Microsoft Warns About Email Phishing Kit

June 28, 2023

Microsoft warns of large-scale use of an email phishing kit to send millions of emails daily. A sophisticated phishing campaign targeting credentials for Microsoft email services is under way, employing a custom proxy-based phishing kit to circumvent multi-factor authentication. The cybercriminals behind it register new phishing domains almost daily.

The attack chain begins with document-themed email messages that link to PDF documents, redirecting the victim to a login page impersonating Microsoft’s sign-in portal – but only after demanding they complete a CAPTCHA step.

DEV-1101

Microsoft recently warned of a new email phishing kit being used by threat actors to send millions of emails daily. The kit, offered by an emerging threat actor that Microsoft tracks as DEV-1101, can be automated and launched at scale for phishing campaigns.

Cybercriminals using this kit can circumvent multi-factor authentication (MFA) safeguards and use stolen credentials to access sensitive information on victims’ systems. They can also spoof email addresses to impersonate legitimate email accounts belonging to their targets.

The attackers behind this campaign are targeting users from financial technology, lending, insurance, energy and manufacturing sectors in the US, UK and Australia. They send out phishing emails that appear to come from these target organizations and instruct recipients to log into their Microsoft accounts in order to confirm their identity.

Phishing attacks are a popular technique cybercriminals use to obtain personal data. They typically involve an emailed link that directs recipients to a fraudulent website, which then asks them for sensitive information such as passwords and credit card numbers.

Phishing emails can also be used to deliver malware to a victim’s computer. Malvertising is another phishing-related technique that involves sending malicious advertisements through email messages. These advertisements often include links that direct users to sites that can infect their computers with malicious code or steal personal information.

In many phishing scams, attackers obtain personal data through a method called session hijacking. This involves placing a proxy server between the user and the legitimate website so that the user’s passwords and session cookies pass through the attacker and can be intercepted.

Though these attacks can be highly effective, phishing attempts can be detected, and passwords and one-time codes alone should never be relied upon to protect access to sensitive data. Organizations should implement phishing-resistant authentication methods to prevent these incidents from occurring.
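
Why phishing-resistant methods hold up where a password plus a one-time code does not comes down to what the authenticator signs. The toy model below is an added illustration, not code from Microsoft or from any kit named on this page: the origins are constructed, and an HMAC over the client data stands in for the asymmetric signature a real WebAuthn authenticator produces. A relayed password and code succeed against the real site; a relayed WebAuthn assertion fails because the browser, not the user, fills in the origin that ends up under the signature.

```python
"""Toy model of why origin-bound authentication (the WebAuthn/FIDO2 pattern)
resists an adversary-in-the-middle proxy while password + one-time code does not.

Added illustration; not code from Microsoft or from any kit named on the page.
Origins are constructed; HMAC stands in for the authenticator's signature.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"             # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-lookalike.test"  # constructed phishing origin


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    """The authenticator signs the challenge together with the origin the browser
    reports. The user never types the origin, so a lookalike page cannot choose it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The legitimate site: holds the password, the OTP seed and the credential key."""

    def __init__(self) -> None:
        self.password = "correct horse battery"
        self.otp_seed = secrets.token_bytes(16)
        self.credential_key = secrets.token_bytes(32)  # stands in for the public key
        self.outstanding: set[str] = set()

    def current_otp(self) -> str:
        # Stand-in for TOTP: a bearer value valid for the whole window, so anyone
        # who sees it before it expires can relay it.
        return hmac.new(self.otp_seed, b"window-1", hashlib.sha256).hexdigest()[:6]

    def legacy_login(self, password: str, otp: str) -> bool:
        return password == self.password and otp == self.current_otp()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def webauthn_login(self, challenge: str, claimed_origin: str, assertion: str) -> bool:
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)           # challenges are single use
        if claimed_origin != REAL_ORIGIN:             # reject assertions made elsewhere
            return False
        expected = sign_assertion(self.credential_key, challenge, claimed_origin)
        return hmac.compare_digest(expected, assertion)  # origin is under the signature


class Authenticator:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def assert_for(self, challenge: str, browser_origin: str) -> str:
        return sign_assertion(self.key, challenge, browser_origin)


def aitm_relay_password_otp(rp: RelyingParty, typed_password: str, typed_otp: str) -> bool:
    """The proxy forwards whatever the victim typed into the lookalike page."""
    return rp.legacy_login(typed_password, typed_otp)


def aitm_relay_webauthn(rp: RelyingParty, authenticator: Authenticator) -> bool:
    """The proxy obtains a real challenge and forwards it, but the victim's browser
    is on the lookalike origin, so the assertion is bound to PROXY_ORIGIN."""
    challenge = rp.new_challenge()
    assertion = authenticator.assert_for(challenge, PROXY_ORIGIN)
    honest = rp.webauthn_login(challenge, PROXY_ORIGIN, assertion)   # fails origin check
    challenge = rp.new_challenge()
    assertion = authenticator.assert_for(challenge, PROXY_ORIGIN)
    forged = rp.webauthn_login(challenge, REAL_ORIGIN, assertion)    # fails signature check
    return honest or forged


def direct_webauthn(rp: RelyingParty, authenticator: Authenticator) -> bool:
    """The user on the real origin: the assertion verifies."""
    challenge = rp.new_challenge()
    return rp.webauthn_login(challenge, REAL_ORIGIN, authenticator.assert_for(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    rp = RelyingParty()
    auth = Authenticator(rp.credential_key)
    print("password+OTP relayed through proxy:", aitm_relay_password_otp(rp, rp.password, rp.current_otp()))
    print("WebAuthn relayed through proxy:    ", aitm_relay_webauthn(rp, auth))
    print("WebAuthn on the real origin:       ", direct_webauthn(rp, auth))
```

The check that matters is the last two lines of `webauthn_login`: the origin is compared against the relying party's own, and because the origin is inside the signed client data, a proxy cannot substitute the real origin without invalidating the signature.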

Microsoft warns that the availability of email phishing kits, which criminal actors can purchase or rent, has significantly lowered the entry barrier into cybercrime. These tools reduce both the cost and the effort of launching a successful attack and contribute to the industrialization of the cybercriminal economy. Such kits often come as part of phishing-as-a-service offerings, which frequently leads to double theft: stolen credentials are sent both to the service provider and to its clients.

TodayZoo

Phishing scams have evolved in recent years, as attackers employ different techniques to make it harder for victims to identify them and to mitigate the damage they cause. One such technique is the use of phishing kits, which provide low-skill threat actors with ready-to-use templates sold on underground forums for a one-time fee. With full language support included, cybercriminals no longer need to create their own pages.

Microsoft researchers recently identified an unusual campaign, TodayZoo, which uses bits and pieces of code from other hacker-authored phishing kits to steal passwords. This campaign began in December 2020 but has continued without much interruption ever since.

According to a blog post from the Microsoft Security Response Center, TodayZoo has been used in widespread credential phishing attacks that target multiple companies and users. The phishing kit mimics Microsoft’s email notifications such as password reset or fax/scan alerts and directs victims to landing pages with credential harvesting components that allow for entry, collection and exfiltration of their credentials.

It also employs various obfuscation and design tactics to deceive victims into disclosing their credentials. Examples include zero-point font obfuscation, which is HTML text with a zero font size in an email to make it harder for humans to detect and block phishing attempts.
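
The zero-point font trick is easy to catch once the mail filter compares what a person would see with what the HTML actually contains. The scanner below is an added example, not Microsoft's or the kit's code; the sample message is constructed, and it handles inline `style="font-size:0..."` declarations only (real filters also resolve `<style>` blocks and other hiding techniques).

```python
"""Detect zero-size font text in an HTML email body.

Added example; not Microsoft's or TodayZoo's code. The sample message is
constructed. Only inline style="font-size:0..." is handled here.
"""
import re
from html.parser import HTMLParser

# font-size set to zero, with or without a unit: "font-size:0px", "font-size: 0;", "font-size:0 !important"
ZERO_FONT_RE = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$|!)", re.I)

# Elements with no closing tag must not be pushed on the nesting stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


class HiddenTextScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self._hidden_stack: list[bool] = []   # one entry per open element: is its text hidden?
        self.visible_chunks: list[str] = []
        self.hidden_fragments: list[str] = []

    @staticmethod
    def _zero_font(attrs) -> bool:
        style = dict(attrs).get("style") or ""
        return ZERO_FONT_RE.search(style) is not None

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        self._hidden_stack.append(inherited or self._zero_font(attrs))  # hiding is inherited

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        hidden = self._hidden_stack[-1] if self._hidden_stack else False
        if hidden:
            if data.strip():
                self.hidden_fragments.append(data.strip())
        else:
            self.visible_chunks.append(data)


def scan_email_html(html: str) -> dict:
    """Return what a human sees next to what only the filter sees."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    visible_text = re.sub(r"\s+", " ", "".join(scanner.visible_chunks)).strip()
    hidden_chars = sum(len(f) for f in scanner.hidden_fragments)
    return {
        "visible_text": visible_text,
        "hidden_fragments": scanner.hidden_fragments,
        "hidden_chars": hidden_chars,
        "suspicious": hidden_chars > 0,
    }


# Constructed sample: junk inserted into "password" plus a hidden filler paragraph.
SAMPLE_EMAIL = """<html><body>
<p>Your <span style="font-size:0px">jkq</span>pass<span style="font-size: 0;">zzv</span>word will expire today.</p>
<p>Sign in <a href="https://login.example-lookalike.test/">here</a> to keep access.</p>
<div style="font-size:0">lorem ipsum filler meant only for the filter</div>
</body></html>"""


if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    print("Human sees :", result["visible_text"])
    print("Hidden text:", result["hidden_fragments"])
    print("Suspicious :", result["suspicious"])
```

Running the scanner on the reconstructed visible text ("Your password will expire today...") rather than the raw HTML is what lets keyword rules fire on the phrase the attacker split up; the presence of any hidden fragments is itself a strong signal worth scoring.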

Furthermore, phishing kits often consist of various components that are recycled and reused in different ways. This practice is commonplace among phishing and malware kits, where different elements of an attack are repurposed to avoid detection or enhance its overall effectiveness.

Unfortunately, it can be challenging to tell where one phishing kit ends and another begins, which reflects the variety of methods cybercriminals use when assembling and deploying phishing kits.

Many of these phishing kits are built by the cybercriminals themselves or purchased from PhaaS providers, which lets them quickly and easily create new variants of phishing scams as long as they have the necessary resources.

DanceVida

Name in lights, this is the dance floor of a modern technology-enabled household. The company has an inherent interest in their unwitting customers and boasts an impressive portfolio of software and hardware products. Notable names among them include an elite managed services team, data center with numerous accolades, IT department, mobile app store and cloud based solutions.

Adversary-in-the-Middle

Microsoft recently issued an alert warning of the rise of more sophisticated hacking techniques. These include Adversary-in-the-Middle (AiTM) phishing kits which circumvent Multi-Factor Authentication (MFA) safeguards to obtain credentials and system access.

AiTM phishing schemes employ lookalike landing pages that deploy a proxy server between users and the website they intend to visit. This server can intercept passwords and session cookies in order to gain unauthorized access to the victim’s account.

The attack begins with document-themed email messages that include links to PDF files that direct recipients to a login page impersonating Microsoft’s sign-in portal. Once on these login pages, users must complete a CAPTCHA step in order to confirm their identity.

Once a user enters their credentials and clicks “OK,” the request is forwarded to the attacker’s proxy server, which maintains two Transport Layer Security (TLS) sessions: one between the proxy and the user, and another between the proxy and the target website the user intends to access.

Once the attacker has the victim’s credentials, the proxy uses them to log in to the targeted website while the victim completes the MFA prompt, which the proxy relays, so the MFA check is satisfied for the attacker’s session. This gives the attacker access to real Microsoft 365 services as well as session cookies that can be replayed in later bypass attempts.
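
The stolen session cookie leaves a trace defenders can hunt for: a token minted right after MFA from one network and then used from a different network minutes later. The detector below is an added example, not Microsoft's code or any product's rule; the log format and every value in it are constructed (TEST-NET addresses, private ASNs), and the one-hour window is an assumed tuning parameter.

```python
"""Flag session tokens minted after MFA from one network and used from another
shortly afterwards, the footprint an AiTM proxy leaves when it replays a cookie.

Added example; not Microsoft's code or a product's detection rule. The log
format and all values are constructed (TEST-NET addresses, private ASNs).
"""
import json
from datetime import datetime, timedelta

# Constructed sign-in events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2023-06-27T09:00:00Z", "user": "alice", "session": "S1", "ip": "203.0.113.10", "asn": 64500, "event": "mfa_satisfied"}
{"ts": "2023-06-27T09:02:10Z", "user": "alice", "session": "S1", "ip": "203.0.113.10", "asn": 64500, "event": "token_use"}
{"ts": "2023-06-27T09:07:45Z", "user": "alice", "session": "S1", "ip": "198.51.100.7", "asn": 64501, "event": "token_use"}
{"ts": "2023-06-27T09:10:00Z", "user": "bob", "session": "S2", "ip": "192.0.2.44", "asn": 64500, "event": "mfa_satisfied"}
{"ts": "2023-06-27T09:30:00Z", "user": "bob", "session": "S2", "ip": "192.0.2.44", "asn": 64500, "event": "token_use"}
{"ts": "2023-06-27T17:00:00Z", "user": "bob", "session": "S2", "ip": "198.51.100.9", "asn": 64502, "event": "token_use"}
"""


def parse_events(log_text: str):
    """Yield event dicts with the timestamp parsed; blank lines are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_session_replay(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Return one finding per token use from a different ASN than the one that
    satisfied MFA for that session, if it happens within `window` of the MFA event."""
    anchors = {}    # session id -> the event that satisfied MFA
    findings = []
    for event in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        sid = event["session"]
        if event["event"] == "mfa_satisfied":
            anchors[sid] = event
        elif event["event"] == "token_use" and sid in anchors:
            anchor = anchors[sid]
            elapsed = event["ts"] - anchor["ts"]
            # A different network within the window is the replay signature;
            # later changes are more likely a user who moved and are left to other rules.
            if event["asn"] != anchor["asn"] and elapsed <= window:
                findings.append({
                    "user": event["user"],
                    "session": sid,
                    "mfa_ip": anchor["ip"],
                    "replay_ip": event["ip"],
                    "minutes_after_mfa": round(elapsed.total_seconds() / 60, 2),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_LOG):
        print(json.dumps(finding))
```

Only alice's session is flagged: her token was used from a second ASN less than eight minutes after MFA. Bob's later use from another network falls outside the window and is left alone, which is the trade-off the window encodes between catching replay and paging on every user who changes networks.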

According to Microsoft’s alert, DEV-1101 has been behind several of these high-volume phishing campaigns. According to Redmond, DEV-1101 has developed and supported several AiTM phishing kits which other cybercriminals can purchase or rent. This is part of the industrialization of cybercrime and lowers the entry barrier for those interested in perpetrating it.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

