Executive Summary
In early April 2025, Fortra’s Suspicious Email Analysis (SEA) team identified a novel and sophisticated phishing attempt targeting our clients. The threat actor’s main goal was to harvest Microsoft O365 credentials. While phishing attacks are neither new nor rare, the approach employed in this case is notable for its complexity and creative use of modern technologies: a linked .htm file, AES encryption, a call to a well-known Content Delivery Network (CDN), and an npm package containing the malicious code. Each of these tactics has been observed before, but this is the first time Fortra has documented them being used together to deliver a Microsoft O365 phish. While the effectiveness of this campaign remains to be seen, the combination of these tactics is clearly an attempt to reach unsuspecting victims where they may be vulnerable.
The abuse of open-source repositories, such as npm, has been well documented and is known to pose a significant threat to organizations. These tactics have allowed threat actors to not only deliver malware but also conduct supply chain attacks and now leverage them to deliver phishing URLs.
Individual case studies such as this allow cybersecurity professionals and interested parties to understand Tactics, Techniques, and Procedures (TTPs) that may be employed in the wild, helping them ensure their infrastructure is set up to detect these targeted phishing attempts in the future.
Introduction
This report walks through the stages of a phishing attack that stood out for its technical complexity and abuse of developer infrastructure. It began with a phishing email carrying a malicious .htm (Hypertext Markup Language) file that was successfully delivered to the victim’s inbox. The file is designed to appear harmless; beneath the surface, however, it contains encrypted code, which is uncommon in the average phishing attack. This drew the attention of our analysis team, who found that, once decrypted, the file pointed to JavaScript code hosted on a popular CDN.
That JavaScript file was part of a malicious npm package hosted under the guise of a typical open-source library. Once communication was established, the package loaded and delivered a second-stage script that customized phishing links using the victim’s email address, leading them to a fake Office 365 login page designed to steal their credentials.
The following sections describe each component of the attack in further detail, from the phishing email and encrypted payload to the use of CDN infrastructure and dynamic phishing URLs.
What are NPM Packages and CDNs?
Before describing the analysis process, we must establish some core concepts for those unfamiliar with npm (Node Package Manager). npm is a widely used tool that developers employ to install JavaScript libraries, or packages, to speed up development. These packages contain reusable code that can be integrated into larger applications, allowing developers to avoid reinventing the wheel. An npm package can be installed directly onto a local system or loaded from a CDN.
CDNs are designed to host files across geographically distributed servers, enabling fast delivery of content such as npm packages. This is particularly useful for loading popular libraries like React or jQuery without requiring developers to download them manually. For jsDelivr, the CDN used in this case, the URL for accessing an npm package typically follows the pattern https://cdn.jsdelivr.net/npm/<package>@<version>/<file>.
Analyzing Delivered Payload
The attack begins through an email delivered to our client’s inbox, containing a malicious “.htm” file:
At first glance, the EFT-PMT.htm file seemed to contain a straightforward phishing payload. On closer inspection, however, the file turned out to use AES encryption to conceal a string stored in a variable named “encryptedAthens”.
Advanced Encryption Standard (AES) encryption is an approach that is relatively uncommon in phishing campaigns. Typically, threat actors rely on simpler, less sophisticated techniques to obfuscate their malicious code, such as using obfuscator.io. However, this case presented a more advanced method, making it a noteworthy subject for further investigation.
During this investigation we wrote a short Python script to derive the PBKDF2 key needed to decrypt the AES-encrypted content of the “encryptedAthens” variable. Once decrypted, the string pointed to an intriguing URL hosted on jsDelivr, a popular CDN known for distributing open-source projects and npm packages.
Decrypted string (defanged): hxxps[://]cdn[.]jsdelivr[.]net/npm/citiycar8@2[.]1[.]9/MOMENTUM/NOW[.]API[.]JS
Analyzing the Malicious Package
The npm package had already been blocked by the CDN at the time of our investigation, which returned an error and directed us to its acceptable use policy. Despite this obstacle, we were able to continue the analysis by installing the package locally with Node.js and the npm package manager on our dedicated Windows machine.
The installation was a matter of a single command in a CMD window:
“npm install citiycar8@2.1.9”
Once installed, the package could be accessed in the following directory:
“C:\Users\%USERNAME%\node_modules\citiycar8”
Opening the package.json file contained within the same directory confirms that the correct version of the package had been installed, version 2.1.9.
The directory “MOMENTUM” holds “NOW.API.JS”, the next stage of this attack. This JavaScript file played a key role in the attack’s execution by loading further malicious content and linking back to the initial EFT-PMT.htm file. A notable feature of the script was a variable named “adidas”, which stored the victim’s email address. This allowed the attackers to personalize the phish by appending the victim’s email to the URLs used in subsequent stages.
This finding may mark a shift from previously documented abuse of npm to deliver phishing URLs, where README files (descriptive files included in repositories) were used to hold the redirection links. In Fortra’s observations, the malicious content sits within the package code itself.
Tracking the Phishing URLs
One of the key elements of this attack was the chain of redirections through malicious URLs. The NOW.API.JS script referenced a known malicious URL, flagged as phishing infrastructure by several detections on VirusTotal, a widely used intelligence-sharing platform:
At the time of our investigation, the redirect returned by the API, hosted on pages.dev, was offline. The site had been flagged by Cloudflare following reports of phishing activity. Fortra has previously published findings on how threat actors increasingly abuse Cloudflare’s services as part of their phishing infrastructure.
Further analysis of the citiycar8 package revealed a newer version (2.1.10) containing updated URLs. One of these pointed to a still-active phishing site. When accessed with the correct parameters, this site would redirect the victim to a final phishing landing page designed to collect Microsoft Office 365 credentials.
Analysis of Microsoft O365 Phishing Site
Once again, the site was offline during our investigation, complicating our evidence gathering. Fortunately, a member of the cybersecurity community had previously submitted the page to Any.Run, an interactive malware analysis platform, which captured a screenshot while it was still online. The screenshot, showing the final stage of the attack, provides clear evidence of the attackers’ goal: to steal Office 365 credentials by masquerading as a legitimate login page.
The public Any.Run report can be accessed here for additional details:
https://any.run/report/d7490849a01cdd55e3072f24b119f99b73229aae9941de624065ef48283879b5/cd3e65c5-ea20-46d0-bcaf-d9b1e5b8b50e
Conclusion
This phishing attack demonstrates a high level of sophistication, with threat actors chaining technologies such as AES encryption, npm packages delivered through a CDN, and multiple redirections to mask their malicious intentions. The attack not only illustrates the creative ways attackers attempt to evade detection but also highlights the importance of vigilance in the ever-evolving landscape of cybersecurity threats. While phishing campaigns are not new, this case stands out for its technical complexity and the resourcefulness of the attackers.
By analyzing the components of the attack, we gain a deeper understanding of the tactics employed by threat actors. Although during this analysis we saw phishing sites being taken down or flagged for malicious activity, there will certainly be further attempts, and these tactics may surface in future investigations. As phishing techniques become increasingly sophisticated, cybersecurity professionals must remain proactive in identifying and mitigating such attacks before they can harm our organizations and clients.
IOCs
EFT-PMT.htm SHA256: 5d33bd347d0525731c375048f8cb228cb6ab54bbf883fbc9a862e457a4137653
hxxps[://]cdn[.]jsdelivr[.]net/npm/citiycar8@2[.]1[.]9/MOMENTUM/NOW[.]API[.]JS
citiycar8@2.1.9 IOCs
hxxps[://]natrium100gram[.]site/public/api/page/redirect
hxxps[://]adobe-pending-sign-7834892393293[.]pages[.]dev/#?refid=
NOW.API.JS SHA256: 35ff658910c0da186ef710711aa1c774756bc6e2855d7783bb2ff0a36edf0308
citiycar8@2.1.10 IOCs
hxxps[://]noirlegacy-panel-1[.]website/uuurrlll
hxxps[://]sun-shine[.]pages[.]dev/#?refid=
NOW.API.JS SHA256: 8f02b3108099ae84d5c242b5ba061abf04034c893d5841ed8492f3637e57043d