Large-Scale AiTM Attack targeting enterprise users of Microsoft email services


Summary

ThreatLabz has discovered a new strain of a large-scale phishing campaign, which uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics. Similar AiTM phishing techniques were used in another phishing campaign described by Microsoft recently here.

In June 2022, researchers at ThreatLabz observed an increase in the use of advanced phishing kits in a large-scale campaign. Through intelligence gathered from the Zscaler cloud, we discovered several newly registered domains that are used in an active credential-stealing phishing campaign.

This campaign stands out from other commonly seen phishing attacks in several ways. It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication. There are multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions.

The campaign is specifically designed to reach end users in enterprises that use Microsoft’s email services. Business email compromise (BEC) continues to be an ever-present threat to organizations and this campaign further highlights the need to protect against such attacks.

In this blog, we describe details of the tactics, techniques and procedures (TTPs) involved in the campaign.

Since the campaign is active at the time of blog publication, the list of indicators of compromise (IOCs) included at the end of the blog should not be considered an exhaustive list.

Key points

Corporate users of Microsoft’s email services are the main targets of this large-scale phishing campaign.

All these phishing attacks begin with an email sent to the victim with a malicious link.

The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.

In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.

Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.

A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.

Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.

Numerous URL redirection methods are used to evade corporate email URL analysis solutions.

Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.

Phishing campaign overview

Beginning in June 2022, ThreatLabz observed a sharp increase in advanced phishing attacks targeting specific industries and geographies.

We identified several newly registered domains set up by the threat actor to target Microsoft mail services’ users.

Based on our cloud data telemetry, the majority of the targeted organizations were in the FinTech, Lending, Finance, Insurance, Accounting, Energy and Federal Credit Union industries. This is not an exhaustive list of industry verticals targeted.

A majority of the targeted organizations were located in the United States, United Kingdom, New Zealand, and Australia.

After analyzing the large volume of domains used in this campaign, we identified some interesting domain name patterns which we highlight below.

Domains spoofing Federal Credit Unions

Some of the attacker-registered domains were typosquatted versions of the domains of legitimate Federal Credit Unions in the US.

Attacker-registered domain name    Legitimate Federal Credit Union domain name
crossvalleyfcv[.]org               crossvalleyfcu[.]org
triboro-fcv[.]org                  triboro-fcu[.]org
cityfederalcv[.]com                cityfederalcu[.]com
portconnfcuu[.]com                 portconnfcu[.]com
oufcv[.]com                        oufcu[.]com

Note: Per our analysis of the original emails using the Federal Credit Union theme, we observed an interesting pattern. These emails originated from the email addresses of the chief executives of the respective Federal Credit Union organizations. This indicates that the threat actor might have compromised the corporate emails of chief executives of these organizations using this phishing attack and later used these compromised business emails to send further phishing emails as part of the same campaign.

Domains spoofing password reset theme

Some of the domain names used keywords related to “password reset” and “password expiry” reminders. This might indicate that the theme of the corresponding phishing emails was also related to password reset reminders.

expiryrequest-mailaccess[.]com

expirationrequest-passwordreminder[.]com

emailaccess-passwordnotice[.]com

emailaccess-expirynotification[.]com

It is important to note that several other domains are involved in this active campaign; some of them are completely randomized, while others do not conform to any specific pattern.
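Both domain patterns above (near-miss spellings of a real credit union's domain, and password-reset keywords in the hostname) can be picked up mechanically when newly registered domains arrive from DNS or certificate-transparency feeds. The Python below is an added example and not code from ThreatLabz or the blog: it scores a defanged domain against a protected list with edit distance and flags the reset-theme keywords listed above. The five legitimate credit-union domains from the table stand in for an organisation's own protected list, which is an assumption.

```python
"""Triage newly registered domains the way the blog groups them:
near-miss spellings of protected domains and credential-reset keywords."""

# Watch list built from the five legitimate domains in the blog's table;
# a real deployment would load the organisation's own protected domains (assumption).
PROTECTED_DOMAINS = [
    "crossvalleyfcu.org",
    "triboro-fcu.org",
    "cityfederalcu.com",
    "portconnfcu.com",
    "oufcu.com",
]

# Keywords taken from the password-reset themed domains the blog lists.
THEME_KEYWORDS = ("password", "passwd", "expiry", "expiration",
                  "mailaccess", "reminder", "notice")


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation used in IOC lists back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return the protected domain this one is a near-miss of, or None.
    An exact match is the real domain, not a typosquat."""
    host = refang(domain)
    if host in protected:
        return None
    for legit in protected:
        if levenshtein(host, legit) <= max_distance:
            return legit
    return None


def theme_hits(domain: str) -> list:
    """Credential-reset keywords present in the hostname, in THEME_KEYWORDS order."""
    host = refang(domain)
    return [k for k in THEME_KEYWORDS if k in host]


def triage(domain: str) -> dict:
    """Summarise why a domain deserves a closer look (None / empty list = nothing found)."""
    return {
        "domain": refang(domain),
        "typosquat_of": typosquat_of(domain),
        "theme_keywords": theme_hits(domain),
    }


if __name__ == "__main__":
    for d in ("crossvalleyfcv[.]org", "expiryrequest-mailaccess[.]com", "oufcu[.]com"):
        print(triage(d))
```

A distance of 1 catches every pair in the table (a single substituted or doubled letter); raising it widens recall at the cost of false positives on short domains, so in practice the threshold is scaled by the length of the protected name.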

Distribution mechanism

We have limited visibility into the emails used to distribute the phishing URLs. In some cases, the malicious links were sent directly in the email body; in other cases, the link was present inside the HTML file attached to the email.

Figure 1 below shows an email which contained an HTML attachment with the malicious phishing URL embedded inside it.

Figure 1: phishing email sent to the user with HTML attachment

Figure 2 below shows the contents of the HTML attachment. It uses window.location.replace() to redirect the user to the phishing page when the HTML page is opened with the browser.

Figure 2: HTML attachment used to redirect the user to the phishing page

Figure 3 below shows an example of a phishing email in which the attacker sent the malicious link directly in the email body.

Figure 3: Malicious link present in the email body

We observed the use of a variety of URL redirection methods in a large number of cases. Instead of sending the actual phishing URL in the email, the attacker would send links that used a variety of redirection methods to load the final phishing page URL. We describe the details of some of these methods in the following section.

Abuse of legitimate web resources for redirections

The phishing sites were delivered, redirected to, and hosted using numerous methods.

A common method of hosting redirection code is to abuse web code editing/hosting services. The attacker uses these sites, intended for legitimate use by web developers, to rapidly create new code pages, paste in redirect code pointing at the latest phishing site's URL, and then mail the link to the hosted redirect page to victims en masse.

These services give the attackers flexibility, since the contents of the redirect code can be changed at any time. We have observed that, in the midst of a campaign, attackers modify the code of a redirect page to replace a phishing site URL that has been flagged as malicious with a fresh, undetected URL.

The most commonly abused service for this purpose is CodeSandbox.

Figure 4 below shows the most common redirect code hosted on CodeSandbox, utilized by the phishing site.

Figure 4: redirect code snippet on an attacker-controlled CodeSandbox instance

Figure 5 below shows an example of redirect code hosted on a similarly abused service – Glitch.

Figure 5: redirect code hosted on an attacker-controlled Glitch instance.

Many dozens, if not hundreds, of different CodeSandbox code pages were observed hosting different redirect codes to the phishing sites.

Many of those pages were authored by a network of registered CodeSandbox users, letting us see the names of the Google accounts used for their registration.

While most of the Google accounts we could find are anonymous throwaway accounts that are a dead end for attribution efforts, an internet search of a few account names ties some of the authors to older, more primitive phishing campaigns, and also shows a history of engaging in cryptocurrency investment/recovery scams.

Another method observed for URL redirection is the abuse of Open Redirect pages hosted by Google Ads and Snapchat. Figure 6 shows more details.

Figure 6: different methods of URL redirection abusing Open Redirect pages

Browsing to these links immediately redirects the client to the URL specified in the GET parameter highlighted in blue.

This method gives the attackers the benefit of being able to send emails with links pointing to these legitimate sites as the entry point, with the actual phishing sites’ addresses only appearing somewhere in the GET parameters, raising the likelihood of evading scanning of malicious URLs performed by email clients.
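Both delivery tricks described above (a JavaScript redirect inside an HTML attachment, and an open-redirect URL whose real destination sits in a GET parameter) can be unwound statically, before the link is ever followed, which is what an email gateway or a triage script needs to do. The Python below is an added example and not code from the blog or from the phishing kit: it pulls redirect targets out of HTML and then follows URLs nested in query parameters down to the final host. The hostnames in its sample attachment (ads-redirector.invalid, sso-login.invalid) are constructed placeholders, and the set of JavaScript redirect idioms it matches goes beyond the window.location.replace() the blog shows, which is an assumption.

```python
"""Resolve where an emailed link or HTML attachment really leads: extract redirect
targets from HTML, then unwrap open-redirect URLs whose destination is a parameter."""
import re
from urllib.parse import parse_qs, urlparse

# JavaScript redirect idioms. The attachment in Figure 2 used location.replace();
# the other forms are assumed variants worth matching.
JS_REDIRECT = re.compile(
    r"""(?:location\.replace|location\.assign|location\.href\s*=|window\.open)"""
    r"""\s*\(?\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0; url=..."> redirects.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["'][^"']*?url=([^"'\s]+)""",
    re.IGNORECASE,
)


def html_redirect_targets(html: str) -> list:
    """All URLs the HTML would send the browser to on load."""
    return JS_REDIRECT.findall(html) + META_REFRESH.findall(html)


def unwrap_open_redirect(url: str, max_depth: int = 5) -> list:
    """Follow URLs nested in query parameters and return the whole chain.
    parse_qs percent-decodes once per hop, so double-encoded links unwrap one level at a time."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlparse(chain[-1]).query)
        nested = [v for values in params.values() for v in values
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def resolve_attachment(html: str) -> list:
    """For each redirect in an attachment, the chain of URLs down to the final destination."""
    return [unwrap_open_redirect(target) for target in html_redirect_targets(html)]


# Constructed sample mimicking the Figure 2 attachment; both hostnames are placeholders.
SAMPLE_ATTACHMENT = """<html><body><script>
window.location.replace("https://ads-redirector.invalid/click?adurl=https%3A%2F%2Fsso-login.invalid%2F");
</script></body></html>"""

if __name__ == "__main__":
    for chain in resolve_attachment(SAMPLE_ATTACHMENT):
        print(" -> ".join(chain))
```

The last element of each chain is the host that should be reputation-checked or detonated; the intermediate hops are the legitimate redirectors an email URL scanner would otherwise stop at.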

Fingerprinting-based evasion

This campaign uses a client fingerprinting process on all of the phishing sites covered in this article. The process starts immediately when the page is visited.

The initial page clients are served consists of JavaScript code, ripped from the FingerprintJS project, whose purpose is to collect information from the client’s browser in order to help the site determine if the person behind the browser is in fact not an unsuspecting victim, but an unwelcome probing analyst or an automated bot.

The script gathers identifying information such as the client’s operating system, screen dimensions, and timezone, and communicates its findings back to the site by WebSocket traffic. The complete list of information gathered from the client’s machine is mentioned in the Appendix at the end of the blog.

Figure 7: Client fingerprint data sent to the server over websocket

With this information received, the site arrives at a verdict on whether it should continue reeling in the client or get rid of it by redirecting to the Google homepage.

How exactly the site decides this is unknown since the logic is present on the server side, but it has been observed that browsers running in virtual machines are detected by examining the name of the client’s graphics driver, as exposed by the WebGL API.

By default, VirtualBox and VMware make themselves known this way, and require some masking effort in order to pass this check, for example making use of browser setting `webgl.override-unmasked-renderer` on Firefox.

In case the site does not find a reason to suspect the client, it will serve it an authentication cookie that the client-side code will proceed to save before reloading the same page, this time receiving the main phishing page by the site.

Figure 8: Upon successful fingerprint process, site returns authentication cookie __3vjQ.

Proxy-based AiTM phishing attack overview

Traditional credential phishing sites collect the user’s credentials and never complete the authentication process with the actual mail provider’s server. If the user has multi-factor authentication (MFA) enabled, then it prevents the attacker from logging into the account with only the stolen credentials.

In order to bypass multi-factor authentication, attackers can use Adversary-in-the-middle (AiTM) phishing attacks. All the attacks which we describe in this article used the AiTM phishing attack method.

AiTM phishing attacks complete the authentication process with the actual mail provider’s server (in this case – Microsoft), unlike traditional credential phishing kits. They achieve this by acting as a MiTM proxy and relaying all the communication back-and-forth between the client (victim) and the server (mail provider).

There are three main open-source AiTM phishing kits available which are widely known in the community.

Evilginx2
Muraena
Modlishka

Based on our research, we believe that the threat actor in this case used a custom phishing kit. In the following section, we highlight some of the unique attributes we identified in the client-server communication which differ from the common off-the-shelf AiTM phishing kits.

We will not cover the technical details of how the AiTM phishing kits work in general since they are widely documented in the public domain such as here.

Unique attributes of the phishing kit

All advanced AiTM kits have in common that they operate as a proxy between the victim and the target site (Microsoft servers in our case).

The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works.

We observed several ways in which the phishing kit’s operation is distinguishable from the three open-source kits:

HTML parsing

It’s apparent that the phishing kit’s backend is making use of an HTML parser library, such as Beautiful Soup.

We can deduce this by comparing the messy, unindented HTML code arriving from Microsoft:

And the same HTML code as relayed by the phishing kit, tidied up and properly indented:

It is likely that the phishing kit feeds the HTML it reads from the Microsoft server into an HTML parser, which creates a programmatic representation of the entire HTML tree. This allows a programmer to conveniently manipulate the different elements by interacting with the objects that represent them.

Once the manipulation is done, the library produces an HTML output of the tree with all changes applied. This often results in a tidy output, as we see above.

The three open-source kits don’t make use of HTML parsers, instead operating on the received HTML data just by using basic string operations.

Domain translation

One of the things the kits need to take care of is replacing all the links to the Microsoft domains with equivalent links to the phishing domain, so that the victim remains communicating with the phishing site throughout the phishing session.

For example, Figure 9 below shows a side-by-side comparison of an HTML snippet. On the left is the original code as served by Microsoft, and on the right is the same code after it has undergone translation, on its way to be relayed to the victim.

Figure 9: HTML snippets before and after translation

The original subdomain (green), the original domain name (blue, minus the TLD), and a unique generated ID (pink) are joined together with dashes and become a subdomain under the phishing site’s domain (orange).

This translation pattern, namely the 8 hexadecimal digits ID added to links, appears unique to this phishing kit, and is not used by the three open-source kits.

However, there is one case where this translation does not take place.

The Office 365 login page, as part of a feature called “Azure Active Directory Seamless Single Sign-On”, communicates with Microsoft server `autologon.microsoftazuread-sso.com` in order to load company-specific scripts to offer this feature to the authenticating client.

The references to this server can be seen in this snippet of JavaScript, taken from the main Office 365 login page:

For one reason or another, the phishing kit does not perform translation on the links to `autologon.microsoftazuread-sso.com` shown above, and they make their way to the victims intact.

This results in the victim’s browser performing HTTP requests like the following, while loading the login page:

This effectively "leaks" the phishing site's address as the referring site (the Referer header) inside a request to the Microsoft server.

This opens up the possibility of detecting the kit in the act, if a victim’s HTTP traffic is monitored by network security solutions capable of deep packet inspection.
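The two artefacts described above give a defender concrete things to look for in proxy or deep-packet-inspection logs: a request to autologon.microsoftazuread-sso.com whose Referer is not a Microsoft host, and hostnames shaped like the kit's translated links (subdomain, Microsoft domain label and an 8-hex-digit ID joined with dashes under the phishing domain). The Python below is an added example, not code from the blog. Its log line format, its allow-list of Microsoft referer hosts, its list of Microsoft second-level labels, and the join order subdomain-domain-id (read from the blog's description of Figure 9) are all assumptions; phish-example.invalid is a placeholder for a kit domain and the request path is omitted because the blog does not show it.

```python
"""Two network-side detections for this kit, run over constructed proxy log lines:
(1) a Seamless SSO request whose Referer is not a Microsoft host, and
(2) hostnames shaped like the kit's translated links."""
import re
from urllib.parse import urlparse

# Hosts a legitimate Office 365 sign-in would carry as Referer on this request.
# Assumed allow-list; tune it from your own telemetry.
MICROSOFT_REFERER_SUFFIXES = (
    "microsoftonline.com", "microsoft.com", "live.com", "office.com",
    "microsoftazuread-sso.com",
)
LEAK_TARGET = "autologon.microsoftazuread-sso.com"

# <subdomain>-<domain minus TLD>-<8 hex digits>.<phishing domain>, in the join
# order the blog lists for Figure 9 (assumed). Second label = a Microsoft domain.
MS_DOMAIN_LABELS = ("microsoftonline", "microsoft", "msftauth", "msauth", "live", "office")
TRANSLATED_HOST = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)-([0-9a-f]{8})\.([a-z0-9.-]+)$")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_REFERER_SUFFIXES)


def referer_leak(url: str, referer: str):
    """Alert text if a Seamless SSO request carries a non-Microsoft Referer, else None."""
    if host_of(url) != LEAK_TARGET or not referer:
        return None
    ref_host = host_of(referer)
    if is_microsoft_host(ref_host):
        return None
    return f"referer leak: {LEAK_TARGET} requested with Referer host {ref_host}"


def translated_host(host: str):
    """Alert text if the hostname matches the kit's translation pattern, else None."""
    m = TRANSLATED_HOST.match(host.lower())
    if not m or m.group(2) not in MS_DOMAIN_LABELS:
        return None
    sub, dom, ident, phish = m.groups()
    return f"translated link: {sub}.{dom}.* proxied via {phish} (id {ident})"


def scan(log_lines) -> list:
    """Each constructed line: '<timestamp> <method> <url> referer=<url or ->'."""
    alerts = []
    for line in log_lines:
        _ts, _method, url, ref = line.split()
        referer = ref.partition("=")[2]
        referer = "" if referer == "-" else referer
        for finding in (referer_leak(url, referer), translated_host(host_of(url))):
            if finding:
                alerts.append(finding)
    return alerts


# Constructed sample traffic; phish-example.invalid stands in for a kit domain.
SAMPLE_LOG = [
    "2022-07-01T10:00:01Z GET https://login.microsoftonline.com/path-omitted referer=-",
    "2022-07-01T10:00:02Z GET https://login-microsoftonline-1a2b3c4d.phish-example.invalid/path-omitted referer=-",
    "2022-07-01T10:00:03Z GET https://autologon.microsoftazuread-sso.com/path-omitted referer=https://login-microsoftonline-1a2b3c4d.phish-example.invalid/",
    "2022-07-01T10:00:04Z GET https://autologon.microsoftazuread-sso.com/path-omitted referer=https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The referer check only works where TLS is inspected, since the Referer header travels inside the HTTPS request; the hostname check works on DNS or SNI alone, which makes it the cheaper of the two to deploy.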

Post-compromise activity

To investigate the post-compromise activity, we set up an Azure AD instance in our lab with a dummy account and a domain controlled by us. We visited one of the live phishing URLs, supplied dummy account credentials, and completed the multi-factor authentication process.

In one case, we observed that the attacker logged into our account 8 minutes after we sent our credentials to the attacker's server. It is important to note that the attacker logged into the account from another IP address (different from the phishing domain's IP address). Based on the 8-minute delay in post-compromise activity, we suspect that the threat actor is logging into the account manually.

Figure 10 below shows audit / sign-in logs from our lab’s Azure AD highlighting the post-compromise activity.

Figure 10: Azure AD sign-in logs highlighting post-compromise activity

At the time of our investigation, we did not see any specific post-compromise activity performed by the threat actor besides merely logging into the account, reading emails and checking the user’s profile information.
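A tenant can hunt for the sequence described above in its own Azure AD sign-in logs: with an AiTM proxy the victim's authentication is seen from the proxy's IP address, and the operator's login follows minutes later from a different one, so two successful sign-ins for one account from different IPs within a short window is the signal. The Python below is an added example rather than anything from the blog or the lab; its records use a simplified, constructed shape loosely modelled on Azure AD sign-in log field names (userPrincipalName, createdDateTime, ipAddress), the 15-minute window is an assumption, and the IP addresses are documentation ranges.

```python
"""Flag accounts with a successful sign-in from a second IP address shortly after
another successful sign-in. Input records are constructed, simplified sign-in entries."""
from datetime import datetime, timedelta

# Constructed records, not the lab's real log: the dummy user signs in through the
# phishing proxy (198.51.100.7) and the operator logs in 8 minutes later from 203.0.113.9.
# A second user signs in twice from one IP and then has one failed attempt elsewhere.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "dummy@lab-tenant.invalid", "createdDateTime": "2022-07-01T10:00:00Z",
     "ipAddress": "198.51.100.7", "success": True},
    {"userPrincipalName": "dummy@lab-tenant.invalid", "createdDateTime": "2022-07-01T10:08:00Z",
     "ipAddress": "203.0.113.9", "success": True},
    {"userPrincipalName": "other@lab-tenant.invalid", "createdDateTime": "2022-07-01T10:01:00Z",
     "ipAddress": "192.0.2.5", "success": True},
    {"userPrincipalName": "other@lab-tenant.invalid", "createdDateTime": "2022-07-01T10:30:00Z",
     "ipAddress": "192.0.2.5", "success": True},
    {"userPrincipalName": "other@lab-tenant.invalid", "createdDateTime": "2022-07-01T10:31:00Z",
     "ipAddress": "203.0.113.9", "success": False},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_multi_ip_signins(records, window: timedelta = timedelta(minutes=15)) -> list:
    """Return (user, first_ip, second_ip, minutes_apart) for every pair of successful
    sign-ins by the same user from different IP addresses within the window."""
    by_user = {}
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if not rec["success"]:
            continue   # failed attempts do not prove the credentials were replayed
        events = by_user.setdefault(rec["userPrincipalName"], [])
        events.append((parse_ts(rec["createdDateTime"]), rec["ipAddress"]))

    findings = []
    for user, events in by_user.items():
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if ip2 != ip1 and t2 - t1 <= window:
                    minutes = int((t2 - t1).total_seconds() // 60)
                    findings.append((user, ip1, ip2, minutes))
    return findings


if __name__ == "__main__":
    for finding in find_multi_ip_signins(SAMPLE_SIGNINS):
        print("account %s: sign-in from %s then %s within %d minutes" % finding)
```

On its own this heuristic also fires on legitimate users who switch networks, so it is best joined with the proxy-side indicators (the phishing domain's IP showing up as the first sign-in source) or with a check that the second IP has never been seen for that account before.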

Zscaler’s detection status

Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:

HTML.Phish.Microsoft

Conclusion

Business email compromise (BEC) continues to be one of the top threats which organizations need to protect against. As described in this blog, the threat actors are constantly updating their tactics, techniques and procedures (TTPs) to bypass various security measures.

Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.

As an extra precaution, users should not open attachments or click on links in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.

The Zscaler ThreatLabz team will continue to monitor this active campaign, as well as others, to help keep our customers safe.

Indicators of compromise

Since the campaign is active at the time of publication and this threat actor is relentless in creating new domains almost every day, the IOCs below should not be considered an exhaustive list.

Phishing domains

0mx1lntastantretatlanpassword[.]com

0mxus3rauthkeepsame[.]com

10311landex[.]com

206pms[.]com

2nbskull[.]com

333-77-6578-929-000[.]info

34533teams[.]xyz

365jhsgbxsncnsuye67[.]live

365maineventco[.]com

365voicemessage[.]com

3dfzlrtsiwfibvfyql96zt[.]live

455b3105mssvr[.]ml

5d4ba5ca-d814-4049-8ea3-af505f6e1e01[.]info

5thcolumn[.]accountant

7dmjmg20p8mty1nzexnjgzoc40ljeumty1nzexnzqxny4yng[.]co

7dmjmg20p8mty1ody5mjm4ms4xms4x[.]live

aaaaclub[.]net

aaaaoffice635u[.]com

abg-serviices[.]com

accionabdjv[.]ca

accvcam[.]com

acehomproducts[.]com

acqureioil[.]com

acuciondi[.]com

adlokali[.]com

adobe-06195[.]com

adobe-20648[.]com

adobe-54836[.]com

adobe-69451[.]com

adobe-91506[.]com

agoaci[.]click

agre-ae[.]com

agronne[.]com

aibels[.]com

aibie[.]me

aimedical[.]click

ainorsigns[.]co

ainswat[.]com

aismare[.]us

alamarcosmetics[.]xyz

alamoudiexchange-online[.]com

alamoudiexchang-online[.]com

alexmakanaki[.]com

almflrm[.]com

alnapeckagingco[.]com

altoma-report[.]com

amat-us[.]com

ambleasia[.]co

aminocx[.]xyz

am-jlll[.]com

appsinfo[.]xyz

aqkagjmyzg0otu5ltaznmitndjjms04zwrhlwnknd[.]us

aqriko[.]com

aquitainewine[.]click

araedt[.]com

aritcac[.]com

ascisoft[.]com

asdfghgfdsa[.]com

asianwaterjet[.]com

asn4[.]xyz

assetprovidingsupport[.]xyz

assoulne[.]com

atg1[.]xyz

atg2[.]xyz

audlgreenville[.]com

aufdreworld[.]com

auhrticezemkrt[.]com

auth17[.]com

autsolut[.]net

avantscapital[.]com

avis-corporation[.]com

azurenetworksauthx[.]us

baincoorp[.]com

bannesco[.]com

basinposal[.]com

bat-machinebouw[.]click

bbld[.]xyz

bckoffice[.]com

bdudhurujrhrsvdgdg[.]com

behringermails[.]com

benchrnark[.]com

bergspyderus[.]click

berightpw[.]com

bevcapmanagements[.]com

bewine[.]click

biibbeo[.]com

biofrontera-online[.]com

blackmorcpa[.]co

blockhoury[.]com

bluestoneqrp[.]com

bluewaterlogisticsgroups[.]com

boghdetgtahstak[.]com

bollinger-news[.]com

braagenh[.]com

brabinfo[.]xyz

bragmutual[.]org

brandisaw[.]pics

breadlaof[.]com

brendghsgsddczx[.]com

brentags[.]com

bryologyx[.]click

btfufu[.]com

btxinc[.]click

buildintegrated[.]click

businessresourceshq[.]com

buyhhcwholesale[.]com

c4xnjf[.]com

caassoclates[.]com

calling-phone[.]xyz

calspass[.]com

capitaln[.]org

casgravels[.]com

cds-ddd[.]com

celticvc[.]org

centament[.]com

chanpionpromotion[.]com

chemtge[.]com

chismstrategiies[.]com

cidkslhtrifmentinimtimesoffdots[.]xyz

cilakemillswius[.]click

cinquefonti[.]click

ci-resuorces[.]com

cityfederalcv[.]com

cityofchlcago[.]org

clearloginmailbox[.]com

clemenhagen[.]com

cloud-distributions[.]com

cnptrd[.]com

coastllnecapital[.]com

cohorted[.]click

colonyretirement[.]org

comlivess[.]com

commtraclfloors[.]com

comoholdingusa[.]com

comoutlooks[.]com

congregationanshaitorah[.]com

corned[.]co

costaenergyllc-report[.]com

cpipaneiis[.]com

craateoronlineecergynewnote[.]xyz

craigsintl[.]com

crossvalleyfcv[.]org

crswell[.]com

cscsteelsusa[.]com

cullensolicitors[.]com

cvcolebrook[.]click

damerche[.]com

dastoffidhtrifmentinimtimesoffdots[.]xyz

dastoffkmentinimtimesoffdoctas[.]ninja

davisellen[.]com

dbfjkndkhvsjfdyjdbdih[.]com

dechanghitach[.]com

dechocoladefabriek[.]click

dedrone-online[.]com

deseuwhioaks[.]xyz

destrooper-olivier[.]click

dextermags[.]com

dfrfeedback7w[.]com

difioreconstructions[.]net

dirtymoneydenger[.]xyz

discoverlewis[.]co

disgros[.]com

djtransportatlon[.]com

dkdnspmeitlo[.]com

dkfkofbnfiufbihfiuf[.]com

dlago[.]co

dlfcgzgpgwrdfjtkszrbzpzpwpndkd[.]com

dnsnamess[.]com

documentsharepoint[.]com

douglassedist[.]com

downs-energys[.]com

dphinc[.]org

drdrgroup[.]org

drussellccigroup[.]com

dse01[.]com

dsjusfd-lth[.]com

durascrete[.]com

dustaslde[.]com

dyndjdbhdjakshd[.]com

dynnata[.]com

ebclh[.]org

efcotac[.]com

efscystems[.]com

ehdd[.]net

ehdgffdsfd-bdvdbfdyue34dsscdssd[.]me

eiiisdone[.]com

ejidoater[.]com

elecorporattion[.]com

electronictransmission[.]net

elistsair[.]com

emailaccess-expirynotification[.]com

emailaccess-passwordnotice[.]com

email-verification-access-password-notificafions[.]com

emediartslab[.]com

encorebrard[.]com

encores-bz[.]com

endoselec[.]com

envizai[.]com

eriecommunltyfcu[.]org

etacenter[.]com

etiselat[.]com

etxfabs[.]com

eu-biuestarinc[.]com

excelavgroups[.]com

excelville[.]com

expirationrequest-passwordreminder[.]com

expiryrequest-mailaccess[.]com

exyta[.]net

fabirtek[.]com

fabrinet-globals[.]com

fabrinets[.]com

fahdsuk[.]com

faircapitallc[.]com

fcmilndia[.]com

fgtsolutions[.]co

filkjooor[.]com

finalmanstandlap[.]com

fiorettl[.]com

fiplodjfjfjnxjisski[.]com

firstablenefcu[.]org

flakestld[.]us

flowerandmore[.]biz

fmh-corp[.]org

foodjet[.]click

forbedentallab[.]com

fr-ggori[.]xyz

friendsofc-online[.]com

frontofflcce[.]com

fulier[.]ca

galatachemicals[.]net

garefl[.]com

gassentec[.]com

gatewaytubular[.]com

generalstores-be[.]click

genevainn[.]org

gennfed[.]com

ghllamak[.]com

ghvgghjjhbhbhb[.]com

gianjet[.]com

gimc-cocktail[.]com

girvlnassoc[.]net

goarnstrong[.]com

graycardinal[.]ca

greatwauecom[.]com

greenstalkholding[.]com

gsokoauyilpoi[.]com

gspwii[.]com

guardanthealths[.]com

hafe1e[.]com

haglaegis[.]com

halalog[.]com

halesjewelers[.]org

harvestclhurchba[.]com

hasseco[.]co

hawaiianpr0p[.]com

hcisystem[.]net

healths-law[.]com

heibraunievey[.]com

hgjvdfvfh[.]com

hhppny[.]com

hidefsurveying[.]info

hjdlsksfhhn[.]com

hokualakavai[.]com

holder-fcl[.]com

horizonholdlngs[.]com

horstandgrabenwealth[.]xyz

hsshd729s[.]com

huguhsings[.]com

iaunchfinance[.]com

imperialprecision[.]org

inboxmainchil[.]com

infokeysinc-mlcrosoftpasswdd[.]com

infomicrosoft[.]net

innfinancial[.]net

insaertab[.]com

instagzone[.]com

intelliclicksoftware-online[.]software

intrepidpotashs[.]com

ireataeoronlineecergynewnote[.]xyz

isccontractings[.]com

ispschools[.]co

itsonlinewiththefileofficeofficial[.]xyz

iukygt98yu09i8iuy908iuy908iuytrgfh67[.]com

jcb[.]cx

jsptsenergy[.]com

jukiyq[.]com

junnioehsnsbh7[.]me

kathisp[.]com

kbnoffice[.]com

keep356fgfhgutryt[.]com

keepsettingsinfoanon[.]com

kickte[.]com

kiymanfinancial[.]com

kj4brvghvjk[.]com

kleinfalder[.]com

klimateshield[.]net

knyjbio[.]com

koc-tr[.]com

kreagermitchell[.]click

ktorresrray[.]com

kupolae[.]com

kushyedhfman[.]com

lakrvsm[.]com

lanckstele[.]com

lang-cq[.]com

leedseng[.]com

levaelld[.]com

lfiliumination[.]com

lifetechrned[.]com

litechcking[.]xyz

lityrest[.]com

liwsupply[.]com

lkhgfghccghgh366555[.]com

lmscorp-us[.]com

lnstream[.]net

lntrecash[.]com

logindri-veshare[.]live

loginmicrossft[.]co

logsettingsforlog[.]com

lointree[.]com

longetivity[.]co.uk

m0367d6378b355472d879736b7350[.]live

m0autthxxd47[.]com

mabdhufbwkshudgvhu[.]com

madasmaneudonedeo[.]com

mailpasswordexpiry-reminder[.]com

mailscancache[.]com

mailstoragenoticeonline[.]com

makairalandscaqe[.]com

managementlocks[.]com

mandnsjeyrusmskbdv[.]com

mansoolsnsjwuajshd[.]com

mapdatew[.]com

marshwestin[.]com

marynellmalonyelawfirm[.]com

mashcapyusu[.]org

mashroecy[.]com

maxismstaffing[.]com

mcrosftpasswd-activity[.]com

melograno[.]click

meqal-secure[.]com

merrakii[.]com

messageallianceclue[.]com

mhkspartners[.]com

miccrosoftttoficee365[.]com

miccrrosoftsecure[.]com

microtki[.]com

mindfulbirthnj[.]com

mirevabalika[.]xyz

mlcc-asminternational[.]us

mllklabor[.]org

mlly[.]xyz

moralibbx[.]xyz

morent[.]co

moreoff376[.]com

morrisonheshfield[.]com

mrecateoronlineecergynewnote[.]xyz

mscenter-exchangeinfo[.]ga

mscenter-exchangeprotect[.]ga

mscenter-exchangeprotect[.]ml

mscenter-protectexchange[.]ga

mscenter-protectexchange[.]ml

mscenters-exchangeprotects[.]ga

mscenters-exchangeprotects[.]ml

mscomplaince-exchangemx[.]ga

mscomplaince-exchangemx[.]ml

mservcfrduud[.]com

mslawtc[.]com

mso-10[.]com

mso-4[.]com

mso-6[.]com

msokool[.]com

msonline[.]club

msprotect-exchangemx[.]cf

msprotect-exchangemx[.]ml

mssoleop[.]com

mtfbs[.]click

mxfdsam3new[.]com

mypage-corporate[.]com

myplos[.]com

nailbur[.]com

nanbhx[.]com

nce-sg[.]com

netcapittal[.]com

newmanregencytransmission[.]com

newmansimpsons[.]com

newrecalluser[.]com

newttech-sys[.]com

nfnoffice[.]com

nkccpa[.]com

nlmeks[.]com

nmed-lab[.]com

nordicstrustee[.]com

northvolts[.]com

ntgent-be[.]click

nutritionadvisors[.]org

ny-vee[.]co

oauth7[.]com

ofccuu[.]com

officefilest[.]com

officeoutteamworkstation[.]com

offilincom[.]com

offjkhgvc[.]com

offwmi[.]com

oniline-mics[.]com

onlineoffce[.]com

onlinservices[.]club

onsettingsdav[.]com

ophoustons[.]com

oreqonaero[.]com

os1connect[.]com

oslappy[.]com

oufcv[.]com

ourin[.]xyz

outlookfilesauthentication[.]com

ovfcv[.]com

owlautoai[.]com

owlwarrantyai[.]com

oxtelidi[.]com

paccommtg[.]com

paceqallery[.]com

paksolvtionsusa[.]com

palcogenerator[.]com

pars-org[.]com

passportinc-onlinecom[.]com

password00verification385518485[.]com

password0verify6767971208[.]com

pathwavscu[.]com

patterrnenergy[.]com

pbiapp[.]com

pelladrect[.]com

pepslco[.]com

perfectsmile-dcntal[.]com

perkinlawtx[.]com

permobill[.]com

pflzer[.]co

pheniexnt[.]com

pilarcu[.]com

playboyhouse[.]xyz

playersoft[.]co

poetape[.]com

poiu767678i89p98o7o98po9p7p67p7op654re[.]com

portalquery-expirynotice[.]com

portalresolve-reminder[.]com

portconnfcuu[.]com

povndmgt[.]com

pqkkwkkskdjqwpokhjqoqpqpakqpqiwqqpqowqpwooq[.]com

preferred-properties[.]info

pressin[.]xyz

pretressservices[.]com

priaso[.]com

primwests[.]com

progressim[.]click

project-scop[.]com

project-scop[.]live

psscontractor[.]com

pyxislogistics[.]click

qsummary[.]online

quintadapraiaverde[.]com

qwlckrate[.]com

r4services[.]org

radsotek[.]com

railsone-usa[.]com

ramsmtgcaps[.]com

ranndlog[.]com

raptrotech[.]com

rchrsc[.]com

reddinc[.]org

registration-forms[.]us

reidterrasolution[.]com

res-report[.]us

riuyimachine[.]com

rmcdmcc[.]com

rnechcollc[.]com

rodlncoinc[.]com

ructioninc[.]com

sablepw[.]top

safelinks[.]online

saicorp[.]co

salesforcie[.]com

sancoent[.]org

sanleandroford[.]click

sbvdjhsadbvjfrkuvfbhdhd[.]com

scbhubonc[.]co

schmidoffice[.]click

scotchdale[.]click

secrelogrussmake[.]com

sembmarine-online[.]com

seneca-report[.]com

serviceproviderrs[.]com

servicewebofficeindex361loginemail[.]online

settings0365[.]com

shaftdesign[.]click

shapshap22[.]com

share-access-notifications[.]com

sharepoint-access-notifications[.]com

shdjfbfjfskjdfyfgngjgjg[.]com

shelils[.]com

shenoeup[.]com

siemens-energv[.]com

siktadmog[.]com

single-temps[.]com

situationintarective[.]com

sixspartnerrs[.]com

sjsjsjsjsjsjsjsssjsj[.]club

slakdkslpeop[.]com

somaloglc[.]org

spcc-toledo[.]net

sproquela[.]com

sroauth[.]xyz

ssosignons356[.]com

stablematerials[.]com

stanepp[.]org

steelwrists[.]com

stefany1990[.]click

stenfordedu[.]com

stocksfroozen[.]xyz

stonecastlepartnerrs[.]com

styguhidsyhuidsyzuhids7husd78xds7zx8ds7zx89jids[.]com

subsiquent-protection[.]xyz

substentialsecurepron[.]xyz

sumiy0shi[.]com

swesreport[.]com

sxhygdhsg[.]co

synergipartnars[.]com

sysvamps[.]com

tahoebiltmore[.]org

tankequipments[.]com

temcopi[.]com

teremilazer[.]com

terminalvfest[.]co.uk

terracon-report[.]com

terryappraisalsgroup[.]com

texantitle-report[.]com

theeveristco[.]com

thejyygroup[.]com

themaplob[.]com

thereportbot[.]com

tigoenergym1crosoft-passwd[.]com

tmasites[.]co.uk

tmhfcv[.]org

tonic-collective[.]live

triboro-fcv[.]org

tri-iinc[.]net

truebjj[.]com

tuemereliaz[.]com

ud8sa[.]com

ulakhaberlesme-online[.]com

unidinex[.]com

uniltedrental[.]com

unionblz[.]org

unltedrental[.]com

urbantrustscapital[.]com

urw-us[.]com

ushinsk[.]com

uswurskland[.]com

utpostra[.]com

uueb837en[.]com

uzomafoundation[.]com

valentern[.]com

vectaenvironml[.]xyz

venovoice[.]online

ventiott[.]com

vesonn[.]com

vicetelejhgvfhj[.]com

viewsprotech[.]com

villatelperu[.]com

vistabank-report[.]com

vitox[.]click

vm-buscall[.]club

vmonlineservice[.]xyz

vmsendermails[.]xyz

vm-service[.]xyz

vodafonex[.]online

von-lincs[.]shop

vrmarath0n[.]com

vurijuireiujmfdusijeruijmfudisjdsaim[.]com

waunacvorg[.]com

webcore2[.]com

webcore3[.]com

webmailservice[.]site

websecuritynotice[.]com

weldongranger[.]com

wellingtons-partners[.]com

westmariinfund[.]org

whoerkemshdh[.]com

wiliampenn[.]com

windssorservices[.]com

wis3po-1k60i5bn-jwza24[.]com

wittial[.]com

wonjiinco[.]com

workenterservice[.]com

worldexchangechbe[.]com

xcduoyuuwa[.]com

xlikk[.]com

yhjfdhgjdhunjdyuidesuidsuihjfdjkies[.]com

yickhoesgroup[.]com

yolmathy[.]com

zhongt0ng[.]org

CodeSandbox URLs

clxbcj.codesandbox[.]io

c0poft.codesandbox[.]io

ekwg9l.codesandbox[.]io

epovr9.codesandbox[.]io

er849r.codesandbox[.]io

fnqynt.codesandbox[.]io

hjfsty.codesandbox[.]io

iz8ieq.codesandbox[.]io

jkvpu5.codesandbox[.]io

j3buwf.codesandbox[.]io

kg4pxm.codesandbox[.]io

k54431.codesandbox[.]io

k8zngr.codesandbox[.]io

lq1nq3.codesandbox[.]io

mvis9x.codesandbox[.]io

on8pb2.codesandbox[.]io

pc292i.codesandbox[.]io

pjoumm.codesandbox[.]io

quzqvm.codesandbox[.]io

rn8hs6.codesandbox[.]io

sjtug9.codesandbox[.]io

tz29yo.codesandbox[.]io

u2xyhg.codesandbox[.]io

xdtmw5.codesandbox[.]io

y7dp2d.codesandbox[.]io

zwec9y.codesandbox[.]io

286755.codesandbox[.]io

3fytwq.codesandbox[.]io

34ovuk.codesandbox[.]io

62zy6b.codesandbox[.]io

660o5v.codesandbox[.]io

7o7ttl.codesandbox[.]io

77du0t.codesandbox[.]io

8nk0ds.codesandbox[.]io

9xybgc.codesandbox[.]io

Glitch URLs

bald-savory-whippoorwill.glitch[.]me

curvy-spiritual-dirt.glitch[.]me

deep-blossom-dichondra.glitch[.]me

jolly-hospitable-hygienic.glitch[.]me

prism-principled-eucalyptus.glitch[.]me

showy-clammy-riddle.glitch[.]me

tabby-pattern-curiosity.glitch[.]me

Appendix

Client fingerprint collected

{'data': {'appCodeName': <string>,
          'appName': <string>,
          'audioCodecs': {'aac': <string>,
                          'm4a': <string>,
                          'mp3': <string>,
                          'ogg': <string>,
                          'wav': <string>},
          'automation': [<boolean>, <boolean>, <boolean>, <boolean>, <boolean>, <boolean>,
                         <boolean>, <boolean>, <boolean>, <boolean>, <boolean>, <boolean>,
                         <boolean>, <boolean>, <boolean>, <boolean>, <boolean>, <boolean>],
          'battery': <boolean>,
          'cookieEnabled': <boolean>,
          'debugTool': <boolean>,
          'devtools': <boolean>,
          'document': {'characterSet': <string>,
                       'charset': <string>,
                       'compatMode': <string>,
                       'contentType': <string>,
                       'designMode': <string>,
                       'hidden': <boolean>,
                       'inputEncoding': <string>,
                       'isConnected': <boolean>,
                       'readyState': <string>,
                       'referrer': <string>,
                       'title': <string>,
                       'visibilityState': <string>},
          'etsl': <integer>,
          'hardwareConcurrency': <integer>,
          'hasChrome': <boolean>,
          'javaEnabled': <boolean>,
          'language': <string>,
          'languages': [<string>, <string>],
          'mediaSession': <boolean>,
          'mimeTypes': [<string>, <string>],
          'multimediaDevices': {'micros': <integer>,
                                'speakers': <integer>,
                                'webcams': <integer>},
          'permissions': {'accelerometer': <string>,
                          'ambient-light-sensor': <string>,
                          'ambient_light_sensor': <string>,
                          'background-fetch': <string>,
                          'background-sync': <string>,
                          'background_fetch': <string>,
                          'background_sync': <string>,
                          'bluetooth': <string>,
                          'camera': <string>,
                          'clipboard-write': <string>,
                          'clipboard_write': <string>,
                          'device-info': <string>,
                          'device_info': <string>,
                          'display-capture': <string>,
                          'display_capture': <string>,
                          'geolocation': <string>,
                          'gyroscope': <string>,
                          'magnetometer': <string>,
                          'microphone': <string>,
                          'midi': <string>,
                          'nfc': <string>,
                          'notifications': <string>,
                          'persistent-storage': <string>,
                          'persistent_storage': <string>,
                          'push': <string>,
                          'speaker-selection': <string>,
                          'speaker_selection': <string>},
          'platform': <string>,
          'plugins': [<string>, <string>, <string>, <string>, <string>],
          'referrer': <string>,
          'screen': {'cHeight': <integer>,
                     'cWidth': <integer>,
                     'orientation': <string>,
                     'sAvailHeight': <integer>,
                     'sAvailWidth': <integer>,
                     'sColorDepth': <integer>,
                     'sHeight': <integer>,
                     'sPixelDepth': <integer>,
                     'sWidth': <integer>,
                     'wDevicePixelRatio': <integer>,
                     'wInnerHeight': <integer>,
                     'wInnerWidth': <integer>,
                     'wOuterHeight': <integer>,
                     'wOuterWidth': <integer>,
                     'wPageXOffset': <integer>,
                     'wPageYOffset': <integer>,
                     'wScreenX': <integer>},
          'serviceWorker': <boolean>,
          'timezone': <string>,
          'userAgent': <string>,
          'vendor': <string>,
          'videoCodecs': {'h264': <string>,
                          'ogg': <string>,
                          'webm': <string>},
          'visitorId': <string>,
          'webRTC': <boolean>,
          'webXR': <boolean>,
          'webgl': <string>},
 'ftype': <string>}

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Sudeep Singh. Read the original post at: https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services


