
New Phishing Attack Mimics Microsoft 365 Authentication System


A recent phishing attack targeting users of the Microsoft 365 authentication system has been uncovered by email security and threat detection service provider, Vade. The attack involves the use of a harmful HTML attachment with JavaScript code, which is designed to collect the recipient’s email address and modify the page using data from a callback function’s variable.

Researchers from Vade’s Threat Intelligence and Response Center (TIRC) decoded a base64-encoded string related to Microsoft 365 phishing attacks when analyzing a malicious domain. They discovered that requests for phishing applications were being made to a domain called “eevilcorp[.]online.” The source code of the domain found through periodic-checker[.]glitch[.]me was similar to the HTML file attached in the phishing email, suggesting that the phishers are using glitch.me to host their malicious HTML pages.

Glitch.me is a platform that allows users to create and host web applications and websites. However, in this case, it is being exploited by cybercriminals to host domains involved in the ongoing Microsoft 365 phishing scam.

The attack starts when a victim receives an email with a malicious HTML file as an attachment. When the file is opened, a phishing page pretending to be a Microsoft 365 login page is launched in the victim’s web browser. On this deceptive page, the victim is prompted to enter their credentials, which are then collected by the attackers for malicious purposes.

The widespread adoption of Microsoft 365 in the business community makes it highly likely that the compromised accounts belong to corporate users. If the attackers gain access to these credentials, they could potentially acquire sensitive business and trade information.

Furthermore, Vade’s researchers have also discovered a phishing attack involving a spoofed version of Adobe. The malicious “eevilcorp” domain returns an authentication page related to an application called Hawkeye. It is important to note that the original Hawkeye keylogger has been classified as a malware kit that emerged in 2013, and subsequent versions have appeared over time. Although researchers were unable to establish a direct connection between the authentication page and the HawkEye keylogger, this information adds context to the attack.

The identified indicators of compromise in this attack include domains such as periodic-checker[.]glitch[.]me, scan-verified[.]glitch[.]me, transfer-with[.]glitch[.]me, air-dropped[.]glitch[.]me, precise-share[.]glitch[.]me, monthly-payment-invoice[.]glitch[.]me, monthly-report-check[.]glitch[.]me, eevilcorp[.]online, and ultimotempore[.]online.
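A triage check for the kind of HTML attachment described above, as an added example (not Vade's tooling and not code from the original article): it flags a password field and decodes base64 runs in the file to find destinations that match the indicators listed above. The function names and the sample attachment are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Indicators listed in the article, stored defanged and refanged only to match.
IOCS = {d.replace("[.]", ".") for d in (
    "periodic-checker[.]glitch[.]me scan-verified[.]glitch[.]me "
    "transfer-with[.]glitch[.]me air-dropped[.]glitch[.]me "
    "precise-share[.]glitch[.]me monthly-payment-invoice[.]glitch[.]me "
    "monthly-report-check[.]glitch[.]me eevilcorp[.]online "
    "ultimotempore[.]online").split()}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOST = re.compile(r"https?://(?:[^/\s\"'@]*@)?([a-z0-9.-]+)", re.I)


class PasswordFieldFinder(HTMLParser):
    """Sets .found when the document contains <input type="password">."""
    found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def hidden_hosts(text):
    """Hostnames of URLs written in clear or hidden inside base64 runs."""
    texts = [text]
    for run in B64_RUN.findall(text):
        try:
            texts.append(base64.b64decode(run, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text
    return {h.lower().rstrip(".") for t in texts for h in HOST.findall(t)}


def triage(html):
    """Report a credential field and any hosts matching the article's IoCs."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    hits = sorted(hidden_hosts(html) & IOCS)
    return {"password_field": finder.found, "ioc_hosts": hits}


def constructed_sample(host):
    """Constructed attachment: a password form plus a base64-hidden URL."""
    hidden = base64.b64encode(f"https://{host}/".encode()).decode()
    return ('<form><input type="email"><input type="password"></form>'
            f'<script>var dest = atob("{hidden}");</script>')
```

A match on `ioc_hosts` is only as current as the indicator list, so a password field combined with any base64-hidden destination is worth reviewing even when the list does not match.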

To prevent falling victim to a Microsoft 365 phishing scam, users are advised to exercise caution and follow these steps:

1. Check the email sender: Be wary of emails claiming to be from Microsoft 365 that are sent from suspicious or unfamiliar email addresses. Verify the sender’s email address to ensure it matches the official Microsoft domain.

2. Look for generic greetings: Phishing emails often use generic greetings like “Dear User” instead of addressing you by name. Legitimate Microsoft emails usually address you by your name or username.

3. Analyze email content and formatting: Pay attention to spelling and grammar mistakes, as well as poor formatting. Phishing emails often contain errors that legitimate communications from Microsoft would not have.

4. Hover over links: Before clicking on any links in the email, hover your mouse cursor over them to see the actual URL. If the link’s destination looks suspicious or differs from official Microsoft domains, do not click on it.

5. Be cautious of urgent requests: Phishing emails often create a sense of urgency, pressuring you to take immediate action. Beware of emails that claim your Microsoft 365 account is at risk or require urgent verification of personal information.

If you suspect an email to be a phishing scam, it’s best to err on the side of caution. Report any suspicious emails to Microsoft and avoid providing personal or sensitive information unless you can verify the legitimacy of the request through official channels.

In conclusion, this phishing attack targeting Microsoft 365 users highlights the importance of remaining vigilant and following the recommended security precautions. Cybercriminals are continuously evolving their tactics to deceive users, making it crucial for individuals and organizations to stay informed and take proactive measures to protect their sensitive information.
