Gone phishing: the significant attacks Microsoft saw in 2019

Gone phishing: the significant attacks Microsoft saw in 2019

The attacks all leveraged the cloud to do their dirty work

Credit: ID 38622618 © Weerapat Kiatdumrong |

Microsoft research has revealed what it claims are the three most notable phishing attack techniques employed in 2019, with an anti-malware researcher referring to one of the  attacks as taking “impersonation to the next level". Here's how the attacks worked.

In common to all three techniques were the abuse of legitimate cloud services, including those from Microsoft, Google and Amazon, according to a blog post by Patrick Estavillo, senior anti-malware researcher at Microsoft. 

The attacks were found through the studying of Office 365 ATP signals, which Microsoft use in an attempt to understand attacker activity. 

Search result hijacking 

The first notable phishing campaign Microsoft picked up on was the utilisation of Google search results links to point towards an attacker-controlled page, which then redirected to a phishing page. 

In order to create enough traffic to make the redirector page the top result for specific keywords, traffic generators were used.

By doing this, phishers could send phishing emails that contained legitimate URLs containing a trusted URL. Example URLs listed on the blog included:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

This was then combined with location-specific research results; European search results would lead to the redirector website c77684gq[.]beget[.]tech¸ which would then go to the phishing page, Meanwhile, non-European search results would turn up empty

This attack worked by ensuring c77684gq[.]beget[.]tech was the top result for the keyword “hOJoXatrCPy” from specific locations. To do this, the HTML code of the site contained a redirector script and anchor elements with the anchor elements designed to be crawled by search engines to establish results for the keyword, according to the blog.

Fake 404 pages

Another attack employed by fishers was the creation of custom 404 pages designed to look like the real Microsoft account log-in page.

As a non-existent URL for a website would generate a 404 page, Estavillo’s post claimed that phishers could generate a seemingly unlimited amount of random phishing URLs.

One example of this was to simply add a character at the end of a URL to create a second URL, both of which would direct users to the same phishing page. Examples of these included:

  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ
  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs

Other fake 404 URLs would include randomised domains, which would allow for the number of phishing URLs to increase “exponentially”. Examples of these included:

  • outlookloffice365usertcph4l3q[.]web[.]app
  • outlookloffice365userdqz75j6h[.]web[.]app
  • outlookloffice365usery6ykxo07[.]web[.]app 

Man-in-the-middle component

Impersonation is the key to phishing, and in Microsoft’s third noticeable example, Estavillo’s post claimed that phishers “took impersonation to the next level".

“Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site,” he said.

This attack worked by phishers sending out emails with a URL pointing to an attack-controlled server, being the man-in-the-middle component, which pretended to act like Microsoft’s log-in pages.

The server was able to identify user-specific information based on the email address, which included their company, and then located information specific to the particular company.

Much like a typical log-on experience, the one URL was able to render differently for different users

“To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target’s victim company as identified by the domain information in the email address; the response is the URL for the company banner,” Estavillo wrote.

“The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company.

“To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image.”

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoft



Reseller News Platinum Club celebrates leading partners in 2019

Reseller News Platinum Club celebrates leading partners in 2019

The leading players of the New Zealand channel came together to celebrate a year of achievement at the annual Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months.

Reseller News Platinum Club celebrates leading partners in 2019
Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosted its second annual alumnae breakfast for the Women in ICT Awards in New Zealand, designed to showcase the leading female leaders in the industry. Held at The Cordis in Auckland, attendees came together to hear inspiring keynotes and panel discussions, alongside high-level networking among peers. Photos by Gino Demeer.

Reseller News hosts alumnae breakfast for Women in ICT Awards
Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Show Comments