silversurfer (Thread author) - Aug 17, 2014
A fresh tactic for phishing Office 365 users employs credential-harvesting forms hosted on Azure Blob storage – signed with legitimate Microsoft SSL certificates to lend an air of legitimacy.
Azure Blob Storage is a cloud storage solution for hosting unstructured data such as images, video or text. The storage can be accessed using both HTTP and HTTPS connections, and when using HTTPS, a signed SSL certificate from Microsoft will be displayed.
According to Netskope, a recent phishing attack saw attackers sending spam with PDF attachments, which were disguised as documents of a law firm in Denver. The file name displayed “Scan files…, please review,” and the email contained a download button with a link.
When the user clicks on the button, they’re directed to an HTML page that appears to be the Office 365 login form stored in the Microsoft Azure Blob storage solution. There’s very little to tip off the recipient that the link is malicious; the address is a valid Blob address (containing “blob.core.windows.net” in the URL), and it’s marked as a secure site thanks to the SSL certificate. Even if the user checks the certificate, he or she will see a signature issued by Microsoft IT TLS CA 5.
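The point of the post is that a valid Microsoft certificate on a blob.core.windows.net address proves nothing about who controls the content, since anyone can create a storage account. A defender can still surface the pattern from mail logs: an HTML page served out of a blob container with login-themed naming is unusual for a data-storage endpoint. The following is an added example, not code from Netskope or the forum, of a small link-triage helper; the storage-account names, paths and sample links are constructed for illustration.

```python
"""Triage helper that flags e-mail links pointing at HTML pages hosted on
Azure Blob Storage. Added example; hostnames, paths and sample links are
constructed and not taken from any real campaign."""
import re
from urllib.parse import urlparse

# Storage-account hostnames take the form <account>.blob.core.windows.net.
BLOB_HOST_RE = re.compile(r"^[a-z0-9]+\.blob\.core\.windows\.net$")
HTML_EXT = (".html", ".htm")
LOGIN_TOKENS = ("login", "signin", "office", "o365")  # assumed keyword list


def classify_link(url: str) -> dict:
    """Return a verdict for one URL.

    A storage-account host alone is not enough to flag (legitimate files are
    served from blob containers all the time); the combination of a blob host
    with an HTML page and/or a login-themed path is what merits a closer look.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse lowercases the host
    path = parsed.path.lower()
    reasons = []
    if BLOB_HOST_RE.match(host):
        reasons.append("hosted on Azure Blob Storage")
        if path.endswith(HTML_EXT):
            reasons.append("serves an HTML page from a blob container")
        if any(tok in path for tok in LOGIN_TOKENS):
            reasons.append("login-themed path")
    # Two or more independent indicators -> worth an analyst's attention.
    return {"url": url, "suspicious": len(reasons) >= 2, "reasons": reasons}


def triage(urls):
    """Return only the verdicts marked suspicious, preserving input order."""
    return [v for v in (classify_link(u) for u in urls) if v["suspicious"]]


# Constructed sample links, as they might be extracted from a mail gateway log.
SAMPLE_LINKS = [
    "https://examplestorage.blob.core.windows.net/docs/office365-login.html",
    "https://examplestorage.blob.core.windows.net/images/logo.png",
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINKS):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```

Run it as-is and only the first sample link is reported. The threshold of two indicators is a design choice: a single blob-hosted image or document is routine, so flagging on the host alone would drown the signal in noise.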