Phoenix the supervisor
Posted:
22 Sep 2010 04:34 PM
In general, spammers will try everything and stop at nothing to deliver content to users. When people don't trust one kind of email, spammers change their tactics and use something else. This process never stops, and is very interesting to follow. It's interesting, at least, if we know we're being protected.
Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of malicious email messages linked to the Phoenix Exploit Kit. Websense customers are and have been protected by the real-time protection in our Advanced Classification Engine, ACE.
As we have seen during the last couple of weeks, blended attacks are being used more than ever before. Earlier, we saw spammers enticing users with pharma spam, exploiting the death of a football player, and offering Evite invitations. This time, they are attempting to lure users with genuine-looking email attachments that, when opened, launch them into a redirection chain that ends on a page containing the Phoenix Exploit Kit.
The emails contain only one or two sentences and an HTML attachment:

When the attachment is opened, the page that is displayed looks legitimate. In fact, the spammers copied content from several different vendors and brands, including XBox 360, Bank of America, and Twitter, as shown below:

Behind that legitimate-looking page, obfuscated JavaScript runs and launches the user into the redirection chain that, as mentioned earlier, ends on a page containing the Phoenix Exploit Kit.
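As an added illustration of how a mail gateway or analyst script can flag attachments of this kind, the following Python scanner scores an HTML attachment for the traits described above: script blocks built from escaped or high-entropy string literals, `unescape`/`eval`/`document.write` usage, and client-side redirects (`location` assignments, meta refresh, hidden iframes). This is example code, not Websense's own detection logic or ACE rules; the indicator regexes, the thresholds, and the two sample attachments are assumptions constructed for the demonstration.

```python
import math
import re
from dataclasses import dataclass, field

# Indicator patterns modelled on the behaviour the post describes (obfuscated
# JavaScript in an HTML attachment that redirects onward). These are assumed
# heuristics for illustration, not any vendor's production rules.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "unescape_call": re.compile(r"\bunescape\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "document_write": re.compile(r"document\.write\s*\("),
    "location_redirect": re.compile(r"(window\.|document\.)?location(\.href)?\s*=", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?0", re.I),
    # runs of %XX, \xXX or \uXXXX escapes are typical of packed payload strings
    "hex_escape_run": re.compile(
        r"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}|(?:\\u[0-9a-fA-F]{4}){8,}"
    ),
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"([\"'])(.*?)\1", re.S)


def shannon_entropy(s: str) -> float:
    """Bits per character; packed/encoded blobs score higher than prose or code."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ScanResult:
    indicators: list = field(default_factory=list)
    longest_string: int = 0
    max_string_entropy: float = 0.0
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # assumed threshold: three or more independent indicators
        return self.score >= 3


def scan_html_attachment(html: str) -> ScanResult:
    """Score one HTML attachment body; higher score = more obfuscation/redirect traits."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            result.indicators.append(name)
    # Inspect string literals inside <script> blocks for packed payloads.
    for body in SCRIPT_RE.findall(html):
        for _quote, literal in STRING_RE.findall(body):
            result.longest_string = max(result.longest_string, len(literal))
            if len(literal) >= 40:
                result.max_string_entropy = max(
                    result.max_string_entropy, shannon_entropy(literal)
                )
    score = len(result.indicators)
    if result.longest_string >= 200:  # assumed threshold
        result.indicators.append("long_string_literal")
        score += 1
    if result.max_string_entropy >= 4.5:  # assumed threshold
        result.indicators.append("high_entropy_string")
        score += 1
    result.score = score
    return result


# Constructed sample attachments (not captured from the campaign).
BENIGN_HTML = """<html><body><h1>Meeting notes</h1><div id="x"></div>
<script>document.getElementById("x").textContent = "hi";</script></body></html>"""

SUSPICIOUS_HTML = """<html><body>
<h1>Your order confirmation</h1>
<script type="text/javascript">
var p = "%3C%68%31%3E%48%65%6C%6C%6F%3C%2F%68%31%3E";
document.write(unescape(p));
window.location = "http://redirect.example.invalid/step1";
</script>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        r = scan_html_attachment(sample)
        print(f"{label}: score={r.score} suspicious={r.suspicious} {r.indicators}")
```

The scanner is deliberately conservative: any single indicator (a `location` assignment, say) is common in legitimate pages, so only the combination of several traits in one small attachment raises the score, which is the pattern that distinguishes a lure page from ordinary HTML mail.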