Large-Scale AiTM Attack targeting enterprise users of Microsoft email services
Summary
ThreatLabz has discovered a new strain of a large-scale phishing campaign, which uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics. Similar AiTM phishing techniques were used in another phishing campaign described by Microsoft recently here.
In June 2022, researchers at ThreatLabz observed an increase in the use of advanced phishing kits in a large-scale campaign. Through intelligence gathered from the Zscaler cloud, we discovered several newly registered domains that are used in an active credential-stealing phishing campaign.
This campaign stands out from other commonly seen phishing attacks in several ways. It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication. There are multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions.
The campaign is specifically designed to reach end users in enterprises that use Microsoft’s email services. Business email compromise (BEC) continues to be an ever-present threat to organizations and this campaign further highlights the need to protect against such attacks.
In this blog, we describe details of the tactics, techniques and procedures (TTPs) involved in the campaign.
Since the campaign is active at the time of blog publication, the list of indicators of compromise (IOCs) included at the end of the blog should not be considered an exhaustive list.
Key points
Corporate users of Microsoft’s email services are the main targets of this large-scale phishing campaign.
All these phishing attacks begin with an email sent to the victim with a malicious link.
The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.
Phishing campaign overview
Beginning in June 2022, ThreatLabz observed a sharp increase in advanced phishing attacks targeting specific industries and geographies.
We identified several newly registered domains set up by the threat actor to target Microsoft mail services’ users.
Based on our cloud data telemetry, the majority of the targeted organizations were in the FinTech, Lending, Finance, Insurance, Accounting, Energy and Federal Credit Union industries. This is not an exhaustive list of industry verticals targeted.
A majority of the targeted organizations were located in the United States, United Kingdom, New Zealand, and Australia.
After analyzing the large volume of domains used in this campaign, we identified some interesting domain name patterns which we highlight below.
Domains spoofing Federal Credit Unions
Some of the attacker-registered domains were typosquatted versions of legit Federal Credit Unions in the US.
Attacker-registered domain name
Legit Federal Credit Union domain name
crossvalleyfcv[.]org
crossvalleyfcu[.]org
triboro-fcv[.]org
triboro-fcu[.]org
cityfederalcv[.]com
cityfederalcu[.]com
portconnfcuu[.]com
portconnfcu[.]com
oufcv[.]com
oufcu[.]com
Note: Per our analysis of the original emails using the Federal Credit Union theme, we observed an interesting pattern. These emails originated from the email addresses of the chief executives of the respective Federal Credit Union organizations. This indicates that the threat actor might have compromised the corporate emails of chief executives of these organizations using this phishing attack and later used these compromised business emails to send further phishing emails as part of the same campaign.
Domains spoofing password reset theme
Some of the domain names used keywords related to “password reset” and “password expiry” reminders. This might indicate that the theme of the corresponding phishing emails was also related to password reset reminders.
expiryrequest-mailaccess[.]com
expirationrequest-passwordreminder[.]com
emailaccess-passwordnotice[.]com
emailaccess-expirynotification[.]com
It is important to note that there are several other domains involved in this active campaign, some of them are completely randomized while others do not conform to any specific pattern.
Distribution mechanism
We have limited visibility into the emails used to distribute the phishing URLs. In some cases, the malicious links were sent directly in the email body; in other cases, the link was present inside the HTML file attached to the email.
Figure 1 below shows an email which contained an HTML attachment with the malicious phishing URL embedded inside it.
Figure 1: phishing email sent to the user with HTML attachment
Figure 2 below shows the contents of the HTML attachment. It uses window.location.replace() to redirect the user to the phishing page when the HTML page is opened with the browser.
Figure 2: HTML attachment used to redirect the user to the phishing page
Figure 3 below shows an example of a phishing email in which the attacker sent the malicious link directly in the email body.
Figure 3: Malicious link present in the email body
We observed the use of a variety of URL redirection methods in a large number of cases. Instead of sending the actual phishing URL in the email, the attacker would send links that used a variety of redirection methods to load the final phishing page URL. We describe the details of some of these methods in the following section.
Abuse of legitimate web resources for redirections
Phishing sites were seen being delivered, redirected into, and hosted using numerous methods.
A common method of hosting redirection code is making use of web code editing/hosting services: the attacker is able to use those sites, meant for legitimate use by web developers, to rapidly create new code pages, paste into them a redirect code with the latest phishing site’s URL, and proceed to mail the link to the hosted redirect code to victims en masse.
These services provide flexibility to the attackers, since the contents of the redirect codes can be changed at any time. It has been observed that in the midst of a campaign, attackers will modify the code of a redirect page and update a phishing site’s URL that has been flagged as malicious, to a fresh undetected URL.
The most commonly abused service for this purpose is CodeSandbox.
Figure 4 below shows the most common redirect code hosted on CodeSandbox, utilized by the phishing site.
Figure 4: redirect code snippet on an attacker-controlled CodeSandbox instance
Figure 5 below shows an example of redirect code hosted on a similarly abused service – Glitch.
Figure 5: redirect code hosted on an attacker-controlled Glitch instance.
Many dozens, if not hundreds, of different CodeSandbox code pages were observed hosting different redirect codes to the phishing sites.
Many of those pages were authored by a network of registered CodeSandbox users, letting us see the names of the Google accounts used for their registration.
While most Google accounts we could find are anonymous throwaway accounts that are a dead end to attribution efforts, an internet search of a few account names tie some of the authors to older, more primitive phishing campaigns, and also show a history of engaging in cryptocurrency investment/recovery scams.
Another method observed for URL redirection is the abuse of Open Redirect pages hosted by Google Ads and Snapchat. Figure 6 shows more details.
Figure 6: different methods of URL redirection abusing Open Redirect pages
Browsing to these links will immediately redirect the client to the URL specified in the GET parameter highlighted in blue colour.
This method gives the attackers the benefit of being able to send emails with links pointing to these legitimate sites as the entry point, with the actual phishing sites’ addresses only appearing somewhere in the GET parameters, raising the likelihood of evading scanning of malicious URLs performed by email clients.
Fingerprinting-based evasion
This campaign utilizes a client fingerprinting process on all phishing sites that we will cover in this article. This process happens immediately upon the page being visited.
The initial page clients are served consists of JavaScript code, ripped from the FingerprintJS project, whose purpose is to collect information from the client’s browser in order to help the site determine if the person behind the browser is in fact not an unsuspecting victim, but an unwelcome probing analyst or an automated bot.
The script gathers identifying information such as the client’s operating system, screen dimensions, and timezone, and communicates its findings back to the site by WebSocket traffic. The complete list of information gathered from the client’s machine is mentioned in the Appendix at the end of the blog.
Figure 7: Client fingerprint data sent to the server over websocket
With this information received, the site arrives at a verdict whether it should continue reeling in the client, or should it get rid of it by redirecting to the Google homepage.
How exactly the site decides this is unknown since the logic is present on the server side, but it has been observed that browsers running in virtual machines are detected by examining the name of the client’s graphics driver, as exposed by the WebGL API.
By default, VirtualBox and VMware make themselves known this way, and require some masking effort in order to pass this check, for example making use of browser setting `webgl.override-unmasked-renderer` on Firefox.
In case the site does not find a reason to suspect the client, it will serve it an authentication cookie that the client-side code will proceed to save before reloading the same page, this time receiving the main phishing page by the site.
Figure 8: Upon successful fingerprint process, site returns authentication cookie __3vjQ.
Proxy-based AiTM phishing attack overview
Traditional credential phishing sites collect the user’s credentials and never complete the authentication process with the actual mail provider’s server. If the user has multi-factor authentication (MFA) enabled, then it prevents the attacker from logging into the account with only the stolen credentials.
In order to bypass multi-factor authentication, attackers can use Adversary-in-the-middle (AiTM) phishing attacks. All the attacks which we describe in this article used the AiTM phishing attack method.
AiTM phishing attacks complete the authentication process with the actual mail provider’s server (in this case – Microsoft), unlike traditional credential phishing kits. They achieve this by acting as a MiTM proxy and relaying all the communication back-and-forth between the client (victim) and the server (mail provider).
There are three main open-source AiTM phishing kits available which are widely known in the community.
Evilginx2
Muraena
Modlishka
Based on our research, we believe that the threat actor in this case used a custom phishing kit. In the following section, we highlight some of the unique attributes we identified in the client-server communication which differs from the common off-the-shelf AiTM phishing kits.
We will not cover the technical details of how the AiTM phishing kits work in general since they are widely documented in the public domain such as here.
Unique attributes of the phishing kit
All advanced AiTM kits have in common that they operate as a proxy between the victim and the target site (Microsoft servers in our case).
The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works.
We observed several ways in which the phishing kit’s operation is distinguishable from the three open-source kits:
HTML parsing
It’s apparent that the phishing kit’s backend is making use of an HTML parser library, such as Beautiful Soup.
We can deduce this by comparing the messy, unindented HTML code arriving from Microsoft:
And the same HTML code as relayed by the phishing kit, tidied up and properly indented:
It is likely that the phishing kit feeds the HTML it reads from the Microsoft server into an HTML parser, which creates a programmatic representation of the entire HTML tree. This allows a programmer to conveniently manipulate the different elements by interacting with the objects that represent them.
Once the manipulation is done, the library produces an HTML output of the tree with all changes applied. This often results in a tidy output, as we see above.
The three open-source kits don’t make use of HTML parsers, instead operating on the received HTML data just by using basic string operations.
Domain translation
One of the things the kits need to take care of is replacing all the links to the Microsoft domains with equivalent links to the phishing domain, so that the victim remains communicating with the phishing site throughout the phishing session.
For example, Figure 9 below shows a side-by-side comparison of an HTML snippet. On the left is the original code as served by Microsoft, and on the right is the same code after it has undergone translation, on its way to be relayed to the victim.
Figure 9: HTML snippets before and after translation
The original subdomain (green), the original domain name (blue, minus the TLD), and a unique generated ID (pink) are joined together with dashes and become a subdomain under the phishing site’s domain (orange).
This translation pattern, namely the 8 hexadecimal digits ID added to links, appears unique to this phishing kit, and is not used by the three open-source kits.
However, there’s a case where this translation is not taking place.
The Office 365 login page, as part of a feature called “Azure Active Directory Seamless Single Sign-On”, communicates with Microsoft server `autologon.microsoftazuread-sso.com` in order to load company-specific scripts to offer this feature to the authenticating client.
The references to this server can be seen in this snippet of JavaScript, taken from the main Office 365 login page:
For one reason or another, the phishing kit does not perform translation on the links to `autologon.microsoftazuread-sso.com` shown above, and they make their way to the victims intact.
This results in the victim’s browser performing HTTP requests like the following, while loading the login page:
Effectively “leaking” the phishing site’s address as the referring site inside a request to the Microsoft server.
This opens up the possibility of detecting the kit in the act, if a victim’s HTTP traffic is monitored by network security solutions capable of deep packet inspection.
Post-compromise activity
To investigate the post-compromise activity, we set up an Azure AD instance in our lab with a dummy account and a domain controlled by us. We visited one of the live phishing URLs, supplied dummy account credentials, and completed the multi-factor authentication process.
In one case, we observed that the attacker logged into our account, 8 minutes after we sent our credentials to the attacker’s server. It is important to note that the attacker logged into the account from another IP address (different from the phishing domain’s IP address). Based on the delay of 8 minutes in post-compromise activity, we suspect that the threat actor is manually logging into the account.
Figure 10 below shows audit / sign-in logs from our lab’s Azure AD highlighting the post-compromise activity.
Figure 10: Azure AD sign-in logs highlighting post-compromise activity
At the time of our investigation, we did not see any specific post-compromise activity performed by the threat actor besides merely logging into the account, reading emails and checking the user’s profile information.
Zscaler’s detection status
Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:
HTML.Phish.Microsoft
Conclusion
Business email compromise (BEC) continues to be one of the top threats which organizations need to protect against. As described in this blog, the threat actors are constantly updating their tactics, techniques and procedures (TTPs) to bypass various security measures.
Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.
As an extra precaution, users should not open attachments or click on links in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.
The Zscaler ThreatLabz team will continue to monitor this active campaign, as well as others, to help keep our customers safe.
Indicators of compromise
# Since the campaign is active at time of the publication and this threat actor is relentless in creating new domains almost every day, the IOCs below should not be considered as an exhaustive list.
Phishing domains
0mx1lntastantretatlanpassword[.]com
0mxus3rauthkeepsame[.]com
10311landex[.]com
206pms[.]com
2nbskull[.]com
333-77-6578-929-000[.]info
34533teams[.]xyz
365jhsgbxsncnsuye67[.]live
365maineventco[.]com
365voicemessage[.]com
3dfzlrtsiwfibvfyql96zt[.]live
455b3105mssvr[.]ml
5d4ba5ca-d814-4049-8ea3-af505f6e1e01[.]info
5thcolumn[.]accountant
7dmjmg20p8mty1nzexnjgzoc40ljeumty1nzexnzqxny4yng[.]co
7dmjmg20p8mty1ody5mjm4ms4xms4x[.]live
aaaaclub[.]net
aaaaoffice635u[.]com
abg-serviices[.]com
accionabdjv[.]ca
accvcam[.]com
acehomproducts[.]com
acqureioil[.]com
acuciondi[.]com
adlokali[.]com
adobe-06195[.]com
adobe-20648[.]com
adobe-54836[.]com
adobe-69451[.]com
adobe-91506[.]com
agoaci[.]click
agre-ae[.]com
agronne[.]com
aibels[.]com
aibie[.]me
aimedical[.]click
ainorsigns[.]co
ainswat[.]com
aismare[.]us
alamarcosmetics[.]xyz
alamoudiexchange-online[.]com
alamoudiexchang-online[.]com
alexmakanaki[.]com
almflrm[.]com
alnapeckagingco[.]com
altoma-report[.]com
amat-us[.]com
ambleasia[.]co
aminocx[.]xyz
am-jlll[.]com
appsinfo[.]xyz
aqkagjmyzg0otu5ltaznmitndjjms04zwrhlwnknd[.]us
aqriko[.]com
aquitainewine[.]click
araedt[.]com
aritcac[.]com
ascisoft[.]com
asdfghgfdsa[.]com
asianwaterjet[.]com
asn4[.]xyz
assetprovidingsupport[.]xyz
assoulne[.]com
atg1[.]xyz
atg2[.]xyz
audlgreenville[.]com
aufdreworld[.]com
auhrticezemkrt[.]com
auth17[.]com
autsolut[.]net
avantscapital[.]com
avis-corporation[.]com
azurenetworksauthx[.]us
baincoorp[.]com
bannesco[.]com
basinposal[.]com
bat-machinebouw[.]click
bbld[.]xyz
bckoffice[.]com
bdudhurujrhrsvdgdg[.]com
behringermails[.]com
benchrnark[.]com
bergspyderus[.]click
berightpw[.]com
bevcapmanagements[.]com
bewine[.]click
biibbeo[.]com
biofrontera-online[.]com
blackmorcpa[.]co
blockhoury[.]com
bluestoneqrp[.]com
bluewaterlogisticsgroups[.]com
boghdetgtahstak[.]com
bollinger-news[.]com
braagenh[.]com
brabinfo[.]xyz
bragmutual[.]org
brandisaw[.]pics
breadlaof[.]com
brendghsgsddczx[.]com
brentags[.]com
bryologyx[.]click
btfufu[.]com
btxinc[.]click
buildintegrated[.]click
businessresourceshq[.]com
buyhhcwholesale[.]com
c4xnjf[.]com
caassoclates[.]com
calling-phone[.]xyz
calspass[.]com
capitaln[.]org
casgravels[.]com
cds-ddd[.]com
celticvc[.]org
centament[.]com
chanpionpromotion[.]com
chemtge[.]com
chismstrategiies[.]com
cidkslhtrifmentinimtimesoffdots[.]xyz
cilakemillswius[.]click
cinquefonti[.]click
ci-resuorces[.]com
cityfederalcv[.]com
cityofchlcago[.]org
clearloginmailbox[.]com
clemenhagen[.]com
cloud-distributions[.]com
cnptrd[.]com
coastllnecapital[.]com
cohorted[.]click
colonyretirement[.]org
comlivess[.]com
commtraclfloors[.]com
comoholdingusa[.]com
comoutlooks[.]com
congregationanshaitorah[.]com
corned[.]co
costaenergyllc-report[.]com
cpipaneiis[.]com
craateoronlineecergynewnote[.]xyz
craigsintl[.]com
crossvalleyfcv[.]org
crswell[.]com
cscsteelsusa[.]com
cullensolicitors[.]com
cvcolebrook[.]click
damerche[.]com
dastoffidhtrifmentinimtimesoffdots[.]xyz
dastoffkmentinimtimesoffdoctas[.]ninja
davisellen[.]com
dbfjkndkhvsjfdyjdbdih[.]com
dechanghitach[.]com
dechocoladefabriek[.]click
dedrone-online[.]com
deseuwhioaks[.]xyz
destrooper-olivier[.]click
dextermags[.]com
dfrfeedback7w[.]com
difioreconstructions[.]net
dirtymoneydenger[.]xyz
discoverlewis[.]co
disgros[.]com
djtransportatlon[.]com
dkdnspmeitlo[.]com
dkfkofbnfiufbihfiuf[.]com
dlago[.]co
dlfcgzgpgwrdfjtkszrbzpzpwpndkd[.]com
dnsnamess[.]com
documentsharepoint[.]com
douglassedist[.]com
downs-energys[.]com
dphinc[.]org
drdrgroup[.]org
drussellccigroup[.]com
dse01[.]com
dsjusfd-lth[.]com
durascrete[.]com
dustaslde[.]com
dyndjdbhdjakshd[.]com
dynnata[.]com
ebclh[.]org
efcotac[.]com
efscystems[.]com
ehdd[.]net
ehdgffdsfd-bdvdbfdyue34dsscdssd[.]me
eiiisdone[.]com
ejidoater[.]com
elecorporattion[.]com
electronictransmission[.]net
elistsair[.]com
emailaccess-expirynotification[.]com
emailaccess-passwordnotice[.]com
email-verification-access-password-notificafions[.]com
emediartslab[.]com
encorebrard[.]com
encores-bz[.]com
endoselec[.]com
envizai[.]com
eriecommunltyfcu[.]org
etacenter[.]com
etiselat[.]com
etxfabs[.]com
eu-biuestarinc[.]com
excelavgroups[.]com
excelville[.]com
expirationrequest-passwordreminder[.]com
expiryrequest-mailaccess[.]com
exyta[.]net
fabirtek[.]com
fabrinet-globals[.]com
fabrinets[.]com
fahdsuk[.]com
faircapitallc[.]com
fcmilndia[.]com
fgtsolutions[.]co
filkjooor[.]com
finalmanstandlap[.]com
fiorettl[.]com
fiplodjfjfjnxjisski[.]com
firstablenefcu[.]org
flakestld[.]us
flowerandmore[.]biz
fmh-corp[.]org
foodjet[.]click
forbedentallab[.]com
fr-ggori[.]xyz
friendsofc-online[.]com
frontofflcce[.]com
fulier[.]ca
galatachemicals[.]net
garefl[.]com
gassentec[.]com
gatewaytubular[.]com
generalstores-be[.]click
genevainn[.]org
gennfed[.]com
ghllamak[.]com
ghvgghjjhbhbhb[.]com
gianjet[.]com
gimc-cocktail[.]com
girvlnassoc[.]net
goarnstrong[.]com
graycardinal[.]ca
greatwauecom[.]com
greenstalkholding[.]com
gsokoauyilpoi[.]com
gspwii[.]com
guardanthealths[.]com
hafe1e[.]com
haglaegis[.]com
halalog[.]com
halesjewelers[.]org
harvestclhurchba[.]com
hasseco[.]co
hawaiianpr0p[.]com
hcisystem[.]net
healths-law[.]com
heibraunievey[.]com
hgjvdfvfh[.]com
hhppny[.]com
hidefsurveying[.]info
hjdlsksfhhn[.]com
hokualakavai[.]com
holder-fcl[.]com
horizonholdlngs[.]com
horstandgrabenwealth[.]xyz
hsshd729s[.]com
huguhsings[.]com
iaunchfinance[.]com
imperialprecision[.]org
inboxmainchil[.]com
infokeysinc-mlcrosoftpasswdd[.]com
infomicrosoft[.]net
innfinancial[.]net
insaertab[.]com
instagzone[.]com
intelliclicksoftware-online[.]software
intrepidpotashs[.]com
ireataeoronlineecergynewnote[.]xyz
isccontractings[.]com
ispschools[.]co
itsonlinewiththefileofficeofficial[.]xyz
iukygt98yu09i8iuy908iuy908iuytrgfh67[.]com
jcb[.]cx
jsptsenergy[.]com
jukiyq[.]com
junnioehsnsbh7[.]me
kathisp[.]com
kbnoffice[.]com
keep356fgfhgutryt[.]com
keepsettingsinfoanon[.]com
kickte[.]com
kiymanfinancial[.]com
kj4brvghvjk[.]com
kleinfalder[.]com
klimateshield[.]net
knyjbio[.]com
koc-tr[.]com
kreagermitchell[.]click
ktorresrray[.]com
kupolae[.]com
kushyedhfman[.]com
lakrvsm[.]com
lanckstele[.]com
lang-cq[.]com
leedseng[.]com
levaelld[.]com
lfiliumination[.]com
lifetechrned[.]com
litechcking[.]xyz
lityrest[.]com
liwsupply[.]com
lkhgfghccghgh366555[.]com
lmscorp-us[.]com
lnstream[.]net
lntrecash[.]com
logindri-veshare[.]live
loginmicrossft[.]co
logsettingsforlog[.]com
lointree[.]com
longetivity[.]co.uk
m0367d6378b355472d879736b7350[.]live
m0autthxxd47[.]com
mabdhufbwkshudgvhu[.]com
madasmaneudonedeo[.]com
mailpasswordexpiry-reminder[.]com
mailscancache[.]com
mailstoragenoticeonline[.]com
makairalandscaqe[.]com
managementlocks[.]com
mandnsjeyrusmskbdv[.]com
mansoolsnsjwuajshd[.]com
mapdatew[.]com
marshwestin[.]com
marynellmalonyelawfirm[.]com
mashcapyusu[.]org
mashroecy[.]com
maxismstaffing[.]com
mcrosftpasswd-activity[.]com
melograno[.]click
meqal-secure[.]com
merrakii[.]com
messageallianceclue[.]com
mhkspartners[.]com
miccrosoftttoficee365[.]com
miccrrosoftsecure[.]com
microtki[.]com
mindfulbirthnj[.]com
mirevabalika[.]xyz
mlcc-asminternational[.]us
mllklabor[.]org
mlly[.]xyz
moralibbx[.]xyz
morent[.]co
moreoff376[.]com
morrisonheshfield[.]com
mrecateoronlineecergynewnote[.]xyz
mscenter-exchangeinfo[.]ga
mscenter-exchangeprotect[.]ga
mscenter-exchangeprotect[.]ml
mscenter-protectexchange[.]ga
mscenter-protectexchange[.]ml
mscenters-exchangeprotects[.]ga
mscenters-exchangeprotects[.]ml
mscomplaince-exchangemx[.]ga
mscomplaince-exchangemx[.]ml
mservcfrduud[.]com
mslawtc[.]com
mso-10[.]com
mso-4[.]com
mso-6[.]com
msokool[.]com
msonline[.]club
msprotect-exchangemx[.]cf
msprotect-exchangemx[.]ml
mssoleop[.]com
mtfbs[.]click
mxfdsam3new[.]com
mypage-corporate[.]com
myplos[.]com
nailbur[.]com
nanbhx[.]com
nce-sg[.]com
netcapittal[.]com
newmanregencytransmission[.]com
newmansimpsons[.]com
newrecalluser[.]com
newttech-sys[.]com
nfnoffice[.]com
nkccpa[.]com
nlmeks[.]com
nmed-lab[.]com
nordicstrustee[.]com
northvolts[.]com
ntgent-be[.]click
nutritionadvisors[.]org
ny-vee[.]co
oauth7[.]com
ofccuu[.]com
officefilest[.]com
officeoutteamworkstation[.]com
offilincom[.]com
offjkhgvc[.]com
offwmi[.]com
oniline-mics[.]com
onlineoffce[.]com
onlinservices[.]club
onsettingsdav[.]com
ophoustons[.]com
oreqonaero[.]com
os1connect[.]com
oslappy[.]com
oufcv[.]com
ourin[.]xyz
outlookfilesauthentication[.]com
ovfcv[.]com
owlautoai[.]com
owlwarrantyai[.]com
oxtelidi[.]com
paccommtg[.]com
paceqallery[.]com
paksolvtionsusa[.]com
palcogenerator[.]com
pars-org[.]com
passportinc-onlinecom[.]com
password00verification385518485[.]com
password0verify6767971208[.]com
pathwavscu[.]com
patterrnenergy[.]com
pbiapp[.]com
pelladrect[.]com
pepslco[.]com
perfectsmile-dcntal[.]com
perkinlawtx[.]com
permobill[.]com
pflzer[.]co
pheniexnt[.]com
pilarcu[.]com
playboyhouse[.]xyz
playersoft[.]co
poetape[.]com
poiu767678i89p98o7o98po9p7p67p7op654re[.]com
portalquery-expirynotice[.]com
portalresolve-reminder[.]com
portconnfcuu[.]com
povndmgt[.]com
pqkkwkkskdjqwpokhjqoqpqpakqpqiwqqpqowqpwooq[.]com
preferred-properties[.]info
pressin[.]xyz
pretressservices[.]com
priaso[.]com
primwests[.]com
progressim[.]click
project-scop[.]com
project-scop[.]live
psscontractor[.]com
pyxislogistics[.]click
qsummary[.]online
quintadapraiaverde[.]com
qwlckrate[.]com
r4services[.]org
radsotek[.]com
railsone-usa[.]com
ramsmtgcaps[.]com
ranndlog[.]com
raptrotech[.]com
rchrsc[.]com
reddinc[.]org
registration-forms[.]us
reidterrasolution[.]com
res-report[.]us
riuyimachine[.]com
rmcdmcc[.]com
rnechcollc[.]com
rodlncoinc[.]com
ructioninc[.]com
sablepw[.]top
safelinks[.]online
saicorp[.]co
salesforcie[.]com
sancoent[.]org
sanleandroford[.]click
sbvdjhsadbvjfrkuvfbhdhd[.]com
scbhubonc[.]co
schmidoffice[.]click
scotchdale[.]click
secrelogrussmake[.]com
sembmarine-online[.]com
seneca-report[.]com
serviceproviderrs[.]com
servicewebofficeindex361loginemail[.]online
settings0365[.]com
shaftdesign[.]click
shapshap22[.]com
share-access-notifications[.]com
sharepoint-access-notifications[.]com
shdjfbfjfskjdfyfgngjgjg[.]com
shelils[.]com
shenoeup[.]com
siemens-energv[.]com
siktadmog[.]com
single-temps[.]com
situationintarective[.]com
sixspartnerrs[.]com
sjsjsjsjsjsjsjsssjsj[.]club
slakdkslpeop[.]com
somaloglc[.]org
spcc-toledo[.]net
sproquela[.]com
sroauth[.]xyz
ssosignons356[.]com
stablematerials[.]com
stanepp[.]org
steelwrists[.]com
stefany1990[.]click
stenfordedu[.]com
stocksfroozen[.]xyz
stonecastlepartnerrs[.]com
styguhidsyhuidsyzuhids7husd78xds7zx8ds7zx89jids[.]com
subsiquent-protection[.]xyz
substentialsecurepron[.]xyz
sumiy0shi[.]com
swesreport[.]com
sxhygdhsg[.]co
synergipartnars[.]com
sysvamps[.]com
tahoebiltmore[.]org
tankequipments[.]com
temcopi[.]com
teremilazer[.]com
terminalvfest[.]co.uk
terracon-report[.]com
terryappraisalsgroup[.]com
texantitle-report[.]com
theeveristco[.]com
thejyygroup[.]com
themaplob[.]com
thereportbot[.]com
tigoenergym1crosoft-passwd[.]com
tmasites[.]co.uk
tmhfcv[.]org
tonic-collective[.]live
triboro-fcv[.]org
tri-iinc[.]net
truebjj[.]com
tuemereliaz[.]com
ud8sa[.]com
ulakhaberlesme-online[.]com
unidinex[.]com
uniltedrental[.]com
unionblz[.]org
unltedrental[.]com
urbantrustscapital[.]com
urw-us[.]com
ushinsk[.]com
uswurskland[.]com
utpostra[.]com
uueb837en[.]com
uzomafoundation[.]com
valentern[.]com
vectaenvironml[.]xyz
venovoice[.]online
ventiott[.]com
vesonn[.]com
vicetelejhgvfhj[.]com
viewsprotech[.]com
villatelperu[.]com
vistabank-report[.]com
vitox[.]click
vm-buscall[.]club
vmonlineservice[.]xyz
vmsendermails[.]xyz
vm-service[.]xyz
vodafonex[.]online
von-lincs[.]shop
vrmarath0n[.]com
vurijuireiujmfdusijeruijmfudisjdsaim[.]com
waunacvorg[.]com
webcore2[.]com
webcore3[.]com
webmailservice[.]site
websecuritynotice[.]com
weldongranger[.]com
wellingtons-partners[.]com
westmariinfund[.]org
whoerkemshdh[.]com
wiliampenn[.]com
windssorservices[.]com
wis3po-1k60i5bn-jwza24[.]com
wittial[.]com
wonjiinco[.]com
workenterservice[.]com
worldexchangechbe[.]com
xcduoyuuwa[.]com
xlikk[.]com
yhjfdhgjdhunjdyuidesuidsuihjfdjkies[.]com
yickhoesgroup[.]com
yolmathy[.]com
zhongt0ng[.]org
Codesandbox URLs
clxbcj.codesandbox[.]io
c0poft.codesandbox[.]io
ekwg9l.codesandbox[.]io
epovr9.codesandbox[.]io
er849r.codesandbox[.]io
fnqynt.codesandbox[.]io
hjfsty.codesandbox[.]io
iz8ieq.codesandbox[.]io
jkvpu5.codesandbox[.]io
j3buwf.codesandbox[.]io
kg4pxm.codesandbox[.]io
k54431.codesandbox[.]io
k8zngr.codesandbox[.]io
lq1nq3.codesandbox[.]io
mvis9x.codesandbox[.]io
on8pb2.codesandbox[.]io
pc292i.codesandbox[.]io
pjoumm.codesandbox[.]io
quzqvm.codesandbox[.]io
rn8hs6.codesandbox[.]io
sjtug9.codesandbox[.]io
tz29yo.codesandbox[.]io
u2xyhg.codesandbox[.]io
xdtmw5.codesandbox[.]io
y7dp2d.codesandbox[.]io
zwec9y.codesandbox[.]io
286755.codesandbox[.]io
3fytwq.codesandbox[.]io
34ovuk.codesandbox[.]io
62zy6b.codesandbox[.]io
660o5v.codesandbox[.]io
7o7ttl.codesandbox[.]io
77du0t.codesandbox[.]io
8nk0ds.codesandbox[.]io
9xybgc.codesandbox[.]io
Glitch URLs
bald-savory-whippoorwill.glitch[.]me
curvy-spiritual-dirt.glitch[.]me
deep-blossom-dichondra.glitch[.]me
jolly-hospitable-hygienic.glitch[.]me
prism-principled-eucalyptus.glitch[.]me
showy-clammy-riddle.glitch[.]me
tabby-pattern-curiosity.glitch[.]me
Appendix
Client fingerprint collected
{u’data’: {u’appCodeName’: <string>,
u’appName’: <string>,
u’audioCodecs’: {u’aac’: <string>,
u’m4a’: <string>,
u’mp3′: <string>,
u’ogg’: <string>,
u’wav’: <string>},
u’automation’: [<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>,
<boolean>],
u’battery’: <boolean>,
u’cookieEnabled’: <boolean>,
u’debugTool’: <boolean>,
u’devtools’: <boolean>,
u’document’: {u’characterSet’: <string>,
u’charset’: <string>,
u’compatMode’: <string>,
u’contentType’: <string>,
u’designMode’: <string>,
u’hidden’: <boolean>,
u’inputEncoding’: <string>,
u’isConnected’: <boolean>,
u’readyState’: <string>,
u’referrer’: <string>,
u’title’: <string>,
u’visibilityState’: <string>},
u’etsl’: <integer>,
u’hardwareConcurrency’: <integer>,
u’hasChrome’: <boolean>,
u’javaEnabled’: <boolean>,
u’language’: <string>,
u’languages’: [<string>, <string>],
u’mediaSession’: <boolean>,
u’mimeTypes’: [<string>, <string>],
u’multimediaDevices’: {u’micros’: <integer>,
u’speakers’: <integer>,
u’webcams’: <integer>},
u’permissions’: {u’accelerometer’: <string>,
u’ambient-light-sensor’: <string>,
u’ambient_light_sensor’: <string>,
u’background-fetch’: <string>,
u’background-sync’: <string>,
u’background_fetch’: <string>,
u’background_sync’: <string>,
u’bluetooth’: <string>,
u’camera’: <string>,
u’clipboard-write’: <string>,
u’clipboard_write’: <string>,
u’device-info’: <string>,
u’device_info’: <string>,
u’display-capture’: <string>,
u’display_capture’: <string>,
u’geolocation’: <string>,
u’gyroscope’: <string>,
u’magnetometer’: <string>,
u’microphone’: <string>,
u’midi’: <string>,
u’nfc’: <string>,
u’notifications’: <string>,
u’persistent-storage’: <string>,
u’persistent_storage’: <string>,
u’push’: <string>,
u’speaker-selection’: <string>,
u’speaker_selection’: <string>},
u’platform’: <string>,
u’plugins’: [<string>,
<string>,
<string>,
<string>,
<string>],
u’referrer’: <string>,
u’screen’: {u’cHeight’: <integer>,
u’cWidth’: <integer>,
u’orientation’: <string>,
u’sAvailHeight’: <integer>,
u’sAvailWidth’: <integer>,
u’sColorDepth’: <integer>,
u’sHeight’: <integer>,
u’sPixelDepth’: <integer>,
u’sWidth’: <integer>,
u’wDevicePixelRatio’: <integer>,
u’wInnerHeight’: <integer>,
u’wInnerWidth’: <integer>,
u’wOuterHeight’: <integer>,
u’wOuterWidth’: <integer>,
u’wPageXOffset’: <integer>,
u’wPageYOffset’: <integer>,
u’wScreenX’: <integer>},
u’serviceWorker’: <boolean>,
u’timezone’: <string>,
u’userAgent’: <string>,
u’vendor’: <string>,
u’videoCodecs’: {u’h264′: <string>,
u’ogg’: <string>,
u’webm’: <string>},
u’visitorId’: <string>,
u’webRTC’: <boolean>,
u’webXR’: <boolean>,
u’webgl’: <string>},
u’ftype’: <string>}
*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Sudeep Singh. Read the original post at: https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services