Threat actors are leveraging top-tier cloud apps to host phishing baits. Netskope Threat Labs has identified an ongoing O365 phishing campaign whose baits are hosted in Google App Engine, with the credential harvester mostly hosted in Azure App Service. The campaign typically targets O365 users via phishing emails that carry a direct link or an attachment.
The campaign started in late June 2020 and is still active today. Based on similarities in the phishing pages, we believe the same threat actor is responsible for generating more than 100 phishing pages and continues to add more daily. These phishing pages and attack elements were hosted in different App Engine and Azure websites. At the time of writing, more than 60% of the URLs we observed were active and not detected or blocked by security scanning services in popular browsers like Chrome and Firefox.
Our earlier posts, "Phishing in the public cloud: You’ve been served" and "Amazon themed Phish hosted in Azure Sites", detailed phishing attacks that used Azure Websites to serve up parts of the attack. This ongoing campaign indicates that threat actors are continuing to launch phishing attacks at scale from widely used cloud services, making the attacks harder for users to recognize and for vendors to detect, block, or take down.
This blog post details our analysis of this campaign and provides recommendations to help protect you and your organization from falling victim to similar phishing campaigns.
Appspot.com – Phishing baits
Google App Engine is a Google Cloud Platform (GCP) service for developing and hosting web applications. App Engine allows you to serve SSL (HTTPS) traffic through your appspot.com domain, https://<app>.r.appspot.com. Users tend to place trust in websites that are hosted by top-tier vendors like Google. Threat actors are exploiting this trust by hosting phishing baits in Google services as shown in Figure 1.
Analysis of the phishing campaign
The attack starts with a Bitly shortened link, https://bitly[.]com/33nMLkZ, generally distributed via phishing emails, that redirects to https://o365apps[.]oa.r.appspot.com as shown in Figure 2.
When visiting the bait, the victim is presented with a phishing page hosted on appspot.com that prompts for credentials, as shown in Figure 3.
Upon entering the email and password, the victim is presented with a fake message that the account and password are incorrect as shown in Figure 4.
The victim’s credentials are then sent to the page ‘handler.php’, hosted on july-28[.]azurewebsites[.]net, as shown in Figure 5.
The packet capture illustrating this credential theft action is shown in Figure 6.
Phishing campaign
Using NSIQ, Netskope’s in-house threat intelligence hub, we were able to identify multiple O365-themed phishing pages using appspot.com. Starting in late June, we observed 110 unique bait URLs and 72 credential hosting URLs related to this campaign. We identified that the threat actor tried using several domains to host the credentials as shown in Figure 7.
The above figure clearly shows that the threat actor has mostly used Azure App Service to host the credential harvester at azurewebsites.net. It appears the attacker tried out multiple different options to serve the credential harvester and chose to use Azure App Service on an ongoing basis, likely because of its ease of use and Microsoft-issued SSL certs. That we continue to see new subdomains appear daily on both Azure App Service and Google App Engine indicates that the attacker is having success on both of these platforms.
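The two traits described above, a Microsoft-themed subdomain on shared cloud hosting and a credential POST from an appspot.com page to a different azurewebsites.net host, can be checked in proxy logs. The following is an added example, not Netskope's code; the brand keyword list, the look-alike mapping, the record layout and all sample hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosting suffixes named in the post; extend for your environment (assumption).
CLOUD_SUFFIXES = ("appspot.com", "azurewebsites.net")
# Brand keywords to look for in attacker-chosen subdomains (assumed list).
BRAND_TERMS = ("microsoft", "office", "outlook", "o365", "onedrive", "sharepoint")
# Collapse look-alike characters (0/o, 1/l/i) so "mlcrosoft" and "0ffice" match.
SKELETON = str.maketrans({"0": "o", "1": "l", "i": "l"})

def host_of(url):
    """Lower-cased hostname of a URL, or "" when there is none."""
    return (urlsplit(url).hostname or "").rstrip(".")

def cloud_suffix(host):
    """Return the shared hosting suffix a host sits under, or None."""
    return next((s for s in CLOUD_SUFFIXES if host.endswith("." + s)), None)

def brand_on_cloud_host(url):
    """Return the brand term imitated in a cloud-hosted subdomain, or None."""
    host = host_of(url)
    suffix = cloud_suffix(host)
    if suffix is None:
        return None
    # Everything left of the hosting suffix is chosen by the tenant.
    label = host[: -len(suffix) - 1].translate(SKELETON)
    return next((t for t in BRAND_TERMS if t.translate(SKELETON) in label), None)

def credential_post_findings(records):
    """Flag POSTs whose referring page and destination are both on shared
    cloud hosting but on different hosts (bait page vs. harvester)."""
    findings = []
    for method, url, referer in records:
        src, dst = host_of(referer), host_of(url)
        if method == "POST" and src != dst and cloud_suffix(src) and cloud_suffix(dst):
            findings.append((src, dst, brand_on_cloud_host(referer)))
    return findings

# Constructed proxy records (method, URL, Referer); hostnames are made up.
SAMPLE = [
    ("POST", "https://harvest-demo.azurewebsites.net/handler.php",
     "https://logln-0ffice365-demo.el.r.appspot.com/"),
    ("POST", "https://login.microsoftonline.com/common/login",
     "https://login.microsoftonline.com/"),
    ("POST", "https://team-wiki-demo.uc.r.appspot.com/save",
     "https://team-wiki-demo.uc.r.appspot.com/edit"),
]
```

Legitimate tenants of these platforms can also use words such as "office" in an app name, so a hit from either check is a triage signal to correlate with other evidence rather than a verdict.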
Conclusion
This post described a phishing campaign that used appspot.com and azurewebsites.net for hosting the phishing baits and attack elements. We recommend that users not enter their credentials on unknown websites or after following unknown hyperlinks, even if the website is on a trusted domain. Users can recognize a phishing site from its domain, which shows that the page is hosted in App Engine at appspot.com and is not an official Microsoft website. Enterprises should educate their users to recognize AWS, Azure, and GCP object store URLs, so they can discern phishing sites from official sites. Netskope reported the phishing sites to Google and Microsoft Security teams on August 10, 2020.
IOCs