[SCAM ALERT 062] – Microsoft

SCAM ALERT (10)

Microsoft is among the top market capitalizations on the NASDAQ, alongside Apple and Amazon. In 2018, the revenue amounted to $110.36 billion.

During our PreCrime internet scout of October 31st 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Microsoft customers.

The Attack

Target: 

  • Customers of Microsoft
Possible threats:

Below are different malicious domains that attempt to trick users, most likely corporate employees into entering their work email credentials, which will give threat actors access to the employees email account and initial access to the company.

The attacker would most likely use the following steps to scam the employee:

  1. Sending a phishing email to employees with a link to one of the malicious sites, asking them to login to their employee account due to an issue or by referencing a file that they need to access.

  2. Once the attacker has gained access to the employees inbox, they will lurk around the inbox, monitoring email chains and threads until they identify one of interest, for example, where a wire transfer is being discussed.

  3. The attacker will monitor the email thread gathering information. They will then reply to the email chain asking for the funds to be sent elsewhere (to their own account), stating that the original bank account has been changed.

Using this tactic of email thread hijacking makes the victim more likely to fall for the scam since it is part of an ongoing conversation. Email conversation hijacking has also been increasingly used by cybercriminals with a 270% increase in 2021.

This type of threat, known as wire transfer phishing can be incredibly costly for a company. While the cost depends on the wire transfer requested by the company, the average cost companies lose to these scams average 150,000 USD.

hxxp://robertdavison[.]net

microsoft A

hxxp://resaleshop[.]usLegitimate site: bancopatagonia[.]com[.]ar

MICROSOFT B

hxxp://feinfilm[.]de → hxxp://feinfilm[.]de/office/login.php

MICROSOFT C

hxxp://newbies001.bitbucket[.]io

MICROSOFT D

hxxp://grandos08.bitbucket[.]io

MICROSOFT E

Technical Breakdown

Threat Indicators
  • Malicious domains impersonating Microsoft Office tools

  • Newly registered sites – 14th – 25th October 2022

  • MX record indicates domain may be part of a phishing campaign

  • SSL certificates expires after three months

Detection and Threat Analysis

  • The two domains, robertdavison[.]net and resaleshop[.]us lead users to a login page for Office 365 and Microsoft Office. The two sites are built slightly differently and are clearly set up to target employees at different company’s. The two domains resolve to the same IP address in the Netherlands, indicating that they are likely created by the same threat actor.

microsoft1 microsoft2

microsoft3

  • The hxxp://feinfilm[.]de malicious domain, redirects user to the following domain: hxxp://feinfilm[.]de/office/login.php. Similar to the previous malicious domains, this website also shows visitors a Microsoft login page. With the IP address and the domain being German (.de), it is likely that German employees would be targeted in this scam.

microsoft4 microsoft5
  • The Bitbucket domains shown below, were created by the same threat actor due to their identical DNS records. Additionally, they both have very similar content. The first malicious site, asks users to login with their email credentials in order to listen to a voicemail message. The other domain asks user to login with their email credentials in order to read a document.

microsoft6
hxxp://grandos08.bitbucket[.]io
microsoft7

hxxp://newbies001.bitbucket[.]io

  • The domains, except from one, have registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors are likely setting up the domain to be part of a phishing campaign that leads to the malicious domains.

  • Two of the malicious domains do not have registered SSL certificates. The three other domains have registered SSL certificates that expire after three months and are issued by a non-trusted certificate issuer (Let’s Encrypt). Legitimate companies will always have a certificate from a reputable source that is at least one year long and indicate the organisation with whom they are registered.

DNS Record
Domain hxxp://robertdavison[.]net hxxp://resaleshop[.]us hxxp://feinfilm[.]de hxxp://newbies001.bitbucket[.]io hxxp://grandos08.bitbucket[.]io
Registrar GoDaddy.com, LLC GoDaddy.com, LLC Unknown Unknown Unknown
Domain Creation and Expiration Created on 14-10-2022
Expires on unknown
Updated on unknown

17 days old

Created on 24-10-2022
Expires on unknown
Updated on unknown

7 days old

Created on 25-10-2022
Expires on unknown
Updated on unknown

6 days old

Created on 25-10-2022
Expires on unknown
Updated on unknown

6 days old

Created on 25-10-2022
Expires on unknown
Updated on unknown

6 days old

Certificate Issued by: Let’s Encrypt

Issued to: Unknown

05-10-2022 -> 03-01-2023

10-10-2022 -> 08-01-2023

13-10-2022 -> 11-01-2023

25-10-2022 -> 23-01-2023

Valid for 3 months

Issued by: Let’s Encrypt

Issued to: Unknown

20-10-2022 -> 18-01-2023

24-10-2022 -> 22-01-2023

Valid for 3 months

Issued by: Let’s Encrypt

Issued to: Unknown

07-10-2022 -> 05-01-2023

10-10-2022 -> 08-01-2023

Valid for 3 months

N/A N/A
Name Servers ns61.domaincontrol.com

ns62.domaincontrol.com

ns07.domaincontrol.com

ns08.domaincontrol.com

docks04.rzone.de

shades06.rzone.de

ns-850.awsdns-42.net

ns-1070.awsdns-05.org

ns-195.awsdns-24.com

ns-1976.awsdns-55.co.uk

ns-850.awsdns-42.net

ns-1070.awsdns-05.org

ns-195.awsdns-24.com

ns-1976.awsdns-55.co.uk

MX record robertdavison-net.mail.protection.outlook.com N/A smtpin.rzone.de mxb-001d9801.gslb.pphosted.com

mxa-001d9801.gslb.pphosted.com

mxb-001d9801.gslb.pphosted.com

mxa-001d9801.gslb.pphosted.com

IP address 185.185.42.9

Amsterdam, Netherlands

AS62240 Clouvider Limited

ISP: HOSTUS-AMS01

185.185.42.9

Amsterdam, Netherlands

AS62240 Clouvider Limited

ISP: HOSTUS-AMS01

168.119.99.139

Falkenstein, Germany

AS24940 Hetzner Online GmbH

ISP: Hetzner Online GmbH

18.205.93.9, 18.205.93.10, 18.205.93.11

Virginia, United States

AS14618 Amazon.com, Inc.

ISP: Amazon Technologies Inc

18.205.93.9, 18.205.93.10, 18.205.93.11

Virginia, United States

AS14618 Amazon.com, Inc.

ISP: Amazon Technologies Inc

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.