This blog post was co-authored by Lonnie Best and Andrew Christian.

In this blog post, Rapid7’s Managed Detection and Response (MDR) services team outlines a unique phishing campaign that uses a novel method of scraping organizations’ branded Microsoft 365 tenant login pages to produce highly convincing credential harvesting pages.

In mid-July 2019, Rapid7’s MDR service responded to a phishing attack against several users in a customer environment. Upon investigation into what looked to be a rather ordinary phishing attempt, the attack quickly appeared to be very targeted. The phishing emails that led to the initial investigation appeared as follows:

Typical phishing attacks attempting to gather credentials from Microsoft Office 365 users use fake “login” pages bearing prototypical Office 365 images and logos (often pulled directly from Microsoft hosting). However, the login page in this instance, while hosted on legitimate Microsoft infrastructure (using the and azurewebsites.net domains, which is not uncommon in recent phishing campaigns), bore a background image and banner logo matching those of the target organization’s Office 365 tenant login page (not displayed here due to confidentiality concerns).

Rapid7 MDR analysts identified calls to the domain xeroxprofessionalsbusinessvip during the phishing routine, which appeared to check the targeted user against a predetermined list, leading to further examination of the attacker’s infrastructure. There, we identified a listing of PHP files and corresponding text files, numbered in ascending order with the digits 1 through 10 (e.g., chekeml#.php and valid#.txt, where # is a number between 1 and 10). On July 17, 2019, the number of chekeml#.php and valid#.txt file pairs increased from 10 to 20. The PHP files revealed no useful information other than their naming convention, which seems to indicate that they are used to check an email address. However, each text file contains a list of thousands of validated email addresses, among which were the email addresses of the phished users discovered by MDR. Further examination of the domains in the validated email addresses points to a phishing campaign at least initially targeting a spectrum of industry verticals, including financial, insurance, medical, telecom, and energy. This put a dent in the initial speculation that the phishing emails were highly targeted, but led analysts to discover a seemingly new tactic in use by the attackers.

When configuring Office 365, an organization has the option to set a banner logo and background image for its tenant’s login page. When configuring such options as the banner logo, a unique link is generated that appears similar to the following:

When logging into Office 365 from a primary 365 login address (i.e., ), upon submitting a valid email address for which a branded tenant page is available, the user’s login is redirected to the corresponding tenant login page for the organization. Whenever a user is successfully redirected to a tenant login page, the background image and banner logo are fetched via specific HTTP GET requests, and can be downloaded or scraped by anyone who provides a valid email address and is redirected to the tenant page. (Links to these image files are also hard-coded into the HTML source code of the tenant login page.)

In this particular phishing campaign, the images appear to be dynamically inserted into the phishing landing page as follows: the user is first validated against what appear to be the valid#.txt files, and then a link containing the company’s logo image is generated and inserted into the phishing page via the following:

In a similar fashion, the background image is generated by running the phished user account against /api/back.php. This combines to create a semi-targeted and rather convincing credential harvesting page tailored to the user’s organization. In the case that a validated organization does not have a custom branded tenant page, the phishing kit is designed to use the default Office 365 background image:
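One defender-side check that the scraping technique described in this post suggests, as an added example that is not code from the Rapid7 post or from the phishing kit: given a suspected landing page and the URLs of the organization's own tenant branding assets, flag the page when it hotlinks those assets from a host that is not a legitimate login host. All host names, asset URLs and the sample HTML below are constructed placeholders, not indicators from the campaign.

```python
"""Triage helper for the scraping technique in this post: flag a suspected login
page that embeds an organization's own Microsoft 365 tenant branding (banner logo,
background image) while being served from a host that is not a legitimate login host.
Added example; hosts, asset URLs and the sample HTML are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder: hosts that may legitimately serve the tenant login page.
LEGITIMATE_LOGIN_HOSTS = {"login.example-idp.test"}

# Constructed placeholder: the organization's branding asset URLs (from its own tenant config).
ORG_BRANDING_ASSETS = [
    "https://branding-cdn.example.test/tenant-0000/bannerlogo",
    "https://branding-cdn.example.test/tenant-0000/illustration",
]

# Constructed sample of a harvesting page on a look-alike host that hotlinks both assets.
SAMPLE_LANDING_PAGE = """<html><body style="background-image:url('https://branding-cdn.example.test/tenant-0000/illustration?v=3')">
<img src="https://branding-cdn.example.test/tenant-0000/bannerlogo">
<form method="post" action="/post.php"><input type="password" name="passwd"></form>
</body></html>"""

class _AssetCollector(HTMLParser):
    """Collects image URLs from <img src> and from inline CSS background-image rules."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        self.urls += re.findall(r"url\(['\"]?([^'\")]+)", a.get("style") or "")

def _norm(url):
    """Compare assets by scheme, host and path, ignoring cache-busting query strings."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.path.rstrip("/"))

def branding_hotlink_findings(page_url, html, branding_assets):
    """Return the known branding assets that `html` embeds when the page is served
    from a host outside LEGITIMATE_LOGIN_HOSTS; an empty list means no finding."""
    if (urlparse(page_url).hostname or "") in LEGITIMATE_LOGIN_HOSTS:
        return []
    collector = _AssetCollector()
    collector.feed(html)
    embedded = {_norm(u) for u in collector.urls}
    return sorted(u for u in branding_assets if _norm(u) in embedded)
```

The check is silent when the kit falls back to the default Office 365 background image, as the post notes it does for organizations without a branded tenant page, so it complements rather than replaces generic look-alike login page detection.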