How Attackers Can Harvest Users’ Microsoft 365 Credentials with New Phishing Campaign

In this blog post, Rapid7’s Managed Detection and Response (MDR) services team describes a phishing campaign that uses a novel technique: scraping an organization’s branded Microsoft 365 tenant login page to produce a highly convincing credential-harvesting page. This blog post was co-authored by Lonnie Best and Andrew Christian.


In mid-July 2019, Rapid7’s MDR service responded to a phishing attack against several users in a customer environment. The phishing emails that led to the initial investigation appeared as follows:



What initially looked like a routine phishing attempt quickly proved to be highly targeted. Typical credential-phishing attacks against Microsoft Office 365 users rely on fake “login” pages that carry generic Office 365 images and logos, often loaded directly from Microsoft hosting. The login page in this case was also hosted on legitimate Microsoft infrastructure (on the blob.core.windows[.]net and azurewebsites[.]net domains, which has become common in recent phishing campaigns), but its background image and banner logo matched those of the target organization’s own Office 365 tenant login page (not reproduced here for confidentiality reasons). A user landing on the page therefore saw exactly the branding they were used to from their own sign-in experience.


Rapid7 MDR analysts identified calls to the domain xeroxprofessionalsbusiness[.]vip during the phishing routine. These calls appeared to check the targeted user against a predetermined list, which led us to examine the attacker’s infrastructure further. There we found a directory listing of PHP files and matching text files, numbered in ascending order from 1 through 10 (chekeml#.php and valid#.txt, where # is a number between 1 and 10). On July 17, 2019, the number of chekeml#.php and valid#.txt file pairs increased from 10 to 20, indicating that the attacker was still building out the campaign.
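The indicators above (fake pages hosted on *.blob.core.windows.net and *.azurewebsites.net, calls to xeroxprofessionalsbusiness[.]vip, and the chekeml#.php / valid#.txt file naming) are enough to hunt for this campaign in web-proxy logs. The following is an added example, not Rapid7’s code or tooling: it runs those indicators as rules over constructed sample log lines and separates the highest-confidence signal (a form POST to an Azure-hosted page that is not a Microsoft sign-in endpoint) from weaker leads. The log format, the sample lines, the list of legitimate sign-in hosts, and the “login-like path” word list are assumptions for this example.

```python
"""Hunt for the campaign's indicators in web-proxy logs.

Added example, not Rapid7's code. Indicators taken from the post:
  - credential pages hosted on *.blob.core.windows.net / *.azurewebsites.net
  - calls to xeroxprofessionalsbusiness[.]vip during the phishing routine
  - attacker files named chekeml<N>.php / valid<N>.txt
The log format, the sample lines, LEGIT_LOGIN_HOSTS and LOGIN_PATH_RE are
assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2019-07-16T09:12:01Z alice GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc 200
2019-07-16T09:14:22Z bob GET https://brandedlogin.blob.core.windows.net/login/index.html 200
2019-07-16T09:14:23Z bob GET https://xeroxprofessionalsbusiness.vip/chekeml3.php?e=bob@example.com 200
2019-07-16T09:14:40Z bob POST https://brandedlogin.azurewebsites.net/auth/post.php 302
2019-07-16T09:20:05Z carol GET https://xeroxprofessionalsbusiness.vip/valid3.txt 200
2019-07-16T09:31:11Z dave GET https://docs.example.com/report.pdf 200
"""

IOC_DOMAINS = {"xeroxprofessionalsbusiness.vip"}  # from the post
# Microsoft-hosted services the post says were abused for the fake pages.
ABUSABLE_SUFFIXES = (".blob.core.windows.net", ".azurewebsites.net")
# Assumption: the legitimate Office 365 sign-in endpoints. A credential POST
# to any other Azure-hosted name is treated as suspicious.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# File naming observed on the attacker's server (chekeml1.php .. valid20.txt).
ATTACKER_FILE_RE = re.compile(r"/(?:chekeml|valid)\d+\.(?:php|txt)$")
# Assumption: path words that suggest a sign-in page.
LOGIN_PATH_RE = re.compile(r"login|signin|auth|office|o365", re.IGNORECASE)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    url: str


def analyze_line(line: str) -> List[Finding]:
    """Apply every rule to one log line; return all matches (possibly none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    user, method, url = m.group("user"), m.group("method"), m.group("url")
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings: List[Finding] = []
    if host in IOC_DOMAINS:
        findings.append(Finding(user, "known-ioc-domain", url))
    if ATTACKER_FILE_RE.search(parts.path):
        findings.append(Finding(user, "attacker-file-pattern", url))
    if host.endswith(ABUSABLE_SUFFIXES) and host not in LEGIT_LOGIN_HOSTS:
        if method == "POST":
            # A form POST to a non-Microsoft sign-in host is where harvested
            # credentials would go, so this is the highest-confidence signal.
            findings.append(Finding(user, "credential-post-to-azure-hosted-page", url))
        elif LOGIN_PATH_RE.search(parts.path):
            findings.append(Finding(user, "login-lookalike-on-azure-hosting", url))
    return findings


def hunt(log_text: str) -> List[Finding]:
    """Run analyze_line over every non-empty line of a log."""
    return [f for line in log_text.splitlines() if line for f in analyze_line(line)]


def rules_by_user(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group the rule names that fired per user, for triage."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.user, set()).add(f.rule)
    return out


def users_to_reset(findings: List[Finding]) -> Set[str]:
    """Users who submitted a form to the fake page: reset password, revoke sessions."""
    return {f.user for f in findings if f.rule == "credential-post-to-azure-hosted-page"}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.user:6} {f.rule:40} {f.url}")
    print("reset:", sorted(users_to_reset(results)))
```

On the sample data only bob reaches the credential-POST rule, while carol only touched the attacker's domain and would be a candidate for a phishing awareness follow-up rather than an immediate reset. Because many legitimate applications live on azurewebsites.net and blob storage, treat the login-lookalike rule as a hunting lead to review, not a blocking signature; the known-IOC and file-pattern rules are specific to this campaign and can be alerted on directly.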



The ..
