New phishing tool lures victims with Microsoft 365 decoy pages

A highly sophisticated reverse proxy¹ Phising-as-a-Service² (PaaS) platform was recently detected in the wild, bypassing multi-factor authentication (MFA) and providing features on par with some of the top PaaS products on the market. According to researchers who observed the PaaS platform, the tool targets Microsoft 365 cloud service business accounts, delivering highly realistic fake log-in pages that include company branding and auto-fill victims’ email addresses.

The PaaS tool’s convincing logins have been used in successful phishing campaigns targeting businesses in the English-speaking world, including entities in the U.S., U.K., Australia, South Africa, and Canada. To date, the tool’s PaaS campaigns have attacked undisclosed victims in the manufacturing, healthcare, and technology sectors. Researchers observed a spike in attacks using this tool in March 2023, with the campaigns continuing into April. The PaaS platform provides affiliates with phishing kits that include administration panels for (1) configuring service API³ keys and Telegram bots,⁴ and (2) managing stolen credentials.

With the PaaS’ feature-rich phishing kits, even novice threat actors can launch attacks using the tool as a proxy to the Microsoft 365 authentication system, performing adversary-in-the-middle⁵ (AitM) attacks to steal victims' credentials and session cookies.⁶ Threat actors can the leverage this data in further attacks or sell it to the other cybercriminals on the underground.

Turning to the tool’s attack chain, threat actors send victims malicious emails that contain HyperText Markup Language⁷ (HTML) file attachments. When victims open the related HTML pages, the files establish connections to attackers’ servers, which eventually redirect victims to decoy company-branded Microsoft 365 login pages. These logins are auto-filled with email addresses so victims will insert their passwords and the MFA codes they’ve been sent. With the password and MFA codes entered, the tool logs into Microsoft 365. In addition to the credentials, the PaaS affiliate collects the authenticated session cookies, delivering them to their Telegram channel or to the admin panel.

While the technique for bypassing MFA mechanisms is not new, it has historically required a level of sophistication that inexperienced threat actors lack. Ready-to-use kits solve that problem, offering comprehensive instructions, intuitive user interfaces, and cloned phishing pages for services such as Microsoft 356. With such tools, inexperienced threat actors can ultimately take over victims’ accounts and manage all tasks associated with successful phishing campaigns.

DIVING DEEPER

Cybersixgill observed an eponymous threat actor advertising the new PaaS tool on a popular instant messaging platform, describing the product and listing its features, without providing prices.

The advertisement was posted on a group that specializes in a variety of scams and cybercriminal activity. According to the ad, the new PaaS tool is capable of targeting Office365⁸ and Alibaba.⁹ The ad also offers a number of auxiliary services that a threat actor could leverage to make their phishing campaign successful, including email lists for targeting victims, leads from the LinkedIn¹⁰ social networking site, and ZoomInfo¹¹ account data.

The details provided in the ad paint the picture of a PaaS that could help burgeoning cybercriminals launch successful phishing campaigns. In addition to providing the actual malware infrastructure required to harvest data, the tool also offers a source of potential victims for threat actors to attack, eliminating the time-consuming process of identifying targets. These features make the PaaS a one-stop-shop for novice threat actors

Based on this post, and the absence of ads for the PaaS on popular cybercrime forums, the new PaaS tool’s operators may be attempting to fly under the radar. In this post, the only contact information provided is a DM username, which doesn’t reference the tool. This is unusual for threat actors hawking malware, who frequently provide Telegram details or their accounts on Jabber or the Tox messenger.

The user also only advertised the PaaS tool a handful of times. This diverges from the pattern of most malware vendors, who repeatedly post about their products on multiple platforms and “bump” their posts to drum up business. Finally, the Cybersixgill Investigative Portal observed the user speaking a language native to a tiny island country in Micronesia, which is not known as a hotbed for cybercrime.

Figure 1: A threat actor advertises the PaaS

In addition to the aforementioned ads, Cybersixgill observed members of a Russian cybercrime forum seeking the PaaS tool. The message below was posted by a highly active forum member who posts primarily about phishing and spamming services. In the post below, the member specifically sought contacts for threat actors associated with the PaaS tool. While another forum member replied that they were also interested in the tool, no other members came forward with information.

Based on the poster’s previous activity observed by Cybersixgill, this is an experienced threat actor who is heavily involved in phishing campaigns. The actor posted close to 60 times on the forum in the past month alone, with the majority of the activity related to (1) Android banking malware targeting the U.S., Europe and Middle East, (2) phishing campaigns targeting Pakistan, (3) bank logs, and (4) cashout schemes for digital payment applications.

Interest from threat actors such as this could mean that the PaaS tool is gaining popularity on the underground. The PaaS’ lack of advertisements on Russian forums where the tool has been mentioned suggests that the tool’s operators are likely not of Russian origin.

Figure2: Threat actors seek the PaaS tool

TAKEAWAYS

This new PaaS tool could appeal to skilled malicious actors and beginners alike, providing an easy-to-use tool for stealing sensitive data while bypassing MFA protection mechanisms. Indeed, this tool appears capable of phishing campaigns that compromise Microsoft 365 accounts.

With Paas tools l closing the skill gap and providing novice attackers the means to steal data from valuable accounts, all organizations must instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites. Finally, organizations should instruct personnel to exercise additional caution when using MFA codes for corporate services.

1. ^{A reverse proxy is a server that sits in front of one or more web servers, intercepting requests from clients.}

2. ^{As their name implies, Phishing-as-a-Service (PaaS) operations provide phishing tools in exchange for a fee.}

3. ^{API (Application Programming Interface) keys are authentication mechanisms used to identify and authorize access to cloud services.}

4. ^{Telegram bots are automated programs or scripts that perform various tasks, which can be exploited in phishing campaigns.}

5. ^{Adversary-in-the-middle (AitM) techniques capture data such as credentials and session cookies web services. They bypass security mechanisms and compromise corporate email accounts, attacking communication between two components, typically client and server, to alter or obtain the exchanged data. Attackers secretly relay communications between the parties, who remain unaware that an adversary exists between them capable of harvesting or manipulating data.}

6. ^{A session cookie is a file containing an identifier (a string of letters and numbers) that a website server sends to a browser for temporary use during a limited timeframe.}

7. ^{HyperText Markup Language (HTML) is the code that used to structure a web page and its content. For example, content could be structured within a set of paragraphs, a list of bulleted points, or using images and data tables.}

8. ^{Microsoft Office 365 is a cloud-based productivity suite with applications such as Word, Excel, PowerPoint, Outlook, OneDrive, Teams, and more.}

9. ^{Alibaba is a China-based multinational e-commerce platform company that operates multiple sites, including Alibaba.com, Taobao, and Tmall.}

10. ^{LinkedIn is a professional/career-oriented social networking platform, which contains contact information and other details about its users.}

11. ^{The ZoomInfo platform specializes in business-to-business (B2B) data and intelligence, providing comprehensive company and contact information.}