Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Outlook. Show all posts
Vulnerabilities and Exploits
Cisco Cybersecurity CyberThreat Excel Hackers macOS Microphone Microsoft App OneNote Outlook TCC Transparency Data Vulnerabilities and Exploits

Mac Users Targeted by Hackers Through Microsoft App Security Flaw

 


During the past couple of weeks, Cisco Talos, one of the world's most respected cybersecurity companies known for its cutting-edge cybersecurity products, has discovered at least eight security vulnerabilities. As a result of these bugs, researchers have found that the cameras and microphones of users of those applications may be accessed by attackers who exploit them for malicious purposes. In addition to this, a vulnerability like this could be exploited to steal other types of sensitive information, which can have a detrimental effect on the security of the system as well. 

It has been reported that many widely used Microsoft apps, including Word, Outlook, Excel, OneNote, Teams, and others, have been affected. To carry out this attack, malicious libraries to gain access to the user's entitlements and permissions are injected into Microsoft apps so that hackers can access a user's entitlements and permissions. According to the problem, this result is caused by the fact that Microsoft apps work with the Transparency and Consent framework on macOS, which allows applications to manage their permissions on a system with the Transparency Consent framework. 

The security vulnerability found in Microsoft's Mac apps made it possible for hackers to spy on Mac users without their knowledge. A security researcher from Cisco Talos posted a blog post explaining how attackers could exploit the vulnerability in Windows and what Microsoft has been doing to fix the problem. According to Cisco Talos, a security company, Microsoft's macOS apps, like Outlook, Word, Teams, OneNote, and Excel, contain a major flaw that renders them unusable. By taking advantage of this vulnerability, attackers can inject malicious libraries into these apps, which will give them access to the permissions and entitlements granted by the user. 

According to Apple's macOS framework, permission-based data collection relies on the Transparency, Consent, and Control framework, which is composed of three components. As a result, macOS will request permission from the user before running new apps and display prompts when an app asks for sensitive information, for example, contacts, photos, webcam data, etc. when the user wants to grant permission from the computer. It is important to understand that the severity of these vulnerabilities varies depending on the app and its permissions. 

There are several ways in which Microsoft Teams, which is a popular tool for professional communication, could be exploited to capture conversations or access sensitive information, for instance. As another example, the report notes that Microsoft Outlook may be used to send unauthorized emails and, ultimately, cause data breaches, according to the report. With the help of TCC, apps must request certain entitlements to access certain features such as the camera, microphone, location services, and other features on the smartphone. 

A majority of apps do not even have to ask for permission to run without these entitlements, preventing access to unauthorized users. Cisco Talos' discovery of the exploit, however, shows that malicious actors are capable of injecting malicious code into Microsoft apps, which then hijacks the permissions that were granted to those apps previously. It means that an attacker with the correct skills can successfully inject code into a software application such as Microsoft Teams or Outlook and gain access to a Mac computer's camera or microphone, allowing them to record audio or take photos without the user's knowledge to do so. 

It was found by Cisco Talo that Microsoft has made an acknowledgement of these security flaws in its applications and has classified them as low risk, in response to Cisco Talo's findings. Additionally, some of Microsoft's applications, including Teams and OneNote, have been updated to address the problem with library validation in these applications. As for other vulnerable apps from Microsoft, such as Excel, PowerPoint, Word, and Outlook, the company has not yet taken action to fix them. Security Concerns Raised Over Vulnerabilities in Microsoft Apps for macOS Recent findings by cybersecurity experts at Cisco Talos have brought to light significant vulnerabilities in popular Microsoft applications for macOS. 

These flaws, discovered in apps such as Outlook, Teams, Word, and Excel, have alarmed users and security professionals alike, as they allow hackers to potentially spy on Mac users by bypassing Apple's stringent security measures. The issue revolves around macOS's Transparency, Consent, and Control (TCC) framework, which is designed to protect users by requiring explicit consent before apps can access sensitive data, such as cameras, microphones, or contacts. However, Cisco Talos researchers uncovered that eight widely used Microsoft apps contained vulnerabilities that could be exploited by attackers to bypass the TCC system. 

This means that hackers could potentially leverage the permissions already granted to these apps to spy on users, send unauthorized emails, or even record videos—all without the user’s knowledge or consent. The researchers expressed concerns about Microsoft’s decision to disable certain security features, such as library validation. This safeguard was originally intended to prevent unauthorized code from being loaded onto an app. 

However, Microsoft’s actions have effectively circumvented the protections offered by the hardened runtime, potentially exposing users to unnecessary security risks. Despite addressing some vulnerabilities, Microsoft has not yet fully resolved the issues across all its macOS applications, leaving apps like Excel, PowerPoint, Word, and Outlook still susceptible to attacks. This partial response has led to further concerns among security experts, who question the rationale behind disabling security measures like library validation when there’s no clear need for additional libraries to be loaded. 

The Cisco Talos team also pointed out that Apple could enhance the security of the TCC framework. One suggestion is to introduce prompts for users whenever third-party plugins are loaded into apps that have already been granted sensitive permissions. This added layer of security would help ensure that users are fully aware of any unusual or unauthorized activities within their applications. Given the current state of these vulnerabilities, both Microsoft and Apple may need to take more proactive steps to protect their users from potential threats. 

As digital communication tools continue to play a critical role in our daily lives, the importance of robust security measures cannot be overstated. In the meantime, Mac users who rely on Microsoft applications are advised to remain vigilant. Keeping their software up to date and monitoring for any unusual activities can help minimize the risk of exploitation. While these companies work on strengthening their defenses, user awareness and caution remain key to navigating the ever-evolving landscape of cybersecurity threats.
Read more »
Security
Cyber Attacks Data Leak data security Hackers Hacks Microsoft Outlook Safety Security

Microsoft Acknowledges Hacking Incident Targeting Outlook and OneDrive in June

 

Microsoft faced significant service disruptions in early June, affecting their flagship office suite, including Outlook email and OneDrive file-sharing apps, as well as their cloud computing platform. A hacktivist group called Anonymous Sudan claimed responsibility for these disruptions, conducting distributed denial-of-service (DDoS) attacks by flooding the sites with junk traffic.

Initially, Microsoft was hesitant to reveal the cause but has now confirmed that the DDoS attacks from the aforementioned group were indeed responsible. However, the company has provided limited details and did not immediately comment on the number of affected customers or the global impact. Microsoft confirmed that Anonymous Sudan was behind the attacks, as claimed by the group on its Telegram social media channel. Some security researchers suspect the group to have ties to Russia.

Following a request by The Associated Press, Microsoft published an explanation in a blog post on Friday evening. However, the post lacked specific information, stating that the attacks temporarily affected the availability of some services. It also mentioned that the attackers aimed for disruption and publicity, likely utilizing rented cloud infrastructure and virtual private networks to bombard Microsoft servers using botnets comprised of infected computers worldwide.

Microsoft clarified that there was no evidence of customer data being accessed or compromised during the attacks. While DDoS attacks primarily cause inconvenience by rendering websites unreachable, experts emphasize that they can still disrupt the work of millions, especially if they successfully interrupt the services of major software service providers like Microsoft, which play a crucial role in global commerce.

The extent of the impact caused by the attacks on Microsoft's services remains unclear.

“We really have no way to measure the impact if Microsoft doesn’t provide that info,” said Jake Williams, a prominent cybersecurity researcher and a former National Security Agency offensive hacker. Williams said he was not aware of Outlook previously being attacked at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.”

Microsoft referred to the attackers as Storm-1359, a designation used for groups whose affiliation with the company is yet to be established. Determining the identity of adversaries in cybersecurity investigations can be a time-consuming challenge, particularly when they possess advanced skills.

Pro-Russian hacking groups, including Killnet, which cybersecurity firm Mandiant links to the Kremlin, have been conducting DDoS attacks on government and other websites affiliated with Ukraine's allies. In October, some U.S. airport sites were targeted. Analyst Alexander Leslie from Recorded Future, a cybersecurity firm, stated that it is unlikely for Anonymous Sudan to be located in Sudan, as they claim, and suggested that the group collaborates closely with Killnet and other pro-Kremlin groups to disseminate pro-Russian propaganda and disinformation.

Edward Amoroso, CEO of TAG Cyber and a professor at NYU, emphasized that the Microsoft incident highlights the ongoing and “a significant risk that we all just agree to avoid talking about. It’s not controversial to call this an unsolved problem". He suggested that the best defense against such attacks is to distribute services widely, such as by utilizing a content distribution network.

Security researcher Kevin Beaumont noted that the techniques employed by the attackers are not new, with one dating back to 2009.

On Monday, June 5, serious impacts from the Microsoft 365 office suite interruptions were reported, reaching a peak of 18,000 outage and problem reports on the Downdetector tracker shortly after 11 a.m. Eastern time.

Microsoft acknowledged the disruption of services, including Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business. The attacks persisted throughout the week, and Azure, Microsoft's cloud computing platform, was confirmed to have been affected on June 9. During this time, OneDrive's cloud-based file-hosting experienced a global outage, although the desktop clients remained unaffected.
Read more »
Outlook
Anonymous Sudan Cloud Platform Cyber Attacks Cyberattack DDOS Attack Microsoft Outlook

Microsoft: Disruptions in Outlook, Cloud Platform Services Were Caused by a Cyberattack


Earlier this June, some periodic but significant disruptions could be seen in Microsoft’s flagship office suite. That cyberattack disrupted services of Microsoft affiliated apps like Outlook email and OneDrive file sharing app along with cloud computing platform. After the attack was confirmed, an anonymous hacktivist seems to have taken the blame, claiming to have flooded the sites with traffic through their distributed denial-of-service (DDoS) attacks.

Microsoft was initially hesitant to admit that DDoS attacks by the murky upstart were to blame, but has since admitted that this was the case.

Although, they did not immediately confirm the number of customers affected by the attack or whether it had any global impact, Microsoft has now provided certain details on the matter.

A Microsoft spokesperson stated that the threat group behind the attacks has confirmed to have been ‘Anonymous Sudan.’ At the time, it took ownership of the situation via its Telegram social media channel. Some cybersecurity experts think the group is based in Russia.

On Friday, an explanation on the matter by Microsoft was published in a blog post following a request from The Associated Press made two days prior. The post, which was sparse on data, stated that the attacks "temporarily impacted availability" of some services. According to the report, the attackers targeted "disruption and publicity" and used probable rented cloud infrastructure and virtual private networks to flood Microsoft servers with attacks from so-called botnets of zombie machines spread around the world.

According to Microsoft, there is no proof that any customer information was accessed or compromised.

In regards to the severity of attacks, Jake Williams, a prominent cybersecurity researcher and a former NSA offensive hacker says “We really have no way to measure the impact if Microsoft doesn’t provide that info.” William added he was unaware of Outlook being attacked previously at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. “Microsoft’s apparent unwillingness to provide an objective measure of customer impact probably speaks to the magnitude,” he said.

While DDoS attacks do not come under the severity radar in cyber activities since they only make websites inaccessible without even penetrating them, security professionals believe that they can however disrupt the operations of several million of online users if they are successful in exploiting services of software service giants, like Microsoft, since a large chunk of global commerce rely on such organizations.

Read more »
phishing
Cyber Attacks CyberCrime DDoS Email Microsoft 365 Microsoft Outlook Outlook phishing

Outlook Services Paralyzed: Anonymous Sudan's DDoS Onslaught

 


In the last few days, several distributed denial-of-service (DDoS) attacks have been launched against Microsoft Outlook, one of the world's leading email providers. Anonymous Sudan, a hackers' collective, has launched DDoS attacks against Microsoft Outlook. The attacks, which aim to disrupt services and create concerns about various issues, have disrupted Outlook users worldwide. Additionally, online platforms are quite vulnerable to cyber threats because they are hosted online. 

Several outages have been reported today on Outlook.com for the same reason as yesterday's outages. Anonymous Sudan, an Internet hacking collective, claims that it performs DDoS attacks against the service on hackers' behalf. 

It has been claimed, however, that the hacktivist group Anonymous Sudan is responsible for the attack. They assert that they are conducting a distributed denial of service (DDoS) attack on Microsoft's service in protest of US involvement in Sudanese internal affairs by operating cyberattacks against its infrastructure. 

Approximately 1 million Outlook users across the globe have been affected by this outage, which follows two more major outages yesterday. Due to this issue, Outlook's mobile app cannot be used by users in a wide range of countries as users cannot send or receive emails. 

There have been complaints on Twitter about Outlook's spotty email service. Users assert that it has impacted their productivity as a result. 

It was announced over the weekend that the hacktivist group would be launching a campaign against the US as a response to the US interference in Sudanese internal affairs recently as part of its anti-US campaign. They cited the visit made by Secretary of State Antony Blinken to Saudi Arabia last week, in which he discussed the ongoing humanitarian situation in the country. 

There has also been an announcement by the White House that economic sanctions will be imposed on various corrupt government entities in Sudan, including the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF), which are considered responsible for the escalation of the conflict. 

In response to this, Anonymous Sudan launched a distributed denial of service attack in late November, targeting the ride-sharing platform Lyft, in an attempt to overload a site or server with bot requests, thereby essentially bringing it to a standstill. 

It is also worth noting that several regional healthcare providers across the country were also taken offline during the weekend campaign.

Email communication was interrupted by several disruptions, including delayed or failed delivery of messages, intermittent connectivity problems, and slow response times. This was as a result of this issue. Individual users were inconvenienced by these interruptions; however, businesses that rely on Outlook for their day-to-day operations were also facing challenges as a result of these disruptions. This attack demonstrates the vulnerability of online platforms and emphasizes the need for robust cybersecurity measures to guard against threats of this nature. This is to ensure online platforms remain secure. 

In many tweets posted to Twitter by Microsoft, the company has alternated back and forth between saying they have mitigated the issue and that the issue is back again, implying that these outages are caused by technical issues. 

A group called Anonymous Sudan is claiming responsibility for the outages, claiming they are out to protest the US infiltrating Sudanese internal affairs through its involvement in the DDoS attacks against Microsoft and claim responsibility for the outages as well.

As a result of the continuous DDoS attacks on Microsoft Outlook and Microsoft 365 services, the group has been taunting Microsoft in its statements in the past month. 

There is increasing evidence that Microsoft Outlook continues to suffer crippling attacks from Anonymous Sudan, which frequently result in the suspension of service and the growth of concerns about the security of the online environment due to DDoS attacks launched by Anonymous Sudan. It has been observed that these deliberate disruptions hurt the user experience and the online platform. This is because these disruptions expose them to cyber threats. 

This ongoing situation only confirms the importance of cybersecurity measures to safeguard critical online services. The necessity of introducing these measures would be essential to ensure their protection in the future. Additionally, it raises questions about the platform's ability to cope with persistent and coordinated attacks on its cybersecurity system. 

The case between Anonymous Sudan and Microsoft in a world where cybersecurity threats are increasing by the day, serves as a timely reminder of the importance of continuous vigilance. This is to prevent these threats from becoming stronger as they progress in a direction not fully understood by users.
Read more »
Yahoo
Cryptography Cyber Crime Email Attacks Encryption Gmail Outlook Protonmail User Privacy Yahoo

Is Data Safeguarded by an Encrypted Email Service?

Email is the primary form of communication in both our personal and professional lives. Users might be surprised to hear that email was never intended to be secure due to our dependency on it. Email communication carries some risks, but you may still take precautions to protect your inbox. 

What is encryption in email?

One of the most important applications for practically any organization nowadays is email. Additionally, it's among the primary methods for malware to infect businesses.

Email encryption is the process of encrypting email communications to prevent recipients other than the intended ones from seeing the content. Authentication may be included in email encryption.

Email is vulnerable to data exposure since it is usually sent in clear text rather than encryption. Users beyond the intended receivers can read the email's contents using tools like public-key cryptography. Users can issue a public key that others can use to encrypt emails sent to them, while still holding a private key that they can use to decrypt those emails or to electronically encrypt and verify messages they send.

Impacts of an Encrypted Email Service

1. Safeguards Private Data 

It is crucial to ensure that only intended recipients view the material sent via email as it frequently contains sensitive data and business secrets. It is also vital that cyber criminals are unable to decrypt the data being transmitted between people. 

Services for encrypted email are created in a way that protects user privacy rather than invading it. Not simply because they are run by very small teams, but also because their platforms were created with security in mind, encrypted email services are intrinsically more secure. To begin with, the majority employ zero-access encryption, which ensures that only the user has access to confidential data.

2. Cost-effective 

It is not necessary to buy additional hardware whenever the server which hosts the email service currently includes encryption. Many firms have invested in their own servers although it might not be essential.  A reliable third-party service is substantially less expensive.

3. Barrier Against Government Monitoring 

One can learn everything you need to know about Gmail and Yahoo from the fact that no major whistleblower, activist, dissident, or investigative reporter trusts them to transmit sensitive information, at least in terms of government surveillance. Google, for instance, makes it very plain on its official website that it reserves the right to accede to requests from the government and provide useful information.ProtonMail is founded in Switzerland, a country with some of the world's strongest privacy rules.

4. Prevents Spam

Spam attachments frequently contain malware, ensuring that hackers gain access. When you or another person uses encrypted email to deliver attachments, the email includes a digital signature to verify its authenticity. No individual will accept spoofed emails this way. 

Establish strong digital practices to prevent exposing oneself vulnerable. Update your hardware and software. We must improve internet security measures as our reliance on technology increases. Services for secure, encrypted email provide everything that caters to your privacy needs. 

Read more »
User Priavcy
Cyber Security MFA Microsoft Azure Multi-factor authentication Outlook User Priavcy

Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users

 

Azure Active Directory has received a handful of security updates from Microsoft. In preview, the business has unveiled a new access reviews tool that allows enterprises to delete inactive user accounts which may pose a security concern. Users who created the new Azure AD tenant after October 2019 received security defaults, however, customers who built Azure AD tenants before October 2019 did not receive security defaults. 

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It's useful for companies who don't want contractors or former employees to have access to sensitive data. Azure Active Directory (Azure AD) is a Microsoft cloud service that manages identification and authentication for on-premise and cloud applications. In Windows 2000, it was the advancement of Active Directory Domain Services. 

"The term "sign-in activity" refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained. 

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.
Read more »
Spam
Banking Trojan Cyber Attacks Cyberattacks DHL Express DLL load hijacking Emotet Kaspersky malspam Outlook PayPal PowerShell Spam

Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.
Read more »
Outlook
Iranian hackers Linkedin Microsoft Outlook

99 Iranian websites used for hacking were seized by Microsoft

                    




According to a report by Associated Press, Microsoft has seized 99 Iranian websites that were supposedly stealing information and launching cyber attacks. The report also said that it had been tracking the group of hackers since 2013.

The hackers were targeting people in the middle east to steal sensitive information by using the malicious websites that were disguised as Microsoft, Linkedin, Outlook and Windows products. Microsoft confirmed in a court filing that this group was stealing information about reporters, activists, political people including “ protesting oppressive regimes”.

The hackers are from Iran but the Tehran government has denied any hacking activity from their end. In the past also Iran government has denied any hacking attempts from their end.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks told Associated Press that according to her observation it is one of the “more active Iranian threat groups”. She further added that Microsoft analyze fake domains through analyzing traffics to protect against fake domains and the practice is popularly called as “sinkholing”.In the past also, Microsoft has used “sinkholing” to seize fake domains made by Russian hackers back in 2016.







Read more »
SSL certificate.
Azure Blob Storage Landing pages Microsoft Outlook phishing Phishing emails SSL certificate.

Phishing Attacks on Microsoft and Outlook; By Way of Microsoft’s Azure Blob Storage




Two major phishing campaigns have been discovered by the researchers which uses Microsoft’s Azure blob to steal details from Outlook and Microsoft accounts.


Both the campaigns employ real-looking landing pages which make use of SSL certificates and the windows.net domain to seem authentic.

The first phishing email goes around asking the receivers to log into their office 365 account to update the information.

The emails happened to have “Action Required: (email address) information is outdated-Re-validate now!!” in their subject boxes.

The moment a user clicks on the link provided in the mail, they will be directed to a landing page which fake-acts as the organization’s Outlook Web App.

This landing page is what does the main task of stealing the credentials from the user.

The second one works on stealing users’ Microsoft account details and credentials.

The process to lure in the user starts from Facebook’s workplace service and ends up taking the user to a Microsoft’s landing page.

This could either be s single-sign-on approach or a mixed up campaign for luring victims in.

The Microsoft account the users are brought to, is fairly legit looking as it uses the same form and the same background for that matter.

Both the landing pages make use of Azure Blog Storage to make them look convincing and as far as possible, legitimate.

All Microsoft Azure does is that is adds legitimacy to the landing pages used by the phishing-cons to target the Microsoft services.

The Azure Blob storage URLs use the windows.net domain making the landings look fairly legitimate.

One of the phishing links which is not in use anymore had the URL-  https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/ and the domain name seemed to do the trick.

Also, every URL on Azure Blob Storage happens to be using a wildcard SSL certificate from Microsoft, making every landing page get a “lock symbol”.

This would exhibit a Microsoft certificate every time a user would try to click on the certificate to check who signed, making the entire sham all the more believable.

To steer clear of such phishing attack one thing need to be kept in mind that the original login forms from Outlook and Microsoft could indubitably have outlook.com, live.com, and Microsoft.com as their domain names.

Read more »
Subscribe to: Posts (Atom)