- Scammers create highly convincing harvesting pages by scraping organizations’ branded Microsoft 365 tenant login pages.
- Operators behind the phishing scam are using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages.
What’s the matter?
Researchers from Rapid7 observed a new phishing attack campaign that uses fake Microsoft login pages to harvest Microsoft users’ Office 365, Azure AD, and Outlook account credentials.
The big picture
Operators behind the phishing scam are using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, so that targets believe they have been redirected to a genuine Microsoft login page.
Hosting the phishing pages on Azure Blob Storage also means they are automatically served over HTTPS with an SSL certificate issued to Microsoft, which lends the pages further apparent legitimacy.
- Researchers noted that these scammers create highly convincing harvesting pages by scraping organizations’ branded Microsoft 365 tenant login pages.
- This allows the crooks to have the target company’s logo and branded background added to their phishing landing pages.
- The attackers also add an automated email check for the organization’s users.
- As a result, a potential target's email address is checked against huge lists of validated email addresses before the victim is redirected to the phishing forms.
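As an added example (not Rapid7's tooling or anything taken from the campaign), the check below triages URLs extracted from inbound mail: it flags login-themed pages served from Azure Blob Storage or Azure Web Sites hostnames, where the Microsoft-issued certificate says nothing about who actually controls the page. The Azure hostname suffixes are the standard public ones for those services and are assumed here rather than named on the page; the sample URLs are constructed.

```python
"""Heuristic URL triage for Azure-hosted credential-harvesting pages.

Added example, not the researchers' code. Hostname suffixes are the public
naming scheme for Blob Storage and Azure Web Sites (an assumption, not from
the article); SAMPLE_URLS are constructed, not campaign indicators.
"""
import re
from urllib.parse import urlparse

# Microsoft-owned hosting suffixes that any customer can publish content to,
# so a valid Microsoft TLS certificate alone does not vouch for the page owner.
AZURE_HOSTED_SUFFIXES = (".blob.core.windows.net", ".azurewebsites.net")

# Login-themed words the fake Microsoft sign-in pages tend to carry.
LOGIN_WORDS = re.compile(
    r"(login|signin|sign-in|office365|o365|outlook|owa|sharepoint)", re.I
)

# Genuine Microsoft sign-in hosts; real logins never happen on customer storage.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "outlook.office.com"}


def classify_url(url: str) -> str:
    """Return 'suspect', 'legit-ms-login', or 'other' for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in MS_LOGIN_HOSTS:
        return "legit-ms-login"
    if not any(host.endswith(s) for s in AZURE_HOSTED_SUFFIXES):
        return "other"
    # Azure-hosted content with a login-themed path or query is the pattern
    # the article describes: Microsoft-signed TLS, attacker-controlled page.
    if LOGIN_WORDS.search(parsed.path + "?" + parsed.query):
        return "suspect"
    return "other"


def triage(urls):
    """Return only the URLs worth an analyst's attention, in input order."""
    return [u for u in urls if classify_url(u) == "suspect"]


# Constructed sample: URLs as they might be pulled from inbound messages.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://docs12345.blob.core.windows.net/files/office365-login.html",
    "https://contoso-cdn.blob.core.windows.net/public/quarterly-report.pdf",
    "https://secure-signin-portal.azurewebsites.net/owa/?email=user%40example.com",
    "https://example.com/news",
]

if __name__ == "__main__":
    for u in triage(SAMPLE_URLS):
        print("SUSPECT", u)
```

The keyword list is deliberately narrow; tune it to the login page wording your tenant actually uses, and treat a hit as a reason to inspect the page, not as a verdict.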
If the target organization does not have a custom branded tenant page, the scammers fall back on a phishing kit that uses the default Office 365 background image.
- Researchers uncovered that one such phishing kit is still hosted on the xeroxprofessionalsbusiness[.]vip domain.
- Analysis of the domain showed that it was registered in November 2018 and last updated on July 24, 2019, with hosting provided by a Lithuanian provider.
- The server timestamps on the lists of validated email addresses used in this campaign also indicated that the lists are still being updated on a daily basis.
“Further examination of the domains included in the validated email addresses points to a phishing campaign at least initially targeting a spectrum of industry verticals, including financial, insurance, medical, telecom, and energy,” researchers said in a blog.
Organizations using Microsoft Office 365 should implement the following measures to stay protected against such phishing campaigns:
- Organizations should enable multi-factor authentication via Office 365 or a third-party solution for all employees.
- Organizations should provide phishing awareness training programs for employees to identify and report phishing attempts.