A Phish That Scans For Viruses

While I was on the train today I was checking email and found that I had received an interesting phish. It was sent to an email I haven't used in years that apparently still forwards:

I certainly didn't want to miss my "incomming" fax, so I of course needed to click the link to "Preview Fax Message." 

The phish started off going to "outlake-q.hopto[.]com" and passing my email address as a parameter in the URL.  I changed that up a bit as you'll see below.  The HopTo address claims it is "Connecting to OneDrive" but it's really forwarding to the rest of the phish.
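One way to look for that first hop in web proxy logs, as an added example that is not part of the original post: the code below flags clicks whose query string hands an address in your own mail domains to a host you do not run, whether the address is plain, percent-encoded or base64-encoded. The hosts, parameter names, addresses and the `corp.example` domain are constructed; the post does not give the real parameter name or say how the address was encoded.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _b64_text(value):
    """Decode value as standard or URL-safe base64; None if it is not ASCII base64."""
    # parse_qsl turns '+' into a space; also map the URL-safe alphabet back.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def recipient_params(url):
    """Return (param, address, encoding) for query values that carry an email address."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query):
        for text, encoding in ((value, "plain"), (_b64_text(value), "base64")):
            match = EMAIL_RE.search(text) if text else None
            if match:
                hits.append((name, match.group(0), encoding))
                break
    return hits

def flag_clicks(urls, protected_domains, own_hosts=()):
    """Flag clicks that hand an address in our domains to a host we do not run."""
    flagged = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in own_hosts:
            continue
        for param, address, encoding in recipient_params(url):
            if address.rsplit("@", 1)[1].lower() in protected_domains:
                flagged.append((host, param, address, encoding))
    return flagged

# Constructed sample proxy-log URLs; hosts, parameter names and addresses are made up.
TOKEN = base64.urlsafe_b64encode(b"alice@corp.example").decode()
SAMPLE_URLS = [
    "http://fax-preview.ddns.example/view?id=" + TOKEN,
    "https://redirect.example.net/go?e=bob%40corp.example&f=1",
    "https://sso.corp.example/login?login_hint=carol%40corp.example",
    "https://news.example.org/article?id=12345",
]
```

A hit only says that a mailbox address left in a URL; the redirect target and the page it lands on still need a look before calling it a phish.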

"Leak-weave[.]gq" says "Please wait ..." while it continues connecting to OneDrive I guess. . . ?
Once it connects to OneDrive (which apparently is now hosted at leak-weave) it asks me to "Please hold a while" as "OneDrive Security is scanning your file for virus!" 

Great news!  No Virus detected on file!

"Scan Complete!  Your file is secure and safe for download. Office365 OneDrive."  So I guess I can Download the file, right?

Not so fast! First we have to confirm the password for "[email protected]".

It takes the time to actually connect to the PleaseDonHackMe.org mail server and concludes that I have entered an "Invalid password".

No file for you!

Now, if a visitor actually believed there was a file, they may have been tempted to provide their REAL password at this time.  I don't know if that would result in a Download or not, but I've decided not to find out!

Hope you enjoyed today's Adventure in Phishing!  Tune in next time to see .  .  . well, we don't know what yet.

Article Link: http://garwarner.blogspot.com/2019/11/a-phish-that-scans-for-viruses.html