Vade, a provider of email security and threat detection services, has released a report on a recently discovered phishing attack that involves the spoofing of the Microsoft 365 authentication system.
TIRC researchers decoded the base64-encoded string when analyzing a malicious domain and obtained results related to Microsoft 365 phishing attacks. Researchers noted that requests for phishing applications were made to eevilcorponline.
Its source code, found via periodic-checkerglitchme, was similar to the attachment’s HTML file, indicating that phishers are leveraging glitch.me to host malicious HTML pages.
Glitch.me is a platform that enables users to create and host web applications, websites, and various online projects. Unfortunately, in this instance, the platform is being exploited to host domains involved in the ongoing Microsoft 365 phishing scam.
The attack begins when the victim receives an email containing a malicious HTML file as an attachment. When the victim opens the file, a phishing page masquerading as Microsoft 365 is launched in their web browser. On this deceptive page, the victim is prompted to enter their credentials, which the attackers promptly gather for malicious purposes.
Due to Microsoft 365’s widespread adoption in the business community, there is a significant likelihood that the compromised account belongs to a corporate user. As a result, if the attacker gains access to these credentials, they can potentially obtain sensitive business and trade information.
Additionally, according to their report, Vade’s researchers have also discovered a phishing attack that involves the use of a spoofed version of Adobe.
Further analysis revealed that the malicious “eevilcorp” domain returns an authentication page related to an application called Hawkeye. It is important to highlight that cybersecurity experts, including Talos, have conducted assessments on the original HawkEye keylogger and classified it as a malware kit that emerged in 2013, with subsequent versions appearing over time.
This context is relevant because it explains why TIRC researchers were unable to establish a direct connection between the authentication page and the HawkEye keylogger.
The indicators of compromises were identified to be the following ones:
This attack stands out due to the utilization of a malicious domain (eevilcorponline) and HawkEye, which is available for purchase on hacker forums as a keylogger and data-stealing tool. While Vade’s investigation is still ongoing, it is crucial for users to remain vigilant and follow these steps to prevent falling victim to a Microsoft 365 phishing scam:
- Check the email sender: Be cautious of emails claiming to be from Microsoft 365 that are sent from suspicious or unfamiliar email addresses. Verify the sender’s email address to ensure it matches the official Microsoft domain.
- Look for generic greetings: Phishing emails often use generic greetings like “Dear User” instead of addressing you by name. Legitimate Microsoft emails usually address you by your name or username.
- Analyze email content and formatting: Pay attention to spelling and grammar mistakes, as well as poor formatting. Phishing emails often contain errors that legitimate communications from Microsoft would not have.
- Hover over links: Before clicking on any links in the email, hover your mouse cursor over them to see the actual URL. If the link’s destination looks suspicious or differs from official Microsoft domains, do not click on it.
- Be cautious of urgent requests: Phishing emails often create a sense of urgency, pressuring you to take immediate action. Beware of emails that claim your Microsoft 365 account is at risk or that require urgent verification of personal information.
Remember, if you suspect an email to be a phishing scam, it’s best to err on the side of caution. Report any suspicious emails to Microsoft and avoid providing personal or sensitive information unless you can verify the legitimacy of the request through official channels.