Microsoft security researchers discovered an unusual phishing campaign that uses custom 404 error pages to trick potential victims into handing over their Microsoft credentials.
To do this, the attackers register a domain and, instead of creating a single phishing landing page to redirect their victims to, configure a custom 404 page that shows the fake login form.
This gives the phishers an infinite number of phishing landing page URLs, all generated from a single registered domain.
"The 404 Not Found page tells you that you’ve hit a broken or dead link – except when it doesn’t," says Microsoft's research team.
"Phishers are using malicious custom 404 pages to serve phishing sites. A phishing campaign targeting Microsoft uses such technique, giving phishers virtually unlimited phishing URLs."
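For defenders, the behaviour described above suggests a simple check over proxy or crawler logs: a host whose 404 responses carry a password field on several different paths deserves a closer look. The sketch below is an added example, not code from Microsoft or from the article; the log tuple format, the host names and the assumption that the custom error page is served with HTTP status 404 are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PasswordFieldScan(HTMLParser):
    """Records whether a page contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        # Attribute values can be None (e.g. <input disabled>), hence the "or".
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True

def has_password_field(body):
    scan = PasswordFieldScan()
    scan.feed(body)
    return scan.found

def hosts_with_login_on_404(responses, min_paths=2):
    """Map host -> sorted paths whose 404 response carried a password field.

    Assumption: the custom error page is returned with status 404.
    A host is reported only when at least min_paths distinct paths match,
    mirroring the "any URL on the domain shows the form" behaviour.
    """
    hits = {}
    for url, status, body in responses:
        if status == 404 and has_password_field(body):
            parts = urlsplit(url)
            hits.setdefault(parts.hostname, set()).add(parts.path)
    return {h: sorted(p) for h, p in hits.items() if len(p) >= min_paths}

# Constructed sample data: (url, status, body) as a proxy or crawler might log it.
LOGIN = '<html><form method="post"><input name="u"><input type="PASSWORD" name="p"></form></html>'
PLAIN = "<html><h1>404 Not Found</h1><p>The page does not exist.</p></html>"
SAMPLE = [
    ("https://suspicious.example/a81f/x", 404, LOGIN),
    ("https://suspicious.example/zz9", 404, LOGIN),
    ("https://benign.example/missing", 404, PLAIN),   # ordinary error page
    ("https://portal.example/login", 200, LOGIN),     # real login page, not a 404
]

if __name__ == "__main__":
    print(hosts_with_login_on_404(SAMPLE))
```
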