SpamAssassin caught this phish, however some tweaks would have let it through, and it's an interesting new (to me) approach, so I figured I'd share it with y'all.
Full raw spample (with MUNGED email addresses): http://puffin.net/software/spam/samples/0053_phish_image.txt

At arrival time, the domain "alshimisiani" was only on URIBL Black (the webhost's SA does not run URIBL, so that was caught by my post-SA filter). The HTML link had all manner of weirdness (in particular, that Google "data-saferedirecturl" thingie), so I did a raw HTTP GET of the image, semi-thinking it was going to be borked or lame. Instead, I saw this very nicely done, VERY convincing image: http://puffin.net/software/spam/samples/0053_phish_image.png

I've never noticed that style before. I've seen similar with attached image(s), however I rarely pull down remote images. For a while, I've been concerned that spammers would move to more remote images in phish, and have been thinking about adding arrival-time pull-down & analysis of them.

** Has anyone noticed this tactic, and, if so, has it been going on for a while?

Also of interest is the main URL. It looks like the site is legit and was cracked/hijacked. The page used javascript and a meta refresh to redirect to a different apparently-cracked site, with an interesting 3 hops within that site, before the final pure javascript payload. I don't have the time to analyze the js, however it is somewhat unusual/different from what I've seen in the past. If it's down by the time anyone legit checks it, feel free to email me off-list for a copy (LEGIT geeks only, and note that I'll be mostly offline for the next 4-7 days).

I _VERY_ briefly researched the token "data-saferedirecturl", and my first impression is that maybe it shouldn't occur in email, so it may be a good test.

** What do the HTML gurus think?

Perhaps it would be worthwhile to MassCheck a meta of "BODY_URI_ONLY" with highly phish-y From.RealNames?
I just checked the last 3 months of my best corpora, and ham hits on "BODY_URI_ONLY" were in three categories (highest to lowest volume):

- DMARC reports
- ESP/bulk (with SA scores between -4.0 and 5.3)
- person-to-person with an image attachment

I'm already selectively "skip" listing all three scenarios, in particular DMARC reports (i.e. I never "white" list; I have my rules segmented into groups that can be easily skipped).

- "Chip"
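An added example, not from the post above or from SpamAssassin itself: a small post-SA style check in Python that exercises the three ideas Chip raises, namely flagging the "data-saferedirecturl" attribute in an HTML part, a "URI only" body test combined with a phish-y From display name (the meta he proposes), and listing remote image URLs as candidates for arrival-time pull-down. The two messages are constructed samples, the "URI only" heuristic is my own rather than SA's BODY_URI_ONLY logic, and the list of phish-y display-name tokens is a placeholder to be tuned against a real corpus.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Gmail-style attribute seen on the phish link; assumed rarely legitimate in
# mail that was not composed in the Gmail web client (assumption, not an SA rule).
SAFEREDIRECT_ATTR = "data-saferedirecturl"
# Placeholder "phish-y" display-name tokens; tune against your own ham/spam corpora.
PHISHY_NAME_RE = re.compile(r"\b(account|security|support|billing|verify|alert)s?\b", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)


class _HtmlWalker(HTMLParser):
    """Collect links, image sources, visible text runs and the saferedirect flag."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], [], []
        self.saferedirect = False
        self._skip = 0  # depth inside <script>/<style>, whose data is never visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a" and a.get("href"):
            self.links.append(a["href"].strip())
        if tag == "img" and a.get("src"):
            self.images.append(a["src"].strip())
        if SAFEREDIRECT_ATTR in a:
            self.saferedirect = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the phish-related signals."""
    msg = message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    w = _HtmlWalker()
    if html_part is not None:
        w.feed(html_part.get_content())
        w.close()
    # "URI only" (own heuristic): the HTML carries at least one link and every
    # visible text run is itself a bare URL, so an <img> wrapped in <a> qualifies.
    uri_only = bool(w.links) and all(URL_RE.match(t) for t in w.text)
    remote_images = [u for u in w.images if u.lower().startswith(("http://", "https://"))]
    from_name = ""
    if msg["From"] is not None and msg["From"].addresses:
        from_name = msg["From"].addresses[0].display_name
    phishy_name = bool(PHISHY_NAME_RE.search(from_name))
    return {
        "saferedirect": w.saferedirect,
        "uri_only": uri_only,
        "phishy_from_name": phishy_name,
        "image_phish_meta": uri_only and phishy_name,  # the meta the post proposes
        "remote_images": remote_images,                # candidates for pull-down
    }


# Constructed sample modelled on the described phish: link wrapping a remote image,
# Gmail-style saferedirect attribute, generic "security" display name.
PHISH = b"""From: "Account Security" <alerts@example.net>
To: victim@example.org
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

http://example.com/verify

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://example.com/verify"
   data-saferedirecturl="https://www.google.com/url?q=http://example.com/verify">
<img src="http://example.com/images/notice.png" alt="notice"></a>
</body></html>
--b1--
"""

# Constructed person-to-person ham: real prose around a link, no image, no attribute.
HAM = b"""From: Alice Example <alice@example.org>
To: bob@example.org
Subject: photos from the weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Bob, here are the photos I promised:
<a href="https://photos.example.org/album/42">album</a>. Cheers, Alice</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("ham", HAM)):
        print(label, analyze(raw))
```

The same attribute check expressed as a native SpamAssassin rule would be a rawbody rule along the lines of `rawbody __PN_SAFEREDIRECT /\bdata-saferedirecturl=/i` (rawbody, not body, because body rules see the HTML tags stripped), with the phish-y name side as a `From:name` header rule and the two combined in a meta; the Python above is only the post-SA filter shape. The "remote_images" list is where an arrival-time fetch and image analysis would hook in; fetching is deliberately left out so the example runs offline.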