Aug 16, 2020
Vairav Technology has uncovered a Microsoft Office 365 phishing campaign that uses spoofed email addresses and has targeted more than 600 organizations worldwide.
We have been monitoring cyber threats involving Nepal, both Nepali organizations targeted by phishing email and Nepali domains used to host phishing sites. This time we have discovered a massive phishing campaign targeting not only Nepali banking and finance institutions but also Fortune 500 companies, government agencies and financial institutions all over the world.
In this blog, we explore the ongoing phishing campaign that has been targeting Microsoft Office 365 users.
Before diving into the details about the phishing campaign, it is important to note two things.
First, although this recent version of this stealth campaign targeted corporate and large financial users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud service providers. Second, this attack is not a new type of attack, but it is a massive campaign.
Still, this phishing technique is worth highlighting because the resulting compromise is quite persistent and sophisticated, and it seems likely that we will see this type of approach exploited more frequently in the future.
The email was crafted as a password reset notice for Office 365, with the email link pointing to a spoofed, company-specific Office 365 sign-in page that appeared so realistic that users would be trapped and ultimately have their credentials stolen.
Our analysis showed that the malicious URL embedded in the email redirected to multiple phishing pages (please find the page links in the IOC section) with a Microsoft Office 365 theme.
Initially, the phishing page shows an “Incorrect Password” alert; re-entering the password then redirects to the official Microsoft Office website, whose address is passed base64-encoded. The messages are base64-encoded and decode to basic information.
Retrieving the headers of the crafted links, we get status code 302, which indicates that the requested resource has been temporarily moved to the URL given by the Location header. This is achieved by poisoning the .htaccess configuration file on the Apache web server, which is in fact a popular technique for phishing targets. In this case:
[removed] / //hXXps://mgwproductions.com/meh/?08909598527009&email=/
Moreover, submitting the IP address to VirusTotal reveals 180 domains (so far) related to that IP address that follow a familiar pattern: the signature letters ‘sg’ in front of the targeted organization’s name.
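To make the two indicators above usable for triage, here is an added example (not code from the original post or from Vairav Technology) that scans a list of URLs for the ‘sg’-prefixed organization subdomain and for base64-encoded query values that decode to a victim email address or a redirect URL. The watched organization names, hostnames and sample URLs are constructed placeholders, not real indicators from the campaign.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Organisation names a defender wants to watch for in "sg<org>" subdomains (assumed list).
WATCHED_ORGS = ("example-bank", "acme")

# Constructed sample URLs in the shape the post describes; hosts are placeholders, not real IoCs.
VICTIM = "user@example-bank.example"
SAMPLE_URLS = [
    "https://sgexample-bank.compromised.example/meh/?08909598527009&email="
    + base64.b64encode(VICTIM.encode()).decode(),
    "https://sgacme.other.example/o365/?next="
    + base64.b64encode(b"https://www.office.com/").decode(),
    "https://www.example-bank.example/login?user=alice",
]

def decode_b64(value):
    """Return the decoded text if value is strict base64 UTF-8, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def classify_url(url, watched_orgs=WATCHED_ORGS):
    """Return the list of lure indicators found in one URL (empty list = nothing flagged)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Indicator 1: leftmost host label is "sg" followed by a watched organisation name.
    first_label = host.split(".")[0]
    for org in watched_orgs:
        if first_label == "sg" + org:
            findings.append("sg-prefixed subdomain for " + org)
    # Indicator 2: base64 query values that decode to an email address or a URL
    # (the pre-filled victim identity and the encoded post-login redirect described above).
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_b64(value)
        if decoded is None:
            continue
        if "@" in decoded:
            findings.append(f"base64 email in '{name}': {decoded}")
        elif decoded.startswith(("http://", "https://")):
            findings.append(f"base64 redirect in '{name}': {decoded}")
    return findings

def scan(urls=SAMPLE_URLS):
    """Map each URL to its findings, dropping URLs with none."""
    return {u: f for u in urls if (f := classify_url(u))}
```

Feed `scan()` the URLs extracted from proxy or mail-gateway logs; a hit on both indicators for one URL is a strong sign of this lure style.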
We have recorded 600+ redirecting subdomains on 42 compromised websites, targeting companies such as Nestle, Microsoft and Coca-Cola and many others across government agencies, F&B, health technology, financial technology, banking and financial institutions, consumer products, medical device manufacturing, county councils, IT service providers, oil and gas, media, e-commerce, a national laboratory (nuclear energy research and development), business process outsourcing, media houses and education technology.
Hunting down the compromised websites, we also found an opendir (open directory) containing a .zip file that is in fact the phish kit. The kit includes a mass-mailer web application written in PHP that is suspected to have been used in this campaign.
Since the campaign is ongoing, targets multiple organizations and relies on compromised websites, the IP addresses and URLs in the following indicators of compromise should be blocked in order to minimize the impact of these malicious actors’ phishing campaigns.