The Threat

The eSentire Threat Intelligence team has observed a recent phishing campaign using Microsoft cloud services to host Office 365 phishing pages. Observed obfuscation methods may bypass link inspection or content filtering in certain cases. These techniques increase the likelihood of successful delivery and the perceived legitimacy of the phishing page. Users and network/email administrators are advised to review indicators and samples below for awareness.

What we're doing about it

  • Phishing pages have been reported to Microsoft
  • The Threat Intelligence team is monitoring observed phishing pages for customer information

What you should do about it

Users

  • Review the sample email and O365 phishing page below for reference
  • Always review the From field for suspicious sender addresses
  • Hover over links before clicking. If you notice windows[.]net or azurewebsites[.]net in the URL, do not assume it is safe
  • Be cautious of generic Office 365 login pages lacking branding for your organization

Network/Email Administrators

  • Consider flagging or blocking emails containing the following strings in message bodies:
    • windows.net
    • azurewebsites.net
    • #x61;zurew&#x6=5;bsites.ne&#x74
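
The third string above looks like azurewebsites.net with some letters written as HTML character references and a quoted-printable soft line break in the middle (an assumption based on its shape), so a plain substring match on the raw message body can miss it. The following added example, which is not eSentire's code, decodes the body before matching; the function names and the sample message are constructed for illustration.

```python
import html
import quopri
import re

# Hosting suffixes named in the advisory.
WATCHED_SUFFIXES = ("windows.net", "azurewebsites.net")

# A hostname that is, or ends in, a watched suffix. The lookarounds stop
# "notwindows.net" and "windows.net.example.com" from matching.
_HOST_RE = re.compile(
    r"(?<![a-z0-9-])((?:[a-z0-9-]+\.)*(?:%s))(?![a-z0-9-])(?!\.[a-z0-9])"
    % "|".join(re.escape(s) for s in WATCHED_SUFFIXES),
    re.IGNORECASE,
)


def normalize(raw_body: bytes) -> str:
    """Undo quoted-printable and HTML character references before matching."""
    text = quopri.decodestring(raw_body).decode("utf-8", errors="replace")
    for _ in range(3):  # bounded, to catch double-encoded references
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def watched_hosts(text: str) -> list[str]:
    """Return the distinct watched hostnames found in text, lower-cased."""
    return sorted({m.group(1).lower() for m in _HOST_RE.finditer(text)})


def inspect(raw_body: bytes) -> dict[str, list[str]]:
    """Compare what a raw match sees with what a decoded match sees."""
    raw_text = raw_body.decode("utf-8", errors="replace")
    return {"raw": watched_hosts(raw_text),
            "normalized": watched_hosts(normalize(raw_body))}


# Constructed sample body (quoted-printable, entity-obfuscated link).
SAMPLE = (b'<a href=3D"https://constructed-sample.&#x61;zurew&#x6=\n'
          b'5;bsites.ne&#x74;/o365">View document</a>')

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

A hit in "normalized" with nothing in "raw" is itself a useful flag, since it means the hostname was only visible after decoding.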

Additional Resources

[1] https://azure.microsoft.com/en-ca/services/storage/blobs/

[2] https://www.bleepingcomputer.com/news/security/phishing-attack-uses-azure-blob-storage-to-impersonate-microsoft/

 
