An acquaintance had her Outlook 365 account hacked and the hacker used her account to send emails to hundreds of her contacts and prior addressees. I was in that group. This was not a spoof, the account was actually hacked.
The email has a link that is in the spoiler box below. Do not click on that link. It is included only for diagnostic purposes. It also includes a PDF attachment. When I open the attachment in Foxit there is a single page that is an image. The image has an Open button embedded with the same link. It is trying to make you think that you must click on the button to be able to view the document.
**Do not go to this URL** (spoiler; the URL is split across lines on purpose):
parathanglasses.in/
wp-admin/
css/
auth-secure-redirect-secure-review-sign-on/
fatura0011/
We know of at least some people who did click on the link, including my wife. She said nothing happened when she clicked it. We ran a virus check that found nothing, but that doesn’t mean that some other malware didn’t sneak in.
Is there any way to determine what the actual threat is here? I do not have a Windows sandbox or VM set up to experiment, but I am wondering if there is a registry of such sites, or if there is some other way to inspect the URL without allowing it to do anything malicious.
Unless a message, even one purporting to come from someone I know, contains something that I can identify as personal, I will never click on anything in it. The general “This should interest you” will not interest me. If it is accompanied by something personal, then I will. Often the return address is not right, but you cannot count on that.
Thank you for your sound advice but I don’t think it addresses my question, which is once I have identified a suspicious link, how do I find out what would happen if I clicked it unprotected?
I downloaded it with curl. The file seems to be boilerplate HTML which has been modified for this use (i.e. it contains comments like “Use the following CSS code if you want to have a class per icon”). There’s only a small amount of JavaScript in it, and it doesn’t seem to be doing anything obviously nefarious. Opened in a browser, it displays a login form with “Adobe PDF Online” at the top, and fields for “Email ID” and “Email password”, along with some broken image links since it wasn’t opened from its original location. Overall I don’t see anything terribly dangerous about it per se. Probably it’s just trying to harvest the dupe’s email password, so as long as no one was dumb enough to fill in the form, it shouldn’t be a problem.
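The reply above inspects the fetched file by hand. The following script is an added example, not code from anyone in this thread, showing how to do that inspection statically: it parses the downloaded HTML with Python's standard-library parser (no JavaScript runs, nothing is submitted) and reports the indicators the reply mentions, a form with a password field, where that form posts to, and lure wording such as "Email ID". The embedded page is a constructed imitation of the described "Adobe PDF Online" form, and the form action `example-collect.php` is a placeholder, not a value from the real page.

```python
"""Static triage of a suspected phishing page without rendering it.

Usage: python triage.py [downloaded.html]
With no argument the constructed SAMPLE_HTML below is analysed. A file saved
with `curl -o downloaded.html <url>` can be passed instead. Only markup is
parsed; no script in the page is executed and no form is submitted.
"""
import sys
from html.parser import HTMLParser

# Constructed sample modelled on the thread's description (not the real page).
SAMPLE_HTML = b"""
<html><head><title>Adobe PDF Online</title>
<!-- Use the following CSS code if you want to have a class per icon -->
<script>function go(){document.forms[0].submit();}</script>
</head><body>
<h1>Adobe PDF Online</h1>
<form method="post" action="example-collect.php">
  <label>Email ID</label><input type="text" name="email">
  <label>Email password</label><input type="password" name="pass">
  <input type="submit" value="View Document">
</form>
<img src="logo.png">
</body></html>
"""

# Phrases typical of credential-harvesting lures; a heuristic, not proof.
LURE_WORDS = ("password", "email id", "sign in", "verify", "view document")


class FormCollector(HTMLParser):
    """Records every <form>, its action and input fields, plus visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "inputs": [(type, name)]}
        self.scripts = 0     # number of <script> elements seen
        self.text = []       # text fragments (labels, headings, script bodies)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "")))
        elif tag == "script":
            self.scripts += 1

    def handle_data(self, data):
        self.text.append(data)


def triage(html_bytes):
    """Return a dict of credential-harvesting indicators found in the page.

    A page is flagged when it contains a form with a password field and
    lure wording in its text; the form's action tells where credentials go.
    """
    parser = FormCollector()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    text = " ".join(parser.text).lower()
    password_forms = [f for f in parser.forms
                      if any(t == "password" for t, _ in f["inputs"])]
    lures = [w for w in LURE_WORDS if w in text]
    return {
        "forms": len(parser.forms),
        "password_forms": len(password_forms),
        "post_targets": [f["action"] for f in password_forms],
        "lure_words": lures,
        "scripts": parser.scripts,
        "verdict": ("credential harvesting"
                    if password_forms and lures else "no clear indicator"),
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

The form's `action` is the most useful output: a relative path means the harvested credentials go back to the same compromised site, while an absolute URL names a second host worth reporting. Because the parser ignores script execution, a page that builds its form dynamically would show `forms: 0` and need a sandboxed browser to evaluate.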