Abusing Microsoft’s Azure Domains To Host Phishing Attacks (Jul 16, 2019)

The Zscaler ThreatLabZ team has detected phishing attacks that leverage Microsoft Azure custom domains. The threat actors behind this malicious activity signed their phishing sites with Microsoft SSL certificates in an attempt to make the websites appear authentic. The phishing email contained a link that, once activated, redirects to an Outlook login phishing page hosted on the Azure domain. Once the user enters login information, the form posts the user’s credential details to the compromised domain that is operated by the attacker. Microsoft was notified of the attacks and quickly engaged to shut these sites down, and Zscaler detected and blocked 2,000 phishing attempts from these domains over a six-week period.
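A valid certificate on the hosting domain says nothing about where the login form sends its data, so one triage check is to compare the form's destination with the page's own host. The following is an added example, not code from the Zscaler report; the function and class names are hypothetical and the `.example` hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []      # finished forms: {"action": str, "password": bool}
        self.pending = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.flush_form()  # tolerate a missing </form> before the next form
            self.pending = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self.pending is not None:
            if (a.get("type") or "").lower() == "password":
                self.pending["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.flush_form()

    def flush_form(self):
        if self.pending is not None:
            self.forms.append(self.pending)
            self.pending = None


def offsite_credential_posts(page_url, html):
    """Return hosts, other than the page's own, that receive a password form."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    collector.flush_form()   # form left open at the end of the document
    hits = []
    for form in collector.forms:
        # An empty or relative action resolves to the page's own host.
        target = (urlsplit(urljoin(page_url, form["action"])).hostname or "").lower()
        if form["password"] and target and target != page_host:
            hits.append(target)
    return hits


# Constructed sample; the .example hostnames are placeholders, not real IOCs.
PAGE_URL = "https://outlook-login.azure-hosted.example/index.html"
PAGE_HTML = ('<form method="post" action="https://compromised-site.example/collect.php">'
             '<input type="email" name="user"><input type="PASSWORD" name="pass"></form>')
```

This covers static HTML forms only; a page that submits credentials from script needs a rendered-DOM or proxy-log check instead.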

Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. An email that asks the recipient to follow a link and then enter credentials is often an indicator of a phishing attack.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.