Email Security Blog

Fresh Phish: Weaponizing Text Files in a Personalized Credential Harvesting Scheme

There are not a lot of email security platforms that can detect a phish hiding behind a Rich Text Format (RTF) attachment file. However, that’s exactly what was caught in a new phishing scam that took a very personalized approach to harvesting Microsoft credentials. With multiple versions at play, it’s highly likely that this slippery phish will be poisoning the waters for some time to come. Let’s take a closer look.

Understanding RTF Files

Computers store many types of data, such as text, images, videos, and spreadsheets. The file type, or format, tells the computer which type of data it contains and it’s usually reflected in the file extension. For example, when you see “JunePayroll.xls” your probably recognize it as a spreadsheet file. And, you probably know “Graduation.jpeg” is an image. When computers detect the file types, they know the best program to use to open the file.

Of all file formats, a text file is the most common. Rich Text Files fall into that category. They are often used to create documents that will be viewed by multiple users on different platforms. This is because RTF files are platform-independent, meaning that they can be opened and edited on any computer regardless of the operating system. RTF files are also very versatile. In addition to text and graphics, RTF files can also include embedded fonts, tables, and hyperlinks…making it a great choice for the cybercriminals behind this phishing campaign.

A Closer Look at RFT Phishing Emails

This first email below appears to be an electronic fax or scanned document. The creator cleverly designed it to seem like it came from an Epson printer or scanner. It’s personalized with the recipient’s name and email address, and it asks for a signature on what appears to be an attached agreement.

The sender’s email address (noreply@syncwith[.]com ) does actually belong to SyncWith as it says, however in this case their notification system was abused to send these emails.

This phish swam with a big school! Over the course of two days, INKY caught more than 1,000 examples.

Picture1_epson scanner

Opening the RTF attachment brings the reader to what appears to be a link from which the agreement can be downloaded. The anchor text, however, is misleading. Epson[.]com is displayed but the link actually takes you to workers[.]dev, which is an abused Cloudflare domain used to host a Microsoft credential harvesting site.

You’ll notice some Epson brand impersonation at the bottom. However, what comes next seems to be a comical mistake made by the phisher. Especially considering this phishing threat is far from all right.  

Picture 3_all right

NEXT is a similar example of another RTF phishing email, however this one came from the Japanese freemail domain of plala[.]or[.]jp. It is also very personalized and tries to convince the recipient they have received a document – in this case, from an HP LaserJet Pro scanner sent via an Office365 portal.

Picture4_example 2

Opening the RTF document brings you to a similar download page. You will see that the anchor text is misleading. The recipient’s domain was included in the visible part of the link, but hovering showed that the true destination was actually r2[.]dev, another abused Cloudflare domain. Cloudflare R2 is a relatively new cloud storage service generally used by developers who want an economical option for storing large amounts of unstructured data.

Anyone who follows the malicious link is brought to a Microsoft credential harvesting site.


Our next example below originated from the hijacked account of a company in Canada. INKY caught more than 1,500 of these phishing emails, over the course of two days. The display name read “Fedwire” on all of them. If you’re not familiar, Fedwire used to be known as the Federal Reserve Wire Network and it is a real-time, gross settlement system that allows banks, businesses, and government agencies to send or receive payments for various purposes.

As with the previous examples, this phishing email includes personalization and brand impersonation to help give it credibility. The recipient’s company name is even included in RTF’s file name.

One new addition you’ll see here is a fake green “Message from a trusted sender” flag. Recognizing these phony banners is one of INKY’s many detection capabilities.

Because this phish is impersonating Fedwire, once the RFT link is opened we see what looks to be a link for transferring funds. Note the message at the top even tries to convince the victim that they’re reviewing a private transfer just for them. In reality, anyone can use the link, which takes them to a Microsoft credential harvesting site on workers[.]dev.

8 and 9 combined

The last example we’d like to share has no content in the email body, just an RTF attachment using recipient’s domain as the file name. On the outside it appears to have originated from an eprinter. However, the sender is actually using a hijacked account of a company in Italy.

One impressive piece of this particular phish has to do with personalization. Once phishers get a victim to the final stage of the game, (a.k.a. the point where they can steal the Microsoft sign-on credentials) they went the extra mile. Not only did they include the recipient’s name and the company logo, but they include some help desk information at the bottom. When you call the toll-free number listed, it actually does go to the company’s IT support group.

10Picture no email body

example with company help desk

Personalized Phish and Why It Works

Personalization has become increasingly common in phishing hacks, and with good reason – it works. Consider these facts:

  • Consumers are 2.1x more likely to view personalized offers as important versus unimportant.1
  • 72% of consumers say they only engage with personalized messaging.2
  • 66% of consumers say encountering content that isn’t personalized would stop them from making a purchase.3

There are several reasons why we tend to open personalized emails, as opposed to generic messages. For starters, we're more likely to trust emails that are addressed to us specifically. When we see our name in the subject line or the body of an email, it feels more personal and less like spam. Also, personalized emails are usually tailored to our specific needs or interests, so we're more likely to find them valuable and worth opening. Finally, personalized emails are more engaging and that usually captures our attention.

See Something, Say Something Even Works with Phish

Reporting suspicious behavior isn’t limited to the Department of Homeland Security. We all have a responsibility to report suspicious behavior. INKY users have an easy way to do that with the “Report This Email” option included on every email. Reporting suspicious emails was especially relevant to this particular phishing campaign and we’re grateful to every INKY user who reported a suspicious RFT email. As a result, this phishing threat was identified quickly and INKY was agile enough to find a solution in record time.

The beauty behind INKY’s machine learning capabilities is that the greater the data, the better the outcome. In the case of this phishing fiasco, INKY users reported so many instances that INKY quickly learned how to identify and protect others from becoming a victim. So, if you even think reporting a potential phishing email is not worth your time, or that nothing is done with the information you send, think again. Even with a zero-day attack, the INKY feedback loop helps us find solutions in a matter of hours, while others email security platforms could take months.

Recap of Techniques

  • Personalized phish — algorithms that extract the recipient’s domain and impersonate that domain to create a unique phish for each recipient.
  • Brand impersonation — uses elements of a well-known brand to make an email look as if it came from that company.
  • Credential harvesting — occurs when a victim tries to log into what they think is Microsoft’s website but enters credentials into a form controlled by the phishers.
  • Cloud service abuse - leveraging a legitimate service to host malicious content.

Best Practices: Guidance and Recommendations

  • Don’t open email attachments or links from unknown senders.
  • If you receive a suspicious email claiming to be from your employer or a fax notification with a new method, it’s best to contact them with an established method of communication.
  • Carefully inspect the domain of sites before entering sensitive data. r2[.]dev and workers[.]dev are not legitimate Microsoft domains so it should be a red flag that these sites have Microsoft branding and are asking for passwords.

To truly have a handle on phishing threats, you need a third party’s assistance. INKY offers a relentlessly effective level of security, capable of detecting and stopping phishing threats before anyone becomes a victim. Using computer vision, artificial intelligence, and machine learning, INKY provides a level of ingenuity that is unlike other email security platforms.

See what INKY can do for your business and your customers. Schedule a free demonstration today.


INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.