Phishing Attacks Scrape Branded Microsoft 365 Login Pages


An unusual new phishing campaign is probing email inboxes via attacks using the targets' company-branded Microsoft 365 tenant login pages to add more legitimacy to the scam.


The attackers are also using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, a common tactic used by phishers to trick their targets into thinking that they're seeing an official Microsoft login page.


Hosting their phishing pages on the Azure Blob Storage object storage solution [12] lets the attackers take advantage of the fact that the pages are automatically served over HTTPS with an SSL certificate from Microsoft.


This makes this hosting method ideal for directly targeting users of Microsoft services and trying to steal their Office 365, Azure AD, Outlook, and Microsoft account credentials using highly convincing Microsoft login pages.
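Because the certificate on such a page is issued to Microsoft, the check that separates it from a real sign-in page is the hostname, not the padlock. The following sketch is an added example, not code from the article or from Rapid7; it assumes the well-known Azure DNS suffixes and Microsoft sign-in hosts (none of which are listed in the article) and a constructed five-field proxy log format.

```python
from urllib.parse import urlsplit

# Hosts Microsoft itself uses for sign-in (assumption: well-known, not exhaustive).
MICROSOFT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# DNS suffixes under which any Azure customer can publish content.
AZURE_CUSTOMER_SUFFIXES = (
    ".blob.core.windows.net",  # Azure Blob Storage
    ".web.core.windows.net",   # Blob Storage static website endpoint
    ".azurewebsites.net",      # Azure Web Sites
)

# Constructed sample: timestamp, user, method, URL, response content type.
SAMPLE_PROXY_LOG = """\
2024-01-01T09:14:02Z alice GET https://login.microsoftonline.com/common/oauth2/authorize text/html
2024-01-01T09:15:40Z bob GET https://examplestore01.blob.core.windows.net/docs/index.html text/html
2024-01-01T09:16:05Z carol GET https://examplestore02.blob.core.windows.net/img/logo.png image/png
2024-01-01T09:17:31Z dave GET https://example-portal.azurewebsites.net/ text/html
2024-01-01T09:18:12Z erin GET https://blob.core.windows.net.example.org/login.html text/html
"""

def normalized_host(url):
    """Lower-cased hostname without port or trailing dot ('' if none)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify_host(url):
    host = normalized_host(url)
    if host in MICROSOFT_SIGNIN_HOSTS:
        return "microsoft-signin"
    # Match on the end of the hostname only, so a lookalike such as
    # blob.core.windows.net.example.org is not treated as Azure-hosted.
    if host.endswith(AZURE_CUSTOMER_SUFFIXES):
        return "azure-customer-hosted"
    return "other"

def find_review_candidates(log_text, known_hosts=frozenset()):
    """Return (user, url) for HTML pages served from customer-controlled
    Azure hosting, skipping hosts the organization already knows it uses."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, user, _method, url, content_type = fields
        if (classify_host(url) == "azure-customer-hosted"
                and content_type == "text/html"
                and normalized_host(url) not in known_hosts):
            hits.append((user, url))
    return hits
```

Plenty of legitimate applications live under these suffixes, so the result is a list to review against known business use, not a block list.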


Automated scraping of company-branded resources


"[The campaign] utilizes a novel method of scraping organizations’ branded Microsoft 365 tenant login pages to produce highly convincing credential harvesting pages," detail researchers from Rapid7’s Managed Detection and Response (MDR) services team.


They spotted the coordinated phishing attacks in mid-July while analyzing an incident affecting one of their customers, and discovered that the threat actors behind them go the extra mile by adding an automated email check for each of the potential targets.



Phishing email sample

The potential victims' emails are checked against huge lists of validated email addresses before redirecting them to the phishing forms, which allows the crooks to scrape their targets' company-branded tenant login pages containing custom backgrounds and banner logos, and have them "dynamically inserted into the phishing la ..