Gone phishing: the significant attacks Microsoft saw in 2019

The attacks all leveraged the cloud to do their dirty work

Microsoft research has revealed what it claims are the three most notable phishing attack techniques employed in 2019, with an anti-malware researcher referring to one of the attacks as taking “impersonation to the next level”. Here's how the attacks worked.

Common to all three techniques was the abuse of legitimate cloud services, including those from Microsoft, Google and Amazon, according to a blog post by Patrick Estavillo, senior anti-malware researcher at Microsoft.

The attacks were found by studying Office 365 ATP signals, which Microsoft uses to understand attacker activity.

Search result hijacking 

The first notable phishing campaign Microsoft picked up on used Google search result links that pointed to an attacker-controlled page, which then redirected to a phishing page.

In order to create enough traffic to make the redirector page the top result for specific keywords, traffic generators were used.

By doing this, phishers could send phishing emails whose links pointed to a legitimate, trusted domain. Example URLs listed on the blog included:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

This was then combined with location-specific search results: European search results led to the redirector website c77684gq[.]beget[.]tech, which then forwarded to the phishing page. Meanwhile, non-European search results would turn up empty.

This attack worked by ensuring c77684gq[.]beget[.]tech was the top result for the keyword “hOJoXatrCPy” from specific locations. To do this, the site’s HTML contained a redirector script together with anchor elements designed to be crawled by search engines so that the site would rank for the keyword, according to the blog.
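
The links above are Google “I’m Feeling Lucky” searches: the `btnI` parameter asks Google to jump straight to the top result for the `q` keyword, which is why seeding the search ranking turns a trusted google.ru link into a redirector. The following is an added example, not code from the page or from Microsoft’s blog, showing how a mail-security pipeline can pick such links out of a message body and recover the seeded keyword for hunting. The function and constant names are the example’s own, the sample email body is constructed, and the only page-derived values are the two defanged google.ru links.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample email body: the two google.ru links are the ones listed on
# the page (defanged); the google.com search link is a benign control.
SAMPLE_EMAIL = """Your mailbox quota has been reached, review it here:
hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
Alternate link: hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E
Help: https://www.google.com/search?q=office+365+quota
"""

URL_RE = re.compile(r"(?:hxxps?|https?)://\S+")
GOOGLE_HOST_RE = re.compile(r"(?:www\.)?google\.[a-z.]{2,}")


def refang(url: str) -> str:
    """Turn the defanged form (hxxps, [.]) used in reports back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def lucky_keyword(url: str):
    """Return the search keyword if `url` is a Google 'I'm Feeling Lucky' link, else None.

    btnI is Google's 'I'm Feeling Lucky' parameter. A normal link carries it in the
    query string; the observed samples put it in the fragment (after '#'), which the
    browser never sends to the server, so both locations are checked.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST_RE.fullmatch(host):
        return None
    for section in (parts.query, parts.fragment):
        params = parse_qs(section, keep_blank_values=True)  # also percent-decodes
        if "btnI" in params and params.get("q"):
            # The samples wrap the keyword in <a>...</a>; strip any such tags.
            return re.sub(r"<[^>]*>", "", params["q"][0]).strip()
    return None


def scan_email(body: str):
    """List (url, keyword) pairs for every Lucky-redirect link found in an email body."""
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")
        keyword = lucky_keyword(url)
        if keyword is not None:
            hits.append((url, keyword))
    return hits


if __name__ == "__main__":
    for url, keyword in scan_email(SAMPLE_EMAIL):
        print(f"lucky-redirect link -> seeded keyword {keyword!r}: {url}")
```

The recovered keyword is the useful artefact: it is the string the attacker seeded into search results, so it can be searched for in other mail and in web proxy logs to find sibling lures that use a different Google country domain.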

Fake 404 pages

Another attack employed by phishers was the creation of custom 404 pages designed to look like the real Microsoft account log-in page.

Because any non-existent URL on such a site would serve that 404 page, Estavillo’s post claimed that phishers could generate a seemingly unlimited number of random phishing URLs.

One example of this was simply adding a character at the end of a URL to create a second URL; both would direct users to the same phishing page. Examples of these included:

  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ
  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs

Other fake 404 URLs would include randomised domains, which would allow for the number of phishing URLs to increase “exponentially”. Examples of these included:

  • outlookloffice365usertcph4l3q[.]web[.]app
  • outlookloffice365userdqz75j6h[.]web[.]app
  • outlookloffice365usery6ykxo07[.]web[.]app 
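
Because the server ignores the trailing character and the fragment, and because the domain prefix is randomised, blocking individual URLs from this campaign is futile; the defender’s job is to collapse the variants into the few underlying lures. The following is an added example, not code from the page or from Microsoft’s blog, that normalises the page’s sample URLs into cluster keys (fragment dropped, random suffix collapsed) and flags brand names hosted on a free hosting suffix. The brand list, the `web.app` hosting suffix, the randomness heuristic and all function names are the example’s own assumptions; the sample list is the page’s five indicators with a scheme prepended, plus one legitimate control URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed brand strings the page's samples impersonate and the free hosting
# suffix they sit on (web.app is Firebase Hosting).
BRANDS = ("office365", "outlook", "skype", "microsoft")
FREE_HOSTING_SUFFIXES = ("web.app",)

# Constructed sample set: the page's indicators (scheme prepended to the bare
# hostnames) plus one legitimate Microsoft URL as a control.
SAMPLE_URLS = [
    "hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ",
    "hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs",
    "hxxps://outlookloffice365usertcph4l3q[.]web[.]app",
    "hxxps://outlookloffice365userdqz75j6h[.]web[.]app",
    "hxxps://outlookloffice365usery6ykxo07[.]web[.]app",
    "https://outlook.office365.com/mail/",
]


def refang(url: str) -> str:
    """Turn the defanged form (hxxps, [.]) used in reports back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def split_label(label: str):
    """Split a host label into (prefix up to the last brand keyword, remaining tail)."""
    cut = 0
    for brand in BRANDS:
        pos = label.rfind(brand)
        if pos >= 0:
            cut = max(cut, pos + len(brand))
    return label[:cut], label[cut:]


def looks_random(tail: str) -> bool:
    """Heuristic: a suffix of 6+ characters mixing letters and digits is treated as generated."""
    token = tail.strip("-")
    return len(token) >= 6 and any(c.isdigit() for c in token) and any(c.isalpha() for c in token)


def triage(url: str) -> dict:
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    first, _, parent = host.partition(".")
    prefix, tail = split_label(first)
    brand_hit = bool(prefix)
    random_tail = looks_random(tail)
    # Collapse the generated suffix so sibling domains share one key, and drop the
    # fragment: the browser never sends it, so it cannot change the page served.
    template_host = f"{prefix}*.{parent}" if brand_hit and random_tail else host
    return {
        "host": host,
        "cluster": template_host + (parts.path or "/"),
        "brand_on_free_hosting": brand_hit and parent.endswith(FREE_HOSTING_SUFFIXES),
        "random_tail": random_tail,
    }


def cluster(urls):
    """Group URLs by their normalised cluster key."""
    groups = defaultdict(list)
    for url in urls:
        groups[triage(url)["cluster"]].append(url)
    return dict(groups)


if __name__ == "__main__":
    for key, members in cluster(SAMPLE_URLS).items():
        flags = triage(members[0])
        print(f"{key}  members={len(members)}  brand_on_free_hosting={flags['brand_on_free_hosting']}")
```

On the page’s indicators this yields two phishing clusters (the skype-online8024 pair and the three outlookloffice365user* hosts) and leaves the real outlook.office365.com URL unflagged; the cluster key, rather than the individual URL, is what belongs in a block list or a hunting query.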

Man-in-the-middle component

Impersonation is the key to phishing, and in Microsoft’s third noticeable example, Estavillo’s post claimed that phishers “took impersonation to the next level”.

“Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site,” he said.

This attack worked by phishers sending out emails with a URL pointing to an attacker-controlled server (the man-in-the-middle component), which imitated Microsoft’s log-in pages.

The server identified user-specific information, including the user’s company, from the email address, and then retrieved information specific to that company.

Much like a typical log-on experience, a single URL was able to render differently for different users.

“To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target’s victim company as identified by the domain information in the email address; the response is the URL for the company banner,” Estavillo wrote.

“The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company.

“To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image.”

