The initial Document sent by the phishing attempt was a Microsoft Word attachment. In this picture, you are seeing the default message that will be displayed when opening the Microsoft Word document.
The second message received by the host is a Microsoft Word message explaining the save button in Microsoft Word. After clicking on the save button, the host will have to provide a username and password to continue the download. The following image depicts the save button that was used.
Once a user clicks on "Yes" button, the host will be redirected to a temporary page to download the document. Once the document is in place, it will be possible to open it. This is the message that will be displayed after that.
You can see above that the host's computer name is reflected on the navigation bar of the service tool. This allows the attacker to see which host's computer it is being accessed from. This information could be useful in an advanced attack. d2c66b5586