Ok, so it turns out it is a straight up credential stealing phish attack. It's a link to a website that links to another website with a fake o365 login. Since there is no executable it escapes malware detection. I would still have thought it would get black-listed based on the URL in the PDF but I guess that shows how weak standard filtering is. I suspect the PDF in the URL is uniquely generated for each email attachment so it can't be easily black-listed.

John


On Wed, Jan 19, 2022 at 12:19 PM Gilbert E. Detillieux <gedetil@cs.umanitoba.ca> wrote:
On 2022-01-19 12:04 p.m., eh@eduardhiebert.com wrote:
> Lastly, forgive my lack of knowing, what does "zero-day attack" mean?

Essentially, an attack that exploits a brand-new vulnerability, either
before it has been disclosed, or on the day of disclosure (hence 0-day).
The key point being that it's a vulnerability for which there likely
is not yet an update, patch, or even a mitigation strategy.

See also:

https://en.wikipedia.org/wiki/Zero-day_(computing)

Gilbert

--
Gilbert E. Detillieux        E-mail:  <gedetil@cs.umanitoba.ca>
Dept. of Computer Science    Web:     http://cs.umanitoba.ca/~gedetil/
University of Manitoba
Winnipeg MB CANADA  R3T 2N2

_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable


--
John Lange
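The point John makes above (a per-recipient PDF defeats hash-based blocking, while the link inside the PDF is what actually matters) can be illustrated from the defender's side. The following is an added example, not code from anyone in this thread: it builds two constructed PDF fragments that differ only in a per-recipient token but carry the same /URI link action, extracts the link targets (both literal and hex-string forms), and shows that the file hashes differ while a domain blocklist still flags both. The redirector URL, the blocklist entry and the PDF fragments are all constructed for the demo.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample PDF fragments (not a real phishing file). Each carries a
# link annotation whose /URI action points at the same redirector, while a
# per-recipient token elsewhere in the file makes every attachment's hash unique.
def build_sample_pdf(token: str, url: str) -> bytes:
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
        b"   /A << /S /URI /URI (" + url.encode() + b") >> >> endobj\n"
        b"5 0 obj << /Producer (mailer " + token.encode() + b") >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )

# /URI values may be PDF literal strings "(...)" with backslash escapes, or
# hex strings "<...>". The literal pattern stops at the first unescaped ")".
_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

def _unescape(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for a URL.
    raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI link target found in the raw PDF bytes."""
    uris = [_unescape(m.group(1)) for m in _LITERAL.finditer(pdf)]
    for m in _HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:       # PDF pads an odd trailing digit with 0
            hexdigits += b"0"
        uris.append(bytes.fromhex(hexdigits.decode()).decode("latin-1"))
    return uris

def analyse_attachment(pdf: bytes, blocked_domains: set[str]) -> dict:
    """File hash (what hash-based blocking sees) plus link hosts (what URL
    filtering should see) for one attachment."""
    uris = extract_uris(pdf)
    hosts = {urlparse(u).hostname for u in uris if urlparse(u).hostname}
    return {
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "uris": uris,
        "flagged_hosts": sorted(h for h in hosts if h in blocked_domains),
    }

REDIRECTOR = "https://redirect.example/go?id=7"   # constructed, reserved .example TLD
BLOCKLIST = {"redirect.example"}                  # constructed blocklist entry

def demo() -> tuple[bool, bool]:
    """Two recipients' copies: hashes differ, but the link host is caught in both."""
    a = analyse_attachment(build_sample_pdf("rcpt-0001", REDIRECTOR), BLOCKLIST)
    b = analyse_attachment(build_sample_pdf("rcpt-0002", REDIRECTOR), BLOCKLIST)
    hashes_differ = a["sha256"] != b["sha256"]
    both_flagged = a["flagged_hosts"] == b["flagged_hosts"] == ["redirect.example"]
    return hashes_differ, both_flagged

if __name__ == "__main__":
    print(demo())   # (True, True)
```

The design choice here is to key the decision on the extracted link host rather than the attachment hash: the per-recipient token changes the hash on every copy, so a hash blocklist never matches twice, whereas the redirector domain is shared across the whole campaign. Real PDFs can also hide link targets in compressed object streams or JavaScript, which a raw-bytes scan like this one does not see; a mail gateway would need to decompress streams first.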