The xlsb mail attachment contacts a URL and downloads the malware from an open directory, which also contains Ursnif/Gozi and is constantly updated.
Technical analysis by the malware hunter JAMESWT
Quarantined emails are the latest phishing bait. A global campaign directs victims to a fake webmail site. Objective: to steal the victims' credentials.
Some fake quarantined emails are the latest bait in a global cybercrime phishing campaign.
The message contains links that direct the intended victim to a fake webmail login page, where the message “your session cookie is invalid. Please try again” appears.
When the victim enters an e-mail address and password, the message repeats indefinitely. In the meantime, however, the credentials are stolen by the cybercrime actors behind the campaign. The bait messages vary the number of emails that are supposedly in quarantine.