In this blog post, Rapid7’s Managed Detection and Response (MDR) services team outlines a unique phishing campaign that utilizes a novel method of scraping organizations’ branded Microsoft 365 tenant login pages to produce highly convincing credential harvesting pages. This blog post was co-authored by Lonnie Best and Andrew Christian.

In mid-July 2019, Rapid7’s MDR service responded to a phishing attack against several users in a customer environment. The phishing emails that led to the initial investigation appeared as follows:

Upon investigation into what looked to be a rather normal phishing attempt, the attack quickly appeared to be very targeted. Typical phishing attacks attempting to gather credentials from Microsoft Office 365 users utilize fake “login” pages bearing prototypical Office 365 images and logos (often pulled directly from Microsoft hosting). However, the login page in this instance, while being hosted on legitimate Microsoft infrastructure (using the blob.core.windows[.]net and azurewebsites[.]net domains, which is not uncommon in phishing campaigns as of late), bore a background image and banner logo matching those of the target organization’s Office 365 tenant login page (not displayed here due to confidentiality concerns).

Rapid7 MDR analysts identified calls to the domain xeroxprofessionalsbusiness[.]vip during the phishing routine, which appeared to run a check of the targeted user against a predetermined list, leading to further examination of the attacker’s infrastructure. There, we identified a listing of PHP files and corresponding text files, numbered in ascending order with the digits 1 through 10 appended (e.g., chekeml#.php and valid#.txt, where # is a number between 1 and 10).
On July 17, 2019, the number of chekeml#.php and valid#.txt file pairs increased from 10 to 20.

The PHP files involved revealed no useful information other than the naming convention, which seems to indicate that they are used to run a check of an email address. However, each text file contains a list of thousands of validated email addresses, including the email addresses of the phished users discovered by MDR.

Further examination of the domains included in the validated email addresses points to a phishing campaign at least initially targeting a spectrum of industry verticals, including financial, insurance, medical, telecom, and energy. This put a dent in the initial speculation that the phishing emails were highly targeted, but led analysts to discover a seemingly new tactic in use by the attackers.

When logging into Office 365 from a primary 365 login address (i.e., login.microsoftonline.com), upon submitting a valid email address for which a branded tenant page is available, the user’s login is redirected to the corresponding tenant login page for the organization.

When configuring Office 365, an organization has the option to set a background logo and background image for the specific tenant’s login page. Whenever a user is successfully redirected to a tenant login page, calls for the background and banner logo are performed via specific HTTP GET requests, and can be downloaded or scraped by anyone who provides a valid email address and is redirected to the tenant page. (Links to these image files are also hard-coded into the HTML source code for the tenant login page.)
When configuring such options as the banner logo, a unique link is generated that appears similar to the following:
https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-2xsidmx46vvcjb212xsf5mvmhdtasdfudy9rin2big/logintenantbranding/0/bannerlogo?ts=63685345634565969162

In the case of the particular phishing campaign, the images appear to be dynamically inserted into the phishing landing page via the following mechanism:
https://xeroxprofessionalsbusiness[.]vip/api/logo.php?email=USER@DOMAIN.com

Here, the user is first validated via what would appear to be the valid#.txt files, and then a link containing the company’s logo image is generated and inserted into the phishing page via the following:
{"Bnr":https://secure.aadcdn.microsoftonline-p.com/<unique>/logintenantbranding/0/bannerlogo?ts=<unique>}

In a similar fashion, the background image is generated by running the phished user account against /api/back.php. This combines to create a semi-targeted and rather convincing credential harvesting page tailored to the user’s organization. In the case that a validated organization does not have a custom branded tenant page, the phishing kit is designed to utilize the default Office 365 background image:

Our MDR services team was able to correlate this default mechanism through a review of open-source information, in which organizations described being presented with a “classic” fake Office 365 landing page. It appears that most email subject lines are formatted with some variant of <username> (You) have 7 new emails, and have been observed being sent from the IP address 64[.]8[.]71[.]22 and the domains synacor[.]com or wolffbros[.]com.
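
The branding mechanism described above leaves two traces in web proxy logs: tenant branding fetched from the Microsoft CDN by a page other than the Microsoft login, and a logo.php/back.php-style lookup keyed on an email address. The following detection sketch is an added example, not code from Rapid7 or from the phishing kit; the four-field log layout, the .example hostnames, the TENANT-ID placeholder and the referer allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

BRANDING_HOST = "secure.aadcdn.microsoftonline-p.com"
# Assumption: pages that legitimately load tenant branding; extend per environment.
LEGIT_REFERERS = {"login.microsoftonline.com"}
KIT_API = re.compile(r"/api/(logo|back)\.php$", re.I)

# Constructed proxy log (timestamp, client, URL, referer); hosts and IDs are placeholders.
SAMPLE_LOG = """\
2019-07-17T10:01:02Z 10.0.0.5 https://login.microsoftonline.com/ -
2019-07-17T10:01:03Z 10.0.0.5 https://secure.aadcdn.microsoftonline-p.com/TENANT-ID/logintenantbranding/0/bannerlogo?ts=1 https://login.microsoftonline.com/
2019-07-17T10:05:10Z 10.0.0.9 https://kit.example/api/logo.php?email=user@corp.example https://landing.example/index.html
2019-07-17T10:05:11Z 10.0.0.9 https://secure.aadcdn.microsoftonline-p.com/TENANT-ID/logintenantbranding/0/bannerlogo?ts=1 https://landing.example/index.html
"""

def classify(url, referer):
    """Return the name of the rule a request matches, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    ref_host = "" if referer == "-" else (urlsplit(referer).hostname or "").lower()
    # Rule 1: tenant branding requested by a page other than the Microsoft login.
    # Requests with no referer are not flagged, to limit false positives.
    if host == BRANDING_HOST and "/logintenantbranding/" in u.path.lower():
        if ref_host and ref_host not in LEGIT_REFERERS:
            return "branding-foreign-referer"
    # Rule 2: logo.php/back.php-style endpoint queried with an email address.
    email = parse_qs(u.query).get("email", [""])[0]
    if KIT_API.search(u.path) and "@" in email:
        return "email-keyed-branding-api"
    return None

def scan(log_text):
    """Return (client, rule) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, url, referer = parts
        rule = classify(url, referer)
        if rule:
            hits.append((client, rule))
    return hits

if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG):
        print(client, rule)
```

Rule 1 depends on the browser sending a Referer header, so a landing page that suppresses referrers will not trigger it; rule 2 covers that case for kits that use this endpoint naming.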

The base URL for the attacker infrastructure, https://xeroxprofessionalsbusiness[.]vip, presents with a default WordPress site with the page title Aflam zaman أفلام زمان (an Arabic phrase literally translating to “Movies from Old” or roughly “Old-time Movies”), with a blog title of “Give Helping Hand to those who need it” (part of the default packaging of the “NGOworx” WordPress theme produced by a company called Themeworx)—the combination of which is either the typically random text so often observed in such attacker infrastructure, or perhaps could be viewed as a tongue-in-cheek reference to the attacker sitting back and watching as victims hand over their credentials.

Virtually all links in the source code of the WordPress page point to the domain aflamzman[.]ml, registered in the United States by Freedom Registry, Inc. According to WhoIs information, the primary domain, xeroxprofessionalsbusiness[.]vip, is registered via NameCheap, Inc., initially registered in November 2018, but updated as recently as July 24, 2019. At the time of analysis, the domain resolved to 212[.]24[.]103[.]108, belonging to a Lithuanian organization, UAB "Interneto vizija". This is notable, as Rapid7 MDR has observed an increase in abuse of Lithuanian infrastructure by attackers in recent weeks.

So far, this phishing campaign appears to specifically target users of Microsoft Office 365, so organizations utilizing this service should be diligent in implementing multi-factor authentication (either through Office 365 directly or via a third-party solution) and in implementing structured user phishing awareness training programs to equip users to spot and report phishing attempts.
