on how to spot the threat next time. If the user reports the email via the Hoxhunt plugin, Bravo! They pass the simulation and get a gold star to prove it.Coaching people to spot actual threats prepares people to report the scam when the real thing lands in their mailbox.While the actual attack-in-the-wild is categorized as medium in difficulty, this simulation is categorised as “easy” for Hoxhunt users, based on factors in the email and continuous data from users in more than a hundred countries.

Subscribe to our newsletter