New phishing campaign targets Microsoft Office 365, Azure AD, and Outlook credentials


Scammers create highly convincing harvesting pages by scraping organizations’ branded Microsoft 365 tenant login pages.
Operators behind the phishing scam are using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages.

What’s the matter?


Researchers from Rapid7 observed a new phishing attack campaign that uses fake Microsoft login pages to harvest Microsoft users’ Office 365, Azure AD, and Outlook account credentials.


The big picture


Operators behind the phishing scam are using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, so that targets believe they have been redirected to a genuine Microsoft login page.


Hosting the phishing pages on Azure Blob Storage object storage also means they are automatically served over HTTPS with an SSL certificate from Microsoft, which lends the pages further credibility.


Researchers noted that these scammers create highly convincing harvesting pages by scraping organizations’ branded Microsoft 365 tenant login pages.
This lets the crooks add the target company’s logo and branded background to their phishing landing pages.
The attackers also add an automated email check for the organization’s users:
a potential target's email address is checked against huge lists of validated email addresses before the victim is redirected to the phishing form.
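As an added example (not code from the article or from Rapid7), the following Python triage routine shows how a defender might flag proxy-log URLs that combine the two traits described above: a page hosted on Microsoft cloud storage rather than on Microsoft's real sign-in hosts, and a storage-account name, path or query that imitates an Office 365 sign-in. The hostname suffixes, the allowlist and the log records are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Microsoft cloud hosting suffixes the campaign abuses for landing pages
# (Azure Blob Storage and Azure Web Sites); assumed list, tune per environment.
ABUSED_HOST_SUFFIXES = (".blob.core.windows.net", ".web.core.windows.net",
                        ".azurewebsites.net")
# Hosts where a Microsoft credential prompt is expected; illustrative only.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Words in the attacker-chosen site name, path or query that imitate sign-in.
LOGIN_HINTS = ("login", "signin", "office365", "o365", "outlook", "owa", "microsoft")

def classify_url(url: str) -> str:
    """Return 'legit', 'suspect', 'cloud' or 'other' for a single URL."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    if host in LEGIT_LOGIN_HOSTS:
        return "legit"
    suffix = next((s for s in ABUSED_HOST_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        return "other"
    # The storage-account / site name is attacker-chosen, so inspect it too.
    text = host[:-len(suffix)] + p.path.lower() + "?" + p.query.lower()
    return "suspect" if any(h in text for h in LOGIN_HINTS) else "cloud"

def scan_proxy_log(lines):
    """Return (client, url) pairs for records that look like lures.
    Assumed record layout: <timestamp> <client_ip> <url>."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed record
        client, url = parts[1], parts[2]
        if classify_url(url) == "suspect":
            hits.append((client, url))
    return hits

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
2019-08-01T10:01:03Z 10.0.0.7 https://login.microsoftonline.com/common/oauth2/authorize
2019-08-01T10:01:09Z 10.0.0.7 https://examplestore.blob.core.windows.net/office365/login.html
2019-08-01T10:02:11Z 10.0.0.9 https://cdnassets.blob.core.windows.net/images/logo.png
2019-08-01T10:03:40Z 10.0.0.9 https://o365-signin.azurewebsites.net/index.html
"""

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}")
```

Legitimate business use of Azure storage (the `logo.png` record) is classified as `cloud`, not `suspect`, so the hint list is what controls the false-positive rate.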

Ongoing campaign


If the target organization does not have a custom branded tenant page, the scammers fall back on a phishing kit that uses the default Office 365 background image.


Researchers uncovered that one such phishing kit is still hosted on the xeroxprofessionalsbusiness[.]vip domain.
Analysis of the domain showed that it was registered in November 2018 and updated on July 24, 2019, with hosting provided by a Lithuanian provider.
The server timestamps for the lists of validated e ..
