Spot the fake: copies of victim's corporate Microsoft 365 page used in attacks

News by Rene Millman

Azure Blob Storage and Azure Web Sites misused by scammers to create semi-targeted and rather convincing credential harvesting pages tailored to the victim's organisation

A new phishing campaign has been discovered that copies a victim’s company’s Microsoft 365 page and uses Microsoft's Azure Blob Storage and Microsoft Azure Web Sites to trick users into revealing personal information.

According to researchers at Rapid7, such attack styles have been growing in popularity. Hosting on Azure means that phishers automatically get their pages served under a Microsoft-issued certificate, which makes the page seem more legitimate to users, who are then more likely to hand over their Microsoft account credentials.

In a blog post, researchers Lonnie Best and Andrew Christian said that the method of scraping organisations’ branded Microsoft 365 tenant login pages produced highly convincing credential harvesting pages.

The campaign was first spotted in mid-July. During the phishing routine it made calls to the domain xeroxprofessionalsbusiness[.]vip, apparently to check the targeted user against a predetermined list, which led to further examination of the attacker's infrastructure.

"Further examination of the domains included in the validated email addresses points to a phishing campaign at least initially targeting a spectrum of industry verticals, including financial, insurance, medical, telecom, and energy," said researchers.

"This put a dent in the initial speculation that the phishing emails were highly targeted, but led analysts to discover a seemingly new tactic in use by the attackers."

The page's background image was generated by submitting the phished user's account to /api/back.php.

"This combines to create a semi-targeted and rather convincing credential harvesting page tailored to the user’s organisation. In the case that a validated organisation does not have a custom branded tenant page, the phishing kit is designed to utilise the default Office 365 background image," said researchers.

Researchers urged organisations to implement multi-factor authentication (either through Office 365 directly or via a third-party solution) and to run structured user phishing awareness training programmes that equip users to spot and report phishing attempts.

Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that there is an assumption amongst businesses that a cloud storage provider will provide all of the necessary security protection for the cloud-hosted services.

"Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups and maintenance as traditional infrastructure. Management access controls, multi-factor authentication, data encryption, backups and SOC monitoring of these platforms can sometimes be lacking, or not enabled or included as standard," he said.

Gemma Allen, cloud security solutions architect at Barracuda Networks, told SC Media UK that it's not a case of the phishers "stealing" other users' Azure Websites or Cloud Storage access. It's a case of the phishers legitimately purchasing that feature from Microsoft and then using it to try to trick people.

"If you choose to deliver some of your web sites via Azure or provide your content from cloud based storage, make sure you utilise the features of Azure that allow you to use 'custom domains'," she said.

"If your users are trained to understand that your company will never link to anything not on the 'company.com' domain, then they are likely to spot these phishing attempts once educated on how to. Don't be tempted to take the default options offered by Azure because they are 'easier'/'quicker', as this will slowly train your users to think anything ending in 'azure.websites.com' or 'windows.net' is okay; spend the extra time and money enabling the features to make it easy for your customers or users to spot illegitimate emails.

"For example, Microsoft provide features to ensure your storage, websites or Azure AD uses 'your' domain name."
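As an added defender-side example (not code from the Rapid7 researchers or the article's author), a small link triage script in Python applies the "only our domain" rule described above: links on the organisation's own domain pass, links on Azure default hosting suffixes are flagged, and flagged links whose path looks like a sign-in page are ranked first. The domain company.com, the suffix list, the login hints and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Constructed policy inputs for the example; replace with your own.
ORG_DOMAIN = "company.com"                      # the only domain your mail should link to
# Default Azure hosting suffixes anyone can obtain without owning a custom domain (assumed list).
AZURE_DEFAULT_SUFFIXES = (
    "blob.core.windows.net",    # Azure Blob Storage
    "web.core.windows.net",     # Azure Storage static websites
    "azurewebsites.net",        # Azure Web Sites / App Service
)
# Path fragments typical of Microsoft 365 sign-in lookalikes (assumed heuristics).
LOGIN_HINTS = ("login", "signin", "office365", "o365", "microsoft")

def host_matches(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (never a bare substring match)."""
    return host == suffix or host.endswith("." + suffix)

def classify_link(url: str) -> str:
    """Classify one link from an inbound email under the 'only our domain' policy.
    Returns 'allowed', 'azure-default', 'azure-default-login' or 'external'."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if host_matches(host, ORG_DOMAIN):
        return "allowed"
    if any(host_matches(host, s) for s in AZURE_DEFAULT_SUFFIXES):
        path = parsed.path.lower()
        if any(hint in path for hint in LOGIN_HINTS):
            return "azure-default-login"
        return "azure-default"
    return "external"

def triage(urls):
    """Return (url, verdict) pairs for links that deserve analyst attention, worst first."""
    order = {"azure-default-login": 0, "azure-default": 1, "external": 2}
    flagged = [(u, classify_link(u)) for u in urls]
    flagged = [f for f in flagged if f[1] != "allowed"]
    return sorted(flagged, key=lambda f: order[f[1]])

# Constructed sample links, not taken from the campaign.
SAMPLE_LINKS = [
    "https://portal.company.com/sso",
    "https://acmecorp.blob.core.windows.net/public/office365/index.html",
    "https://docs-share.azurewebsites.net/login.php?user=jane",
    "https://example.org/report.pdf",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:22} {url}")
```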
