The last week of June and early July saw a surge in zero-day phishing attacks targeting both corporate Microsoft/Outlook logins and personal web services (e-commerce, streaming, and email) on work devices. Threat actors employed sophisticated tactics – from obfuscated JavaScript and fake OAuth login flows to Telegram-based exfiltration – allowing many of these phishing pages to evade traditional detection measures. Here are some examples and highlights.
Phishing URLs
boa[.]devicehub[.]co/login
s3[.]lax[.]sharktech[.]net
ru0[.]eotskyj[.]es
zolotayanora[.]com
nextflyerpub[.]store
cpcontacts[.]164-92-78-92[.]cprapid[.]com
fhi9o09i5[.]uywpk[.]es
j43okxouoz0[.]franksdarmatology[.]com
webmail[.]50-6-111-88[.]cprapid[.]com
Microsoft Spearphish and Telegram Bot Exfiltration
This period witnessed a number of interesting attacker techniques like the use of Telegram Bot APIs and clever techniques to conceal page content.
On July 2, a staff member at a Texas organization clicked a Microsoft Outlook spear-phish delivered via a file share link.
The stolen credentials were not sent to a typical web server; instead, the page used the Telegram Bot API to exfiltrate captured passwords and user data in real time. This tactic provides the attacker with an anonymous, easy channel for data theft while helping the phish bypass traditional defenses. Another Texas employee the same day fell for a similar Microsoft 365 phish.
This page hid a massive block of obfuscated JavaScript in its code – likely to conceal malicious tracking or keystroke logging scripts, making static analysis difficult.
On June 24, a Kentucky employee clicked the below link to an Office 365 sign-in page.
The phishing page’s HTML was entirely encoded into a single string passed to a document.write(unescape(…)) function. This meant the page’s content was only rendered at runtime, helping it evade detection from security scanners that rely on static HTML analysis.
In early July, another Kentucky user was lured to a fraudulent Outlook Web Access page that employed multiple evasive techniques.
The HTML payload was encrypted and only decrypted in-browser to reveal the fake login form. It also contained scripts to hijack the user’s clipboard and prevent copying of content. It further set special meta tags to prevent caching or sandboxing by web crawlers.
On June 23, an employee at a Washington organization clicked the below spear-phishing page, which loaded several resources from legitimate Microsoft content delivery networks (such as aadcdn.msauth.net and aadcdn.msftauth.net) and even referenced Microsoft’s own “Watson” telemetry service in its code.
E-commerce and Streaming Phishing on Personal Devices
This mid summer period saw a surge in spearphishing targeting corporate users on their personal accounts, particularly Amazon account phishing.
On June 30, a Texas employee clicked a fake Amazon login page on their work device, including fake “Sign in with Google” and “Sign in with Facebook” authentication flows, designed to steal multiple types of identity credentials.
Another Amazon credential harvester was clicked on June 29 targeting a Kentucky user, employing a carbon copy of Amazon’s multi-stage login flow.
Behind the scenes, a suspicious JavaScript function was executing silently every few milliseconds, sending stolen data back to a remote command-and-control server. This aggressive data-capture mechanism allowed the attacker to siphon additional information (potentially session data or two-factor tokens) beyond just the username and password.
The period also included Netflix and AOL spearphish targeting corporate users in Kentucky, with tactics including aggressive device fingerprinting and fake Google Captchas.
Mitigations
- Block the specified domains on corporate firewalls and endpoint security solutions.
- Remind users of phishing risks for their personal accounts they access even if they are on corporate devices
- Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
- Protect your users from the next wave of zero day phishing attacks and schedule a demo.
threatresearch@pixmsecurity.com
Recent Comments