Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml

{
    "explanation": [
        "The URL contains multiple redirects and suspicious domains (clicktime.cloud.postoffice.net) masking the final destination",
        "The email claims to be from Fiserv but uses an unusual redirect chain instead of a direct Fiserv domain link",
        "Password reset emails that use third-party redirect services are a common phishing tactic"
    ],
    "phishing": true,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Fri, 27 Dec 2024 04:17:00 -0800", 
    "subject": "Device Manager Password Reset Link", 
    "communications": [
        "[EXTERNAL EMAIL: Take caution with links and attachments. ] \n\n\n\nA password reset was requested for your Device Manager login. If you did not request it, it is safe to ignore this email. \n\nOtherwise, click this link to reset your password:\nhttps://clicktime.cloud.postoffice.net/clicktime.php?U=https://csdmap.onefiserv.net/DeviceManager/auth/reset_password%3Ftoken%3D2LH1F5Zp7hTOum2oriAMP_nZvZ4%3D&E=cgarlich%40firstfedweb.com&X=XID838CLAmRc9677Xd2&T=FF1001&HV=U,E,X,T&H=05e50c019d6b37b95f6f97e83ad5b7d9a0a10e56 \n\n"
    ], 
    "from": "\"DeviceManager@fiserv.com\" <DeviceManager@fiserv.com>", 
    "to": "Cale Garlich <CGarlich@firstfedweb.com>", 
    "attachements": []
}

{
  "contains_trigger_text": true,
  "trigger_text": "EXTERNAL EMAIL: Take caution with links and attachments",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": "unknown"
}

{"classification":"Credential Stealer"}

Email:
Detected potential phishing email: The URL contains multiple redirects and suspicious domains (clicktime.cloud.postoffice.net) masking the final destination. The email claims to be from Fiserv but uses an unusual redirect chain instead of a direct Fiserv domain link. Password reset emails that use third-party redirect services are a common phishing tactic

{
    "risk_score": 4,
    "reasoning": "The script appears to be a part of a security feature that checks the safety of a URL before redirecting the user. While it uses some external data transmission and legacy practices, the overall intent seems to be legitimate. However, the use of obfuscated URLs and the potential for data exfiltration requires further review."
}

             /* Initialize these variables from PHP */
             var pageState = {
                 // Configured constants
                 urlStatusURI: "\/rest\/FF1001\/v3\/urlstatus?U=https:\/\/csdmap.onefiserv.net\/DeviceManager\/auth\/reset_password%3Ftoken%3D2LH1F5Zp7hTOum2oriAMP_nZvZ4%3D&E=cgarlich%40firstfedweb.com&X=XID838CLAmRc9677Xd2&T=FF1001&HV=U,E,X,T&H=05e50c019d6b37b95f6f97e83ad5b7d9a0a10e56&CK=CKCLAwJH67515673408c&resubmit=N",
                 urlStatusRefresh: 2,
                 urlWarnRefresh: 10,
                 tapName: "Targeted Attack Protection",
                 browserActionsV3URI: "\/rest\/FF1001\/v3\/browseractions",

                 // Instance-specific values
                 clickID: "CKCLAwJH67515673408c",
                 url: "https:\/\/csdmap.onefiserv.net\/DeviceManager\/auth\/reset_password?token=2LH1F5Zp7hTOum2oriAMP_nZvZ4=",
                 clickThroughUrl: "https:\/\/clicktime.cloud.postoffice.net\/clicktime.php?U=https:\/\/csdmap.onefiserv.net\/DeviceManager\/auth\/reset_password%3Ftoken%3D2LH1F5Zp7hTOum2oriAMP_nZvZ4%3D&E=cgarlich%40firstfedweb.com&X=XID838CLAmRc9677Xd2&T=FF1001&HV=U,E,X,T&H=05e50c019d6b37b95f6f97e83ad5b7d9a0a10e56&C=Y",
                 logoUrl: "https:\/\/cloud.postoffice.net\/dynamic_logo\/tag\/FF1001",

                 // Customer controls
                 urlStatusTimeout: 2,
                 tapWaitTimeExceededAction: "pass",
                 tapVerdictSuspect: "block",
                 tapVerdictMalicious: "block",
                 tapInPhishingEnabled: "Y",
                 // tapTextColor: "#FFFFFF",
                 // tapBackgroundColor: "#428BCA",

                 // Customer-defined text
                 tapCheckingText: "<p>Please wait while Targeted Attack Protection checks this URL for threats.<\/p><p>For additional information, please contact your IT administrator.<\/p>",
                 tapRedirectText: "<p>Targeted Attack Protection has not detected any threats.<\/p><p>Redirecting to the link.<\/p>",
                 tapTimeoutText: "<p>Targeted Attack Protection has not detected any threats.<\/p><p>Redirecting to the link.<\/p>",
                 tapSuspectText: "<p>Warning \u2014 You are not permitted to access this website.<\/p><p>Targeted Attack Protection suspects that this page contains a threat.<\/p>{{>tapResults}}<p>For additional information, please contact your IT administrator.<\/p>",
                 tapMaliciousText: "<p>Warning \u2014 You are not permitted to access this website.<\/p><p>Targeted Attack Protection has determined that this page contains a threat.<\/p>{{>tapResults}}<p>For additional information, please contact your IT administrator.<\/p>",

                 // Initial page state
                 pageType: "checking",
                 errorMessage: "",
                 tapScore: "unknown",
                 tapThreatName: "",
                 tapThreatReason: "",
                 tapThreatClass: "",
                 previewPage: false,

                 startTimestamp: Date.now(),
                 isRedirect: false,
                 pollingStatusDisplay: {'static': '', 'dynamic': '', 'inDepth': ''}
             };
            

{
    "risk_score": 2,
    "reasoning": "This script checks if the jQuery library is available and, if not, dynamically loads the jQuery library from a local path. This is a common practice for ensuring the availability of a required library and does not exhibit any high-risk behaviors."
}

         if (typeof jQuery === 'undefined') {
             document.write(unescape('%3Cscript%20src%3D%22/js/jquery-1.11.3.min.js%22%3E%3C/script%3E'));
         }
        

{
    "risk_score": 3,
    "reasoning": "This script checks if the Mustache library is available, and if not, it dynamically loads the Mustache library from a local path. This is a common practice for ensuring the availability of required dependencies and is not inherently malicious. The script does not exhibit any high-risk behaviors, and the use of `document.write` is a low-risk indicator. Overall, this script appears to be a legitimate implementation of a common web development practice."
}

         if (typeof Mustache === 'undefined') {
             document.write(unescape('%3Cscript%20src%3D%22/js/mustache-2.1.3.min.js%22%3E%3C/script%3E'));
         }
        

{
    "risk_score": 1,
    "reasoning": "The provided code appears to be the minified version of the jQuery library, which is a widely used and trusted JavaScript library. It does not contain any high-risk indicators, such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is primarily focused on providing a set of utility functions and DOM manipulation capabilities, which are common in legitimate web development frameworks. Overall, this script is considered low risk."
}

/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.3",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.ca

{
    "risk_score": 6,
    "reasoning": "The provided JavaScript code contains a mix of low-risk and medium-risk indicators. While it includes some legacy practices and tracking behavior, it also demonstrates external data transmission and the use of fallback domains, which pose moderate risks. Additionally, the code appears to handle sensitive user data and redirect logic, which requires further review. Overall, the script exhibits behaviors that warrant a medium-risk assessment."
}

// In case the browser doesn't have Date.now (IE8 and earlier)
if (!Date.now) {
    Date.now = function() {
        return new Date().getTime();
    }
}

// For IE9
//(function(){ window.console = window.console || { log: function(){} } }());

// Polling status code mapped with display string
POLLING_STATUS_DISPLAY_MAPPING = {
    0: {    // Pending
        'icon': '',
        'text': '<h3>&lt; Pending &gt;</h3>'
    },      // In Progress
    1: {
        'icon': '<img class="polling-status-icon" src="images/loading.gif">',
        'text': '<h3>&lt; In Progress &gt;</h3>'
    },      // Unknown verdict
    2: {
        'icon': '<img class="polling-status-icon" src="images/tick.png">',
        'text': '<h3 style="color:#7FF337;">Nothing Found</h3>'
    },      // Suspect verdict
    3: {
        'icon': '<img class="polling-status-icon" src="images/alert.svg">',
        'text': '<h3 style="color:#ffcc33;">Suspicious</h3>'
    },      // Suspect in Progress
    4: {
        'icon': '<img class="polling-status-icon" src="images/loading.gif">',
        'text': '<h3 style="color:#ffcc33;">&lt; Suspicious &gt;</h3>'
    }, 
};

// props stores all the Mustache logic states that renders the content of the page 
var props = {
    /* Mustache-related parameters */
    layout: "", 
    data: {
        reportError: false,
        checking: false,
        proceed: false,
        summaryTitle: "",
        tapThreat: "",
        showTapThreatText: false,
        disclaimer: "",
        buttonGroup: false,
        closeButton: false,
        proceedButton: false,
        closeButtonText: "Cancel",
        proceedButtonText: "Proceed to URL",
        customerInfo: "",
        pollingStatus: false,
        closeButtonConfirm: "showConfirm();"
    },
    partials: {
        disclaimer: "",
        tapThreatText: "",
        tapResults: "",
        messageText: ""
    }
}

function showConfirm() {
    if (confirm("Are you sure to abort and close the window?"))
        window.close();
}

function redisplay() {

    // Update customer info for display
    if (pageState.tapWaitTimeExceededAction == "pass") {
        props.data.customerInfo = '<h3>You will be redirected in ' + pageState.urlStatusTimeout +
            ' seconds or once the scans complete.</h3>';
    } else if (pageState.tapWaitTimeExceededAction == "warn") {
        props.data.customerInfo = '<h3>You will be able to proceed in ' + pageState.urlStatusTimeout + ' seconds.\
</h3><h3 style="color: #ffcc33;">You are advised to wait for the scans to complete\
 or proceed with caution.</h3>';
    }

    if (pageState.previewPage === true) {
        document.getElementById("watermark-text-black").style.visibility = "visible";
        document.getElementById("watermark-text-white").style.visibility = "visible";
    }

    /*
     *  pageType can be one of:
     *  'error': to display an error page
     *  'checking': display a spinner and a "checking..." page, then recheck
     *  'timeout': Timeout Redirect page (if tapWaitTimeExceededAction is pass)
     *             or Timeout Warning page (if tapWaitTimeExceededAction is warn)
     *  'redirect': to redirect directly to the URL
     *  'result': displaying a warning (proceed=true) or block page (proceed=false)
     */

    // If we have a result, see what the customer wants to do about it.
    if (pageState.pageType == "result") {
        /* Display TAP Results by default */
        pageState.pageType = "result";

        /* If Voodoo phishing is disabled ("N") or unspecified (""), ignore a Credential Phishing threat. */
        if (pageState.tapInPhishingEnabled != "Y") {
            if (pageState.tapScore == "suspect" || pageState.tapScore == "threat") {
                tapThreat = pageState.tapThreatName.split(":");
                if (tapThreat[0] == "Credential Phishing") {
                    pageState.tapScore = "ok";
                }
            }
        }

        switch (pageState.tapScore) {
            case "suspect":
        

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be a part of the Mustache templating library, which is a widely used and trusted library for client-side templating. The code does not contain any high-risk indicators, such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is primarily focused on parsing and processing Mustache templates, which is a legitimate use case. While the code uses some legacy practices like `XDomainRequest`, these pose minor risks and are not inherently malicious. Overall, the script seems to be a benign implementation of the Mustache library."
}

(function defineMustache(global,factory){if(typeof exports==="object"&&exports&&typeof exports.nodeName!=="string"){factory(exports)}else if(typeof define==="function"&&define.amd){define(["exports"],factory)}else{global.Mustache={};factory(Mustache)}})(this,function mustacheFactory(mustache){var objectToString=Object.prototype.toString;var isArray=Array.isArray||function isArrayPolyfill(object){return objectToString.call(object)==="[object Array]"};function isFunction(object){return typeof object==="function"}function typeStr(obj){return isArray(obj)?"array":typeof obj}function escapeRegExp(string){return string.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g,"\\$&")}function hasProperty(obj,propName){return obj!=null&&typeof obj==="object"&&propName in obj}var regExpTest=RegExp.prototype.test;function testRegExp(re,string){return regExpTest.call(re,string)}var nonSpaceRe=/\S/;function isWhitespace(string){return!testRegExp(nonSpaceRe,string)}var entityMap={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;","/":"&#x2F;"};function escapeHtml(string){return String(string).replace(/[&<>"'\/]/g,function fromEntityMap(s){return entityMap[s]})}var whiteRe=/\s*/;var spaceRe=/\s+/;var equalsRe=/\s*=/;var curlyRe=/\s*\}/;var tagRe=/#|\^|\/|>|\{|&|=|!/;function parseTemplate(template,tags){if(!template)return[];var sections=[];var tokens=[];var spaces=[];var hasTag=false;var nonSpace=false;function stripSpace(){if(hasTag&&!nonSpace){while(spaces.length)delete tokens[spaces.pop()]}else{spaces=[]}hasTag=false;nonSpace=false}var openingTagRe,closingTagRe,closingCurlyRe;function compileTags(tagsToCompile){if(typeof tagsToCompile==="string")tagsToCompile=tagsToCompile.split(spaceRe,2);if(!isArray(tagsToCompile)||tagsToCompile.length!==2)throw new Error("Invalid tags: "+tagsToCompile);openingTagRe=new RegExp(escapeRegExp(tagsToCompile[0])+"\\s*");closingTagRe=new RegExp("\\s*"+escapeRegExp(tagsToCompile[1]));closingCurlyRe=new RegExp("\\s*"+escapeRegExp("}"+tagsToCompile[1]))}compileTags(tags||mustache.tags);var scanner=new Scanner(template);var start,type,value,chr,token,openSection;while(!scanner.eos()){start=scanner.pos;value=scanner.scanUntil(openingTagRe);if(value){for(var i=0,valueLength=value.length;i<valueLength;++i){chr=value.charAt(i);if(isWhitespace(chr)){spaces.push(tokens.length)}else{nonSpace=true}tokens.push(["text",chr,start,start+1]);start+=1;if(chr==="\n")stripSpace()}}if(!scanner.scan(openingTagRe))break;hasTag=true;type=scanner.scan(tagRe)||"name";scanner.scan(whiteRe);if(type==="="){value=scanner.scanUntil(equalsRe);scanner.scan(equalsRe);scanner.scanUntil(closingTagRe)}else if(type==="{"){value=scanner.scanUntil(closingCurlyRe);scanner.scan(curlyRe);scanner.scanUntil(closingTagRe);type="&"}else{value=scanner.scanUntil(closingTagRe)}if(!scanner.scan(closingTagRe))throw new Error("Unclosed tag at "+scanner.pos);token=[type,value,start,scanner.pos];tokens.push(token);if(type==="#"||type==="^"){sections.push(token)}else if(type==="/"){openSection=sections.pop();if(!openSection)throw new Error('Unopened section "'+value+'" at '+start);if(openSection[1]!==value)throw new Error('Unclosed section "'+openSection[1]+'" at '+start)}else if(type==="name"||type==="{"||type==="&"){nonSpace=true}else if(type==="="){compileTags(value)}}openSection=sections.pop();if(openSection)throw new Error('Unclosed section "'+openSection[1]+'" at '+scanner.pos);return nestTokens(squashTokens(tokens))}function squashTokens(tokens){var squashedTokens=[];var token,lastToken;for(var i=0,numTokens=tokens.length;i<numTokens;++i){token=tokens[i];if(token){if(token[0]==="text"&&lastToken&&lastToken[0]==="text"){lastToken[1]+=token[1];lastToken[3]=token[3]}else{squashedTokens.push(token);lastToken=token}}}return squashedTokens}function nestTokens(tokens){var nestedTokens=[];var collector=nestedTokens;var sections=[];var token,section;for(var i=0,numTokens=tokens.length;i<numTokens;++i){token=tokens[i];switch(token[0]){case"#":case"^":collector.push(token);section

{
  "contains_trigger_text": true,
  "trigger_text": "Scanning URL for Threats...",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": true,
    "third_party_hosting": true
}

URL: https://clicktime.cloud.postoffice.net

{
  "brands": [
    "SilverSky"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "No Threats Detected",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Silversky"
  ]
}