The Blurry Documents phish is a form of credential harvesting (getting login information) primarily aimed at businesses - thus, a form of Business Email Compromise (BEC). People who own their personal domains will occasionally get this but it’s far less common.

“Blurry Documents” is an unofficial term for the kind of phish that comes via email, stating you have “(1) new fax”, “(1) new document” or similar. Occasionally you’ll also see a version claiming you have “(1) new voicemail”; it is the same kind of phish, just a slightly different lure. You are often invited to click on an attachment, usually .eml or .htm (or even .html, but that’s rarer), which will lead you to a page with a blurred document and a login prompt for Office365. The blurry document is why I’ve named this phish the way I have. Sometimes the attachment itself asks for your login credentials without sending you to a URL on the internet, but more often it directs you to a URL.

Once you enter your credentials, it doesn’t bring you to a document, but instead to some kind of landing page that has nothing to do with the item you were supposed to see or hear.

Nowadays, you’ll often see a request to complete a CAPTCHA first - often a Cloudflare “prove that you’re human” check - which is there to keep automated sandboxes and URL scanners from reaching the fake login site.

How to protect yourself
When you see these, do the standard things you should always do with an email. Does the sender make sense (for example, Microsoft is not likely to be sending notifications from “Microsoft 365 notifications <itoj@gonezilard.co[.]jq>”)? If it’s a person you know/work with, does it make sense for that person to be sending you this? If not, don’t open the attachment, delete and ignore. If your organization has a place to report suspicious emails, send it on to them.

If you’ve opened the attachment (or clicked on the link in the version with no attachments), it’s not great but not the end of the world. Usually, these people are trying to get your credentials, so you don’t often see malware in this kind of attack. The next step is to see where you’ve landed. Does the address - the URL - look like it’s someplace where you’d expect to enter your username and password? If no, close it and go on with your day.

If you have entered your credentials and then realize what you’ve done, the best thing is to first notify your IT folks and then reset your password.
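The indicators described above (a “(1) new fax/document/voicemail” subject, an .eml/.htm/.html attachment, and a “Microsoft” display name on a non-Microsoft sender address) can be turned into a simple mail triage check. This is an added example, not part of the original post; the sample messages are constructed, and the list of sender domains a genuine Microsoft notification may come from is an assumption you would tune to your own tenant.

```python
import re
from email.utils import parseaddr

# Indicators from the write-up: lure subjects announcing "(1) new fax/document/voicemail",
# an .eml/.htm/.html attachment carrying the fake login page, and a "Microsoft"
# display name on a sender address that is not a Microsoft domain.
LURE_SUBJECT = re.compile(r"\(\d+\)\s*new\s+(fax|document|voice\s*mail)", re.I)
LURE_EXTENSIONS = (".eml", ".htm", ".html")
BRAND_WORDS = ("microsoft", "office 365", "office365", "o365")
# Assumed allow-list of domains a real Microsoft notification would be sent from;
# adjust to what your organisation actually receives.
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com")


def _domain_matches(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(msg):
    """Return the indicators that fire on one message, given as a dict with
    'from', 'subject' and 'attachments' keys. An empty list means none matched."""
    reasons = []
    display, address = parseaddr(msg.get("from", ""))
    domain = address.rpartition("@")[2].lower()

    if LURE_SUBJECT.search(msg.get("subject", "")):
        reasons.append("subject announces a pending fax/document/voicemail")

    lure_files = [a for a in msg.get("attachments", []) if a.lower().endswith(LURE_EXTENSIONS)]
    if lure_files:
        reasons.append("html/eml attachment: " + ", ".join(lure_files))

    claims_brand = any(w in display.lower() for w in BRAND_WORDS)
    if claims_brand and not _domain_matches(domain, BRAND_DOMAINS):
        reasons.append(f"display name claims Microsoft but sender domain is {domain}")
    return reasons


# Constructed sample messages (not real mail): one lure and one benign internal note.
SAMPLES = [
    {"from": "Microsoft 365 notifications <itoj@example-phish.invalid>",
     "subject": "(1) New Document received",
     "attachments": ["Document_scan.htm"]},
    {"from": "Pat Lee <pat.lee@example.com>",
     "subject": "Q3 budget draft",
     "attachments": ["budget.xlsx"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", triage(m) or ["no indicators"])
```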