Increased Phishing Attacks Disguised as Microsoft

The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages.

As shown in the figure below, one of the collected samples is disguised as the company’s voice message to prompt users to click the attached playback file. Clicking the file redirects users to a phishing webpage disguised as a Microsoft login page.

Figure 1. Phishing sample 1

Another sample is an attachment disguised as a file that is sent with a scanner, prompting users to click the attachment. Again, clicking the file redirects users to a phishing webpage disguised as a Microsoft login page.

Figure 2. Phishing sample 2

For both samples, clicking the attachment redirects users to a webpage that looks similar to a Microsoft login webpage (see Figure 3 and 4). The webpage already has the email address entered and only requires users to fill in the password. As for the sample in Figure 4, the website first displays a webpage disguised as an auto-login process. It then acts as if the auto-login failed, redirecting users to a phishing webpage that requires user account credentials. Since the login process is similar to that of Microsoft, users may enter their passwords without doubting it.

Figure 3. Phishing webpage of Sample 1
Figure 4. Phishing webpage of Sample 2

The phishing webpages for the samples are created by decoding the percent-encoding string within the script and writing it in the DOM (see Figure 5), with the decoding process performed repeatedly. Removing the encoding with unescape shows the HTML that will be ultimately rendered (see Figure 6).

Figure 5. Script code configuration of phishing webpage
Figure 6. Decoded HTML

After entering the password and clicking the login button from the phishing website, the password is sent to the attacker’s server unrelated to Microsoft (see Figure 7).

Figure 7. Stealing account password

As the attacker can gain access to the user’s company email account with the stolen account credentials and leak sensitive information, extreme caution is advised.

Users should refrain from opening attachments in emails from unknown sources and entering account credentials in suspicious webpages.

AhnLab is currently blocking the domain of this phishing page.

[IOC]
– hxxps://highestindroom2021[.]com/x/data.php
– hxxps://ivghsot[.]com/lab.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

3 2 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments