A few weeks ago one of Mitiga’s employees received an email phishing for credentials. Instead of just laughing it off, our team decided to use their lunch breaks to analyze it. What we found indicates a sophisticated phishing platform that uses AWS and Oracle infrastructure to phish Office 365 email accounts.
This particular attack begins with the victim receiving a phishing email sent from a legitimate, but compromised, Office 365 email account. This email asks the targeted user to click a link for a voice mail message.
Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a compromised website belonging to a genuine organization. Our team identified over 40 websites belonging to SMBs that were compromised by the associated threat actors.
Ultimately, the victim ends-up on a fake and malicious Office 365 login page hosted on Oracle Cloud infrastructure. In some variations of these attacks, we also observed Office 365 login pages hosted on AWS S3 buckets.
Once the victim entered their credentials, they were exfiltrated to a compromised but legitimate website.
It should go without saying that these compromised Office 365 credentials may be used as entry vectors for deeper access into the victim organization’s network, or used to conduct a Business Email Compromise (BEC) attack.
Despite the campaign’s relatively trivial target (Office 365 credentials), it is actually quite sophisticated in several aspects:
First, the threat actors use a vast “network” of over 40 compromised websites as part of their infrastructure proxy chain.
Second, the threat actors use AWS load balancers as proxies, and Oracle Cloud resources for hosting the Office 365 login pages. In some cases we observed them hosted on AWS S3 buckets whose names imitate Zoom invitations. We believe the AWS and Oracle infrastructure is controlled and operated directly by the threat actors — who leveraged these freely available services for their malicious intentions.
Third, the threat actors sent the phishing emails from legitimate compromised email accounts.
Our team also found several interesting strings, comments, and function names that are possible clues hinting at the attacker’s origin. They were found while researching the HTML infrastructure deployed on the Office 365 login pages. We would like to stress that all of these may be false flags deployed by the threat actors to misguide security researchers. Nonetheless, we found:
2. Older HTML pages versions deployed as early as April 2020, had references to “Kolom” (Column), “Lagiya” (Again), “Kirim” (Send).
There are several indications that lead us to believe that the threat actors received the phishing infrastructure from a 3rd party — as a Phishing-as-a-Platform solution, so-to-speak:
For the record, we found no evidence affiliating any of the findings above with a known cybercrime group.
During our investigation, we discovered several email addresses that received emails originating from the malicious infrastructure. These email addresses belong to small and medium sized businesses, as well as major financial institutions in the US and Australia. The attackers targeted mostly C-level executives in these organizations.
We have no indication that the phishing attempts targeting these email addresses were indeed successful, and that their credentials were in fact stolen. However, at least some email addresses were indeed compromised by the threat actor — the ones that were used to send the malicious emails.
Due to the relatively sophisticated nature of this phishing campaign, we recommend checking whether any credentials were stolen.