[BreachExchange] Microsoft warns of a Widespread Phishing Campaign to Steal Login Credentials

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 30 09:16:30 EDT 2021


https://gbhackers.com/widespread-phishing-campaign/

Microsoft security researchers have reported a recently detected phishing
campaign, which they describe as widespread, that steals login credentials.

After detecting the campaign, the researchers began investigating and found
that it uses open redirector links embedded in email messages as its attack
vector.

The purpose of such links is to trick users into visiting malicious websites
while evading security software.

Credential phishing via open redirector links

The threat actors are after login credentials; credential phishing emails
remain a remarkably common way for attackers to gain a foothold in a
network.

This type of phishing continues to evolve as an aggressive attack vector
with one specific goal: harvesting user credentials.

This is not the first time Microsoft has encountered such attacks: according
to its 2020 Digital Defense Report, it blocked over 13 billion malicious and
suspicious emails, of which 1 billion were URL-based phishing threats.

Redirecting to phishing pages

When the user clicks one of the custom-built redirect links, they are sent
to a page on attacker-owned infrastructure. This page typically uses Google
reCAPTCHA, most likely to defeat attempts to dynamically browse and inspect
its contents.

The CAPTCHA also blocks some automated analysis systems from reaching the
actual phishing page built by the threat actors.

Once the user completes the CAPTCHA verification, they are shown a site that
imitates a legitimate service, such as Microsoft Office 365.

The site asks the user for their password, typically twice, and once it is
submitted the threat actors can enter the system.

The threat actors also send each recipient a unique URL whose PHP parameters
supply information that is rendered on the phishing page.
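A defender-side check for the redirect pattern described above, added here as an example and not part of the article or Microsoft's tooling: it parses a link, pulls out any absolute URL hidden in its query parameters (following nested redirect hops and tolerating an extra layer of percent-encoding), and flags links whose redirect target lands on a host other than the link's own. The hostnames in the samples are constructed placeholders, not indicators from the campaign.

```python
from urllib.parse import parse_qs, unquote, urlparse

def embedded_urls(url: str, max_depth: int = 3) -> list:
    """Return every absolute URL found inside the query parameters of `url`,
    following nested redirect hops (a trusted open redirector placed in front
    of an attacker page) up to `max_depth` levels. parse_qs() already decodes
    once; the extra unquote() tolerates values that were percent-encoded twice."""
    found, queue = [], [(url, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        for values in parse_qs(urlparse(current).query, keep_blank_values=True).values():
            for value in values:
                decoded = unquote(value)
                try:
                    inner = urlparse(decoded)
                except ValueError:  # e.g. an unbalanced '[' in the netloc
                    continue
                if inner.scheme in ("http", "https") and inner.hostname:
                    found.append(decoded)
                    queue.append((decoded, depth + 1))
    return found

def flag_open_redirect(url: str) -> dict:
    """Flag a link whose redirect parameter leads to a host other than the
    link's own host (or a subdomain of it). Returns the hosts seen, the host
    the user would finally land on, and a verdict."""
    outer = (urlparse(url).hostname or "").lower()
    hops = [(urlparse(u).hostname or "").lower() for u in embedded_urls(url)]
    foreign = [h for h in hops if h != outer and not h.endswith("." + outer)]
    return {"outer_host": outer, "redirect_hosts": hops,
            "final_host": hops[-1] if hops else outer, "suspicious": bool(foreign)}

# Constructed sample links with placeholder hosts (not indicators from the campaign).
SAMPLES = [
    # open redirect on a trusted service pointing at a look-alike login page
    "https://trusted-saas.example/redirect?url=https%3A%2F%2Flogin-verify.example%2Fo365%3Fid%3Dabc",
    # same redirector, but the target stays on the service's own subdomain
    "https://trusted-saas.example/redirect?url=https%3A%2F%2Fdocs.trusted-saas.example%2Fhelp",
    # two chained redirectors, the inner target percent-encoded a second time
    "https://mail.example/track?u=https%3A%2F%2Fhop.example%2Fr%3Fnext%3Dhttps%253A%252F%252Fbad.example%252F",
    # a relative `next` value never leaves the site
    "https://trusted-saas.example/login?next=%2Fhome",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(flag_open_redirect(link))
```

Running the block over mail-gateway URL logs would surface the off-site hops a mail filter might wave through because the outer host is a trusted service.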

Domains used

   - c-tl[.]xyz
   - a-cl[.]xyz
   - j-on[.]xyz
   - p-at[.]club
   - i-at[.]club
   - f-io[.]online

Characteristics of the domains used

   - Free email domains
   - Compromised legitimate domains
   - Domains ending in .co.jp
   - Attacker-owned DGA domains

Variety of ccTLDs used

   - de
   - com.mx
   - com.au
   - ca

Microsoft Defender for Office 365 protects against modern email threats

Microsoft's security analysts detected this threat, and Microsoft continues
to monitor it closely.

Because this type of attack can have a large impact on a network, Microsoft
has suggested mitigations against the exploitation of open redirector links
on known third-party platforms and services.

Microsoft also recommends applying the following Microsoft Defender for
Office 365 policies against this phishing attack:

   - Anti-phishing policies
   - Safe Links policies
   - Safe Attachments policies

They also recommend installing the Report Message add-in for Outlook, which
lets users report suspicious messages to their security teams and to
Microsoft.

Because this type of phishing campaign can severely disrupt network
services, users are advised to apply these recommendations and follow them
carefully.