This blog originally appeared in December 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.
In August, Area 1 Security researchers identified a Microsoft SharePoint phishing campaign that abused cloud computing services, such as Azure Web Sites, Google Storage, and Amazon Web Services, to host credential harvesters. Most recently, our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging new COVID-19 restrictions to steal victims’ login information.
While this new COVID-19 phishing campaign is incredibly widespread, Area 1 Security noted that a majority of the targets included upper-level management and executives. The attacker may be focusing the bulk of the attacks on these individuals in order to have a better chance of gaining access to sensitive information and potentially infiltrating the target network.
Just Another Work Email?
This new campaign deviates from the previous “Summer Bonus” Microsoft Office 365 phishing campaign by attempting to trick targets into thinking they missed an important update to COVID-19 procedures. As seen in Figure 1, the attacker states that a purported SharePoint-hosted document was sent a week prior, creating a sense of urgency in order to lure targets into clicking on the provided link.
Figure 1. SharePoint Phishing Email
The new COVID-19 campaign contains many of the same hallmarks as the previous bonus-themed phish, such as tailoring each message to include the target’s email and company name throughout the body of the message and in the spoofed sender address. However, this time around, the attacker improved upon their formatting to appear more convincing.
As with the previous PhishPoint campaign, the attacker continues to use Virtual Private Servers (VPS) to send their phishing messages. Area 1 Security researchers identified roughly 100 unique sender addresses associated with this “COVID Requirements” campaign. The attacker used three main VPS services - CrownCloud, HostWinds, and MGNHost.
The versatility of a VPS allows the attacker to remain anonymous and also provides the ability to continually pivot to new infrastructure as soon as a phishing domain or IP address is identified as malicious.
To a lesser extent, the attackers also sent the phishing messages through a leading transactional and marketing email provider, SendGrid. This company is known for their presence, experience and expertise in email delivery. As a result, SendGrid’s domain is commonly whitelisted. For this reason, threat actors will often launch their phishing campaigns by abusing reputable providers like this.
Not only that, but with SendGrid, the message will easily pass email authentication. This demonstrates just how DMARC fails at stopping phishing attacks.
The use of SendGrid is also a clever way to circumvent Secure Email Gateways (SEGs). SEGs that predominantly depend on email authentication and sender reputation (SPF, DKIM, DMARC) will completely miss these types of phishing attacks.
Analysis of Spoofed Microsoft Login Page
Disguised as a simple “Open” button, the link in the message body leads to a spoofed Microsoft login page hosted on various cloud computing platforms, including Amazon Web Services, Google’s Appspot engine, and Firebase. These top tier, widely-used cloud services provide attackers the perfect platform for hosting their malicious content, all the while flying under the radar of legacy vendor email security solutions.
An example link, hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#redacted@redacted.com, shown in the address bar in Figure 2, further demonstrates the targeted nature of the attacks. The redacted information in the URL contains the target’s company email address. To further add legitimacy, this spoofed site is nearly identical to the real Microsoft login page. The only discernible difference is the inclusion of the word “Outlook.”
Figure 2. Spoofed Microsoft Login Portal
Figure 3 shows a portion of the source code of the spoofed login page. This section of code consists of JavaScript that attempts to mimic the functionality of the legitimate Microsoft login page.
Figure 3. JavaScript of Spoofed Login Page
The code calls a custom function responsible for extracting the victim’s email from the URL and prepopulating it in the account username field. In this function the actor left a portion of commented code (presumably used by the developer of the code for testing purposes) as highlighted in Figure 4.
Figure 4. Custom Function Containing Commented Code
The commented code specifies a link that contains the string “office1withemail” in the URL path. Pivoting on this code, Area 1 Security researchers identified a massive number of phishing attacks, dating back to at least April 2019. These attacks leveraged a large variety of phishing themes, used numerous cloud hosting and VPS providers to send the messages, and targeted a slew of industry verticals.
It's possible these attacks are the work of a single group. However, given the nature and pervasiveness of the activity - and the fact that all of the attacks used JavaScript that contained the same commented code - a phishing kit may be at play.
If the target enters their password, it is posted to a website hosted on Microsoft Azure Web Sites, for example hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php, as revealed in Figure 5.
Figure 5. HTTP Post of Victim Credentials
After the credentials are entered, the .ldsddddd function above displays a spinning circle next to the “Sign In” button, making it appear as if the credentials are being validated. After several seconds have passed, the error message shown in Figure 6 is displayed.
Figure 6. Error Message Displayed After Credentials Are Entered
No matter what value is entered, the victim is led to believe they provided an incorrect password. To reduce suspicion, if the victim clicks on the “Forgot my password” link, the browser redirects to the real Microsoft password reset page.
This pervasive “COVID Restrictions” campaign is an ongoing threat to many individuals and businesses alike. The use of VPS and leading email service providers, as well as abuse of multiple cloud services throughout several stages of the attack, make it a particularly difficult campaign to detect.
To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this. In fact, Microsoft’s native Office 365 email security failed to stop this phishing attack despite these red flags.
Fortunately, Area 1 Security detected this stealthy campaign and stopped these phish from reaching our customers’ inboxes.
Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology allow our algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.
Indicators of Compromise
Malicious Links:
hxxps://pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net/handler[.]php
hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php
hxxps://03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com/index[.]html#@<targeted_company_domain>
hxxps://owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com/index[.]html#@<targeted_company_domain>
hxxps://s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn/index[.]html#@<targeted_company_domain>
hxxps://storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com/index[.]html#@<targeted_company_domain>
hxxps://storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com/index[.]html#@<targeted_company_domain>
hxxps://storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com/index[.]html#@<targeted_company_domain>
hxxps://storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com/index[.]html#@<targeted_company_domain>
hxxps://storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com/index[.]html#@<targeted_company_domain>
hxxps://tlook-off365-signin[.]web[.]app/#@<targeted_company_domain>
hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#@<targeted_company_domain>
hxxps://y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com/index[.]html?eid=@<targeted_company_domain>
hxxp://d-nb[.]xyz/?e=@<targeted_company_domain>
Malicious Sites:
pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net
fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net
03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com
owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com
y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com
s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn
storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com
storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com
storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com
storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com
storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com
x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com
tlook-off365-signin[.]web[.]app
d-nb[.]xyz