Found in Environments Protected By:
Microsoft EOP and Proofpoint
By Jurielle Taca and Aloha Masbate, Cofense Phishing Defense Center
Threat actors have taken phishing to the next level by weaponizing custom Microsoft 365 applications to request sensitive information from users. This campaign uses a fake Microsoft password request email with an embedded link that presents the victim with a legitimate Microsoft 365 login page, but that is only the bait. Signing in on the legitimate page leads to a prompt granting permissions to a custom Microsoft 365 application that the threat actor controls. Once the user has passed through that custom application, they are redirected to the actual credential phishing page.
The Cofense Phishing Defense Center (PDC) has discovered a phishing campaign that victimizes Microsoft users. This attack enables threat actors to harvest Microsoft user credentials by luring users in through a legitimate Microsoft URL as the entry point.
Figure 1: Email Body
As shown in Figure 1, the attack begins with a suspicious email disguised as an Office 365 password reset request. The sender’s email address (staffupdates@safaricom.co.ke) does not match a real Microsoft domain. Furthermore, the sender’s display name and the subject line contain gibberish characters and misspellings. Notably, the email contains a link that leads to a legitimate Microsoft login page.
Figure 2: Legitimate Microsoft Login Page
At this point, the user is taken to a legitimate Microsoft authentication page, which makes the phishing attack more convincing. This differs from typical phishing campaigns, in which a fake Microsoft login page appears as soon as the URL in the email body is clicked.
Figure 3: A permission request from “Adobe Drive X”, a custom Microsoft 365 application controlled by the threat actor
After successfully authenticating, the user is prompted to grant permission to an application called “Adobe Drive X”. This is where the attack takes shape, disguising itself as a legitimate request from an Adobe product. The threat actor takes advantage of the user’s familiarity with both Microsoft and Adobe to make the phishing attack seem legitimate. The details shown state that the application will have access to the user’s email address and basic profile information, and the user can choose either “Accept” or “Cancel”. Whichever option the user selects, they are then redirected to a credential phishing page disguised as a fake Microsoft login page.
Figure 4: Phishing Page – Fake Microsoft Login
As seen in Figure 4, this credential phishing page is not hosted on a Microsoft domain (hxxps[:]//office[.]firmablesecuredirectory[.]com). The threat actor likely placed this credential phishing attempt after a legitimate Microsoft 365 login page to catch users off guard. Less vigilant users might not verify the URL of the second login page and become victims of the credential phishing attack.
Figure 5: URL Analysis using Google Chrome Developer Tools
Upon inspecting the network activity, the team confirmed the malicious chain behind the original login page: a malicious URL (hxxps[:]//fancy-bush-61e9sydgsyi29s[.]jennifer-may[.]workers[.]dev) is embedded within the HTTP response, as illustrated in Figure 5. Visiting that URL redirects the user back to the same fake Microsoft login page shown in Figure 4.
Conclusion
In conclusion, threat actors continuously adapt to bypass security measures and even use legitimate services to deliver cyber-attacks. Phishing campaigns will continue to be deceptive and trick users into revealing sensitive information. It is crucial to remain vigilant and verify the authenticity of any unsolicited communications to protect against such threats.
| Indicators of Compromise | IP |
|---|---|
| hxxps[:]//office[.]firmablesecuredirectory[.]com/Zgzafzgx | 172.67.169.30 |
| hxxps[:]//react[.]firmablesecuredirectory[.]com/login | 172.67.169.30 |
| hxxps[:]//ywnjb[.]firmablesecuredirectory[.]com/Me[.]htm?v=3 | 172.67.169.30 |
| hxxps[:]//fancy-bush-61e9sydgsyi29s[.]jennifer-may[.]workers[.]dev | 104.21.27.106 |
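The two places a defender can catch this chain are the consent step (a Microsoft authorize link whose application redirects somewhere off-tenant and asks for email and profile scopes) and the later requests to the attacker's domains in the table above. The script below is an added triage example, not Cofense's tooling or any code from the campaign. It parses the standard Microsoft identity platform authorize URL format, flags the redirect_uri and scopes, and then scans constructed proxy log lines for the indicators listed above. The trusted-domain allowlist, the client_id placeholder and the sample links and log lines are assumptions made for the example; the real parameters of the campaign's link are not in the post.

```python
"""Triage helper for OAuth consent-phishing links and IoC hunting.

Added example (not Cofense's code). Assumptions: links use the standard
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize format,
proxy log lines are "<timestamp> <user> <url>", and the organisation's own
redirect targets live on the domains in TRUSTED_REDIRECT_DOMAINS.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: domains where the tenant's own applications legitimately redirect.
TRUSTED_REDIRECT_DOMAINS = {"login.microsoftonline.com", "example-corp.com"}

# Scopes matching the consent screen in the post (email address + basic profile).
PROFILE_SCOPES = {"openid", "email", "profile", "user.read"}

# Hosts taken from the post's Indicators of Compromise table (defanging removed).
IOC_HOSTS = {
    "office.firmablesecuredirectory.com",
    "react.firmablesecuredirectory.com",
    "ywnjb.firmablesecuredirectory.com",
    "fancy-bush-61e9sydgsyi29s.jennifer-may.workers.dev",
}

MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Constructed sample links. The client_id is a placeholder, not the real app's id.
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CONSENT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    f"?client_id={PLACEHOLDER_CLIENT_ID}&response_type=code"
    "&redirect_uri=https%3A%2F%2Freact.firmablesecuredirectory.com%2Flogin"
    "&scope=openid%20email%20profile&prompt=consent"
)
SAMPLE_BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    f"?client_id={PLACEHOLDER_CLIENT_ID}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample-corp.com%2Fauth%2Fcallback&scope=openid"
)

# Constructed proxy log lines: "<timestamp> <user> <url>".
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z alice " + SAMPLE_CONSENT_LINK,
    "2024-05-02T09:14:21Z alice https://react.firmablesecuredirectory.com/login",
    "2024-05-02T09:14:25Z alice https://office.firmablesecuredirectory.com/Zgzafzgx",
    "2024-05-02T09:15:02Z bob https://www.microsoft.com/",
    "2024-05-02T09:16:40Z carol https://fancy-bush-61e9sydgsyi29s.jennifer-may.workers.dev/",
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def matches_ioc(host):
    """True if host equals or is a subdomain of a listed indicator."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def analyze_authorize_url(url):
    """Extract app, scopes and redirect target from a Microsoft authorize link and flag it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    result = {"is_authorize": False, "client_id": None, "scopes": set(),
              "redirect_host": None, "findings": [], "verdict": "not_an_authorize_url"}
    if host not in MS_LOGIN_HOSTS or "authorize" not in parsed.path:
        return result
    q = parse_qs(parsed.query)  # decodes percent-encoded redirect_uri and scope
    result["is_authorize"] = True
    result["client_id"] = q.get("client_id", [None])[0]
    result["scopes"] = set(q.get("scope", [""])[0].lower().split())
    rhost = host_of(q.get("redirect_uri", [""])[0])
    result["redirect_host"] = rhost or None
    if rhost and not is_trusted(rhost):
        result["findings"].append("untrusted_redirect_uri")
    if rhost and matches_ioc(rhost):
        result["findings"].append("redirect_uri_matches_ioc")
    if result["scopes"] & PROFILE_SCOPES:
        result["findings"].append("profile_scopes_requested")
    if q.get("prompt", [""])[0] == "consent":
        result["findings"].append("forced_consent_prompt")
    high = {"untrusted_redirect_uri", "redirect_uri_matches_ioc"}
    result["verdict"] = "high" if high & set(result["findings"]) else "low"
    return result


def scan_proxy_log(lines):
    """Return (line_number, user, host) for every request to an IoC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        h = host_of(parts[2])
        if matches_ioc(h):
            hits.append((n, parts[1], h))
    return hits


if __name__ == "__main__":
    print(analyze_authorize_url(SAMPLE_CONSENT_LINK))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IoC hit:", hit)
```

A "high" verdict on the consent link is the point to act on: if the user clicked "Accept", the attacker's application holds a consent grant for the user's profile and email scopes that survives a password reset, so remediation should also review and revoke that application's consent in the tenant, not only reset the credentials entered on the fake page.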
All third-party trademarks referenced by Cofense, whether in logo form, name form, product form, or otherwise, remain the property of their respective holders, and the use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.