eSentire White Logo

Security advisories | Jul 09, 2019

Hex Encoded Links Point to Phishing Pages on Microsoft Cloud Services

The Threat

The eSentire Threat Intelligence team has observed a recent phishing campaign using Microsoft cloud services to host Office 365 phishing pages. Observed obfuscation methods may bypass link inspection or content filtering in certain cases. These techniques increase the likelihood of successful delivery and the perceived legitimacy of the phishing page. Users and network/email administrators are advised to review indicators and samples below for awareness.

What we're doing about it

  • Phishing pages have been reported to Microsoft
  • The Threat Intelligence team is monitoring observed phishing pages for customer information

What you should do about it


  • Review the sample email and O365 phishing page below for reference
  • Always review the From field for suspicious sender addresses
  • Hover over links before clicking. If you notice windows[.]net or azurewebsites[.]net in the URL do not assume it is safe
  • Be cautious of generic Office 365 login pages lacking branding for your organization

Network/Email Administrators

  • Consider flagging or blocking emails containing the following strings in message bodies:
    • #x61;zurew&#x6=5;

Additional Resources