.png?width=797&height=332&name=SCAM%20ALERT%20(10).png)
Microsoft is among the top market capitalizations on the NASDAQ, alongside Apple and Amazon. In 2018, the revenue amounted to $110.36 billion.
The Attack
Target:
- Customers of Microsoft
Possible threats:
Below are different malicious domains that attempt to trick users, most likely corporate employees into entering their work email credentials, which will give threat actors access to the employees email account and initial access to the company.
The attacker would most likely use the following steps to scam the employee:
-
Sending a phishing email to employees with a link to one of the malicious sites, asking them to login to their employee account due to an issue or by referencing a file that they need to access.
-
Once the attacker has gained access to the employees inbox, they will lurk around the inbox, monitoring email chains and threads until they identify one of interest, for example, where a wire transfer is being discussed.
-
The attacker will monitor the email thread gathering information. They will then reply to the email chain asking for the funds to be sent elsewhere (to their own account), stating that the original bank account has been changed.
Using this tactic of email thread hijacking makes the victim more likely to fall for the scam since it is part of an ongoing conversation. Email conversation hijacking has also been increasingly used by cybercriminals with a 270% increase in 2021.
This type of threat, known as wire transfer phishing can be incredibly costly for a company. While the cost depends on the wire transfer requested by the company, the average cost companies lose to these scams average 150,000 USD.
|
hxxp://robertdavison[.]net |
hxxp://resaleshop[.]usLegitimate site: bancopatagonia[.]com[.]ar
|
|
hxxp://feinfilm[.]de → hxxp://feinfilm[.]de/office/login.php
|
hxxp://newbies001.bitbucket[.]io
|
|
hxxp://grandos08.bitbucket[.]io
|
Technical Breakdown
Threat Indicators
-
Malicious domains impersonating Microsoft Office tools
-
Newly registered sites - 14th - 25th October 2022
-
MX record indicates domain may be part of a phishing campaign
-
SSL certificates expires after three months
Detection and Threat Analysis
-
The two domains, robertdavison[.]net and resaleshop[.]us lead users to a login page for Office 365 and Microsoft Office. The two sites are built slightly differently and are clearly set up to target employees at different company’s. The two domains resolve to the same IP address in the Netherlands, indicating that they are likely created by the same threat actor.
 |
 |
-
The hxxp://feinfilm[.]de malicious domain, redirects user to the following domain: hxxp://feinfilm[.]de/office/login.php. Similar to the previous malicious domains, this website also shows visitors a Microsoft login page. With the IP address and the domain being German (.de), it is likely that German employees would be targeted in this scam.
|
|
|
-
The Bitbucket domains shown below, were created by the same threat actor due to their identical DNS records. Additionally, they both have very similar content. The first malicious site, asks users to login with their email credentials in order to listen to a voicemail message. The other domain asks user to login with their email credentials in order to read a document.
|
|
hxxp://newbies001.bitbucket[.]io |
-
The domains, except from one, have registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors are likely setting up the domain to be part of a phishing campaign that leads to the malicious domains.
-
Two of the malicious domains do not have registered SSL certificates. The three other domains have registered SSL certificates that expire after three months and are issued by a non-trusted certificate issuer (Let’s Encrypt). Legitimate companies will always have a certificate from a reputable source that is at least one year long and indicate the organisation with whom they are registered.
DNS Record
|
Domain |
hxxp://robertdavison[.]net |
hxxp://resaleshop[.]us |
hxxp://feinfilm[.]de |
hxxp://newbies001.bitbucket[.]io |
hxxp://grandos08.bitbucket[.]io |
|---|---|---|---|---|---|
|
Registrar |
GoDaddy.com, LLC |
GoDaddy.com, LLC |
Unknown |
Unknown |
Unknown |
|
Domain Creation and Expiration |
Created on 14-10-2022 17 days old |
Created on 24-10-2022 7 days old |
Created on 25-10-2022 6 days old |
Created on 25-10-2022 6 days old |
Created on 25-10-2022 6 days old |
|
Certificate |
Issued by: Let's Encrypt Issued to: Unknown 05-10-2022 -> 03-01-2023 10-10-2022 -> 08-01-2023 13-10-2022 -> 11-01-2023 25-10-2022 -> 23-01-2023 Valid for 3 months |
Issued by: Let's Encrypt Issued to: Unknown 20-10-2022 -> 18-01-2023 24-10-2022 -> 22-01-2023 Valid for 3 months |
Issued by: Let's Encrypt Issued to: Unknown 07-10-2022 -> 05-01-2023 10-10-2022 -> 08-01-2023 Valid for 3 months |
N/A |
N/A |
|
Name Servers |
ns61.domaincontrol.com ns62.domaincontrol.com |
ns07.domaincontrol.com ns08.domaincontrol.com |
docks04.rzone.de shades06.rzone.de |
ns-850.awsdns-42.net ns-1070.awsdns-05.org ns-195.awsdns-24.com ns-1976.awsdns-55.co.uk |
ns-850.awsdns-42.net ns-1070.awsdns-05.org ns-195.awsdns-24.com ns-1976.awsdns-55.co.uk |
|
MX record |
robertdavison-net.mail.protection.outlook.com |
N/A |
smtpin.rzone.de |
mxb-001d9801.gslb.pphosted.com mxa-001d9801.gslb.pphosted.com |
mxb-001d9801.gslb.pphosted.com mxa-001d9801.gslb.pphosted.com |
|
IP address |
185.185.42.9 Amsterdam, Netherlands AS62240 Clouvider Limited ISP: HOSTUS-AMS01 |
185.185.42.9 Amsterdam, Netherlands AS62240 Clouvider Limited ISP: HOSTUS-AMS01 |
168.119.99.139 Falkenstein, Germany AS24940 Hetzner Online GmbH ISP: Hetzner Online GmbH |
18.205.93.9, 18.205.93.10, 18.205.93.11 Virginia, United States AS14618 Amazon.com, Inc. ISP: Amazon Technologies Inc |
18.205.93.9, 18.205.93.10, 18.205.93.11 Virginia, United States AS14618 Amazon.com, Inc. ISP: Amazon Technologies Inc |
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.
Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !
Bfore.Ai’s recommendations
Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :
-
Pay close attention to the URL
-
Check connection security indicators (the lock)
-
Read emails carefully
-
Look for trust seals
Appendix
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
