• Product
    • Overview
    • Why Area 1
      • Customer Reviews
      • Case Studies
    • Technology
    • Pricing
    • Free Trial
  • Solutions
    • Phishing Attacks
    • Business Email Compromise
    • Cloud Email Security
      • Office 365
      • Gmail
    • Autonomous Phish SOC
    • COVID-19 Phishing
    • Election Security
  • Partners
    • Find a Technology Partner
    • Find a Channel Partners
    • Become a Partner
  • Resources
    • Resources
    • Blog
    • Events | Webinars
    • Newsletter
    • Phishing Glossary
  • Company
    • About
    • Trust Center
    • News
    • Careers
    • Contact
  • Search
Area 1

Request a FREE Demo Today!

  • KEY USE CASES

    Area 1’s cloud-native SaaS solution supports three key use cases: preemptive anti-phishing across all threat vectors (email, web, social, network); cloud email security / SEG replacement; and phishing security automation for SOC teams.

    Learn More
    Area 1

    Request a FREE Demo Today!

  • THE CHALLENGE

    SEGs, cloud email and DMARC struggle against the most sophisticated phishing attacks. Area 1 is the only company that preemptively blocks Type 1-3 BEC phishing, and other highly targeted attacks.

    Learn More

    PHISH OF THE WEEK

    This much should be clear by now – we at Area 1 absolutely detest phish! But in some weird karmic way, we exist because phish exist…and we exist to quell each and every one of the attacks hitting our customers.

    Well, it just got a lot harder on those pesky creatures, and a lot better for our current — and future — customers.

    View Now
    Area 1

    Request a FREE Demo Today!

  • FIND A TECHNOLOGY PARTNER

    Area 1 is a Microsoft Certified Partner and a Google Cloud Security Technology Partner of the Year. We also integrate with a number of SIEM, SOAR, SEG and firewall technology providers to fit your unique infrastructure.

    Learn More

    FIND A CHANNEL PARTNER

    Work with trusted cybersecurity experts across the globe to secure your business. Learn about our partnerships with Legato Security, Optiv, SADA Systems, SYNNEX and others.

    Learn More
  • NEW ON THE BLOG

    A rapidly evolving phishing campaign is on the loose.

    Read Blog

    UPCOMING WEBINAR

    How did one million phishing emails bypassed Office 365 defenses?

    Register Here
  • WHO WE ARE

    At Area 1 Security, We Stop Phish. We’re accountable to you: that means we believe you should pay only to cybersecurity company that works. If it doesn’t protect you, why invest in it?

    Learn More

    IN THE NEWS

    Read Here

    Need to Contact Us?

    We’re here to help

    Area 1
Area 1 Security
  • Product
    • OVERVIEW
      • Why Area 1
        • WHY AREA 1
          • Customer Reviews
          • Case Studies
      • Technology
      • Pricing
      • Free Trial
  • Solutions
    • SOLUTIONS
      • Phishing Attacks
      • Business Email Compromise
      • Cloud Email Security
        • CLOUD EMAIL SECURITY
          • Office 365
          • Gmail
      • COVID-19 Phishing
      • Autonomous Phish SOC
      • Election Security
  • Partners
  • Resources
    • RESOURCES
      • Blog
      • Resource Library
      • Newsletter
      • Events | Webinars
      • Phishing Glossary
  • Company
    • COMPANY
      • About
      • Trust Center
      • News
      • Careers
      • Contact
  • Search
  • Try Area 1

Phishpoint Back in Full Swing

Area 1 Security - Threat Research Team December 11, 2020

In August, Area 1 Security researchers identified a Microsoft SharePoint phishing campaign that abused cloud computing services, such as Azure Web Sites, Google Storage, and Amazon Web Services, to host credential harvesters. Most recently, our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging new COVID-19 restrictions to steal victims’ login information.

While this new COVID-19 phishing campaign is incredibly widespread, Area 1 Security noted that a majority of the targets included upper-level management and executives. The attacker may be focusing the bulk of the attacks on these individuals in order to have a better chance of gaining access to sensitive information and potentially infiltrating the target network.

Just Another Work Email?

This new campaign deviates from the previous “Summer Bonus” Microsoft Office 365 phishing campaign by attempting to trick targets into thinking they missed an important update to COVID-19 procedures. As seen in Figure 1, the attacker states that a purported SharePoint-hosted document was sent a week prior, creating a sense of urgency in order to lure targets into clicking on the provided link.

Sharepoint Phishing Email
[Figure 1. SharePoint Phishing Email]

The new COVID-19 campaign contains many of the same hallmarks as the previous bonus-themed phish, such as tailoring each message to include the target’s email and company name throughout the body of the message and in the spoofed sender address. However, this time around, the attacker improved upon their formatting to appear more convincing.

As with the previous PhishPoint campaign, the attacker continues to use Virtual Private Servers (VPS) to send their phishing messages. Area 1 Security researchers identified roughly 100 unique sender addresses associated with this “COVID Requirements” campaign. The attacker used three main VPS services – CrownCloud, HostWinds, and MGNHost.

The versatility of a VPS allows the attacker to remain anonymous and also provides the ability to continually pivot to new infrastructure as soon as a phishing domain or IP address is identified as malicious.

To a lesser extent, the attackers also sent the phishing messages through a leading transactional and marketing email provider, SendGrid. This company is known for their presence, experience and expertise in email delivery. As a result, SendGrid’s domain is commonly whitelisted. For this reason, threat actors will often launch their phishing campaigns by abusing reputable providers like this.

Not only that, but with SendGrid, the message will easily pass email authentication. This demonstrates just how DMARC fails at stopping phishing attacks.

The use of SendGrid is also a clever way to circumvent Secure Email Gateways (SEGs). SEGs that predominantly depend on email authentication and sender reputation (SPF, DKIM, DMARC) will completely miss these types of phishing attacks.

Analysis of Spoofed Microsoft Login Page

Disguised as a simple “Open” button, the link in the message body leads to a spoofed Microsoft login page hosted on various cloud computing platforms, including Amazon Web Services, Google’s Appspot engine, and Firebase. These top tier, widely-used cloud services provide attackers the perfect platform for hosting their malicious content, all the while flying under the radar of legacy vendor email security solutions.

An example link, hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#[email protected], shown in the address bar in Figure 2, further demonstrates the targeted nature of the attacks. The redacted information in the URL contains the target’s company email address. To further add legitimacy, this spoofed site is nearly identical to the real Microsoft login page. The only discernible difference is the inclusion of the word “Outlook.”

Spoofed Microsoft Login Portal
[Figure 2. Spoofed Microsoft Login Portal]

Figure 3 shows a portion of the source code of the spoofed login page. This section of code consists of JavaScript that attempts to mimic the functionality of the legitimate Microsoft login page.

JavaScript of Spoofed Login Page
[Figure 3. JavaScript of Spoofed Login Page]

The code calls a custom function responsible for extracting the victim’s email from the URL and prepopulating it in the account username field. In this function the actor left a portion of commented code (presumably used by the developer of the code for testing purposes) as highlighted in Figure 4.

Custom Function Containing Commented Code
[Figure 4. Custom Function Containing Commented Code]

The commented code specifies a link that contains the string “office1withemail” in the URL path. Pivoting on this code, Area 1 Security researchers identified a massive number of phishing attacks, dating back to at least April 2019. These attacks leveraged a large variety of phishing themes, used numerous cloud hosting and VPS providers to send the messages, and targeted a slew of industry verticals.

It’s possible these attacks are the work of a single group. However, given the nature and pervasiveness of the activity – and the fact that all of the attacks used JavaScript that contained the same commented code – a phishing kit may be at play.

If the target enters their password, it is posted to a website hosted on Microsoft Azure Web Sites, for example hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php, as revealed in Figure 5.

HTTP Post of Victim Credentials
[Figure 5. HTTP Post of Victim Credentials]

After the credentials are entered, the .ldsddddd function above displays a spinning circle next to the “Sign In” button, making it appear as if the credentials are being validated. After several seconds have passed, the error message shown in Figure 6 is displayed.

Error Message Displayed After Credentials Are Entered
[Figure 6. Error Message Displayed After Credentials Are Entered]

No matter what value is entered, the victim is led to believe they provided an incorrect password. To reduce suspicion, if the victim clicks on the “Forgot my password” link, the browser redirects to the real Microsoft password reset page.

This pervasive “COVID Restrictions” campaign is an ongoing threat to many individuals and businesses alike. The use of VPS and leading email service providers, as well as abuse of multiple cloud services throughout several stages of the attack, make it a particularly difficult campaign to detect.

To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this. In fact, Microsoft’s native Office 365 email security failed to stop this phishing attack despite these red flags.



Fortunately, Area 1 Security detected this stealthy campaign and stopped these phish from reaching our customers’ inboxes.

Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology allow our algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.

Indicators of Compromise

Malicious Links:

  • hxxps://pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net/handler[.]php
  • hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php
  • hxxps://03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn/index[.]html#<target>@<targeted_company_domain>
  • hxxps://storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com/index[.]html#<target>@<targeted_company_domain>
  • hxxps://tlook-off365-signin[.]web[.]app/#<target>@<targeted_company_domain>
  • hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#<target>@<targeted_company_domain>
  • hxxps://y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com/index[.]html?eid=<target>@<targeted_company_domain>
  • hxxp://d-nb[.]xyz/?e=<target>@<targeted_company_domain>

Malicious Sites:

  • pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net
  • fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net
  • 03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com
  • owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com
  • y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com
  • s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn
  • storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com
  • storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com
  • storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com
  • storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com
  • storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com
  • x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com
  • tlook-off365-signin[.]web[.]app
  • d-nb[.]xyz

Want to keep up to date with the latest phishing trends?

Subscribe to our newsletter here!


Subscribe

In August, Area 1 Security researchers identified a Microsoft SharePoint phishing campaign that abused cloud computing services, such as Azure Web Sites, Google Storage, and Amazon Web Services, to host credential harvesters.

  • cloud security
  • COVID-19 Security
  • Office 365 Security
  • spoofing
Related Blogs
 

Blog

Reinforce Gmail with Gartner-Recommended Anti-Phishing Controls

Anticipation ran high when Google introduced Gmail; and the versatile MX has exceeded expectations, driving productivity as it speeds and …

 

Blog

7 Email Security Mistakes that Weaken Cybersecurity Posture

Here is a brief introduction to some of the CISOs you’ll learn about in this Webinar. Find out how they …

 

Blog

Solving Business Email Compromise (BEC) Takes More Than Just Server Standards

These days, we hear a lot about Business Email Compromise (BEC). There’s good reason for concern. BEC phishing emails operate …

View More Blogs >
Detect. Disrupt. Defeat.

No-Phishing Zone

Schedule A Demo
Area 1 Security

[email protected]

Sales 650.381.1647

142 Stambaugh Street
Redwood City, CA 94063

Partners
  • Product
  • Overview
  • Why Area 1
  • Technology
  • Demo Request
  • Solutions
  • Resources
  • Company
  • About
  • News
  • Events
  • Careers
  • Contact Us
  • Blog
Area 1 Security
  • Product
  • Overview
  • Why Area 1
  • Technology
  • Demo Request
  • Solutions
  • Resources
  • Company
  • About
  • News
  • Events
  • Careers
  • Contact Us
  • Blog

[email protected]

Sales 650.381.1647

142 Stambaugh Street
Redwood City, CA 94063

Partners
© 2021 Area 1 Security
  • Trust Center
  • Privacy