
Phishing Attack on Azure Blob Storage Dupes Users by Displaying a Signed SSL Certificate from Microsoft

A recent phishing attack on Office 365 uses a different and rather interesting technique: the phishing form is hosted on Azure Blob Storage, Bleeping Computer reported.

Azure Blob Storage is a Microsoft storage solution for unstructured data such as video, images and text. One of the main benefits of Azure Blob Storage is that it is accessible over both HTTP and HTTPS. When connecting over HTTPS, it shows an SSL certificate signed by Microsoft. The new phishing attack stores the phishing form in Azure Blob Storage, so the displayed form is naturally served under an SSL certificate obtained from Microsoft. This makes it a distinctive way to host phishing forms that target Microsoft services such as Azure AD, Office 365 and other similar Microsoft logins.

A similar discovery was recently made by Netskope, which showed that the bad actors are sending spam emails with PDF attachments that pretend to come from a Denver law firm. These attachments are named “Scanned Document… Please Review.pdf”. They contain a simple button for downloading a fake PDF of a supposed scanned document. When users click this PDF link, they are brought to an HTML page, stored on Microsoft Azure Blob Storage, that pretends to be an Office 365 login form. Since the page is hosted by a Microsoft service, it gains the additional advantage of being a site with a secure SSL certificate. Even if the strange URL surprises users, the signed SSL certificate will reassure them, since it has been issued by Microsoft IT TLS CA 5.

Signed SSL Certificate -Bleeping Computer

When the user enters their information, the contents are submitted to a server operated by the phishing attackers. The page then pretends that the document is beginning to download, but it ultimately just redirects the user to a Microsoft site at this URL: https://products.office.com/en-us/sharepoint/collaboration

Bleeping Computer reports that Netskope has recommended that companies properly educate their users so that they are able to recognize non-standard webpage addresses.
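The same check can be automated over links pulled from mail or proxy logs. The following is an added example, not code from Netskope or Bleeping Computer: it flags HTML pages served directly from Azure Blob Storage hosts (`<account>.blob.core.windows.net`), where the certificate vouches for the storage service rather than for the page content. The list of expected sign-in hosts is an assumption to adjust per organisation, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts where this organisation expects Microsoft sign-in pages.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Public Azure Blob Storage endpoints: <account>.blob.core.windows.net.
# The TLS certificate covers the service; the content is the account owner's.
BLOB_SUFFIX = ".blob.core.windows.net"
HTML_EXTENSIONS = (".html", ".htm")


def classify_url(url):
    """Return 'expected-login', 'blob-hosted-html', 'blob-other' or 'other'."""
    parts = urlsplit(url.strip())
    # hostname is already lower-cased; also drop a trailing root dot.
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()  # query string is not part of .path
    if host in EXPECTED_LOGIN_HOSTS:
        return "expected-login"
    if host.endswith(BLOB_SUFFIX):
        if path.endswith(HTML_EXTENSIONS):
            return "blob-hosted-html"
        return "blob-other"
    return "other"


def flag_for_review(urls):
    """URLs that serve an HTML page straight from blob storage."""
    return [u for u in urls if classify_url(u) == "blob-hosted-html"]


# Constructed sample links; account names are placeholders.
SAMPLE_URLS = [
    "https://exampleaccount0001.blob.core.windows.net/docs/index.html?sp=r",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://exampleaccount0002.blob.core.windows.net/media/photo.jpg",
    "https://products.office.com/en-us/sharepoint/collaboration",
    "HTTPS://EXAMPLEACCOUNT0003.BLOB.CORE.WINDOWS.NET/Login.HTM",
    "https://blob.core.windows.net.example.org/index.html",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url):18} {url}")
```

A hit is a triage signal rather than a verdict, since legitimate static sites are also served from blob storage.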
