ThreatLabZ, the Zscaler threat research team, recently observed a new series of Microsoft-themed phishing attacks aimed at senior-level employees at multiple organizations. The Zscaler cloud has blocked over 2,500 of these phishing attempts over the last three months. The attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data. The aim of these campaigns is to steal these victims’ login credentials to allow threat actors access to valuable company assets.
Attacks have been spread across a range of industries, with the heaviest activity in the banking and IT sectors. We are unable to attribute these attacks to any particular threat actor at this time.
In these attacks, victims receive what appears to be automated emails from their unified communications tools indicating that they have a voicemail attachment. When they click the attachment, victims encounter a fake Google reCAPTCHA screen, and then are directed to what appears to be a Microsoft login screen, allowing threat actors to steal their login credentials. The phishing pages are hosted by using .xyz, .club and .online generic top level domains (TLDs).
Fig 1: The phishing hits observed in our Zscaler cloud over eleven weeks (.xyz, .club and .online)
ThreatLabZ discovered these phishing URLs in our Threat Intelligence framework, and additionally received several submissions to the ThreatLabZ URL risk analyzer tool. Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020.
In this blog, we break down the full attack cycle of the Microsoft phishing campaigns hosted using the .xyz, .club and .online generic TLDs, and include a full list of the phishing domains that were observed. We have also included a chart breaking down the number of attacks by industry and by title to shed more light on the impact of this campaign.
.xyz TLD phishing campaign:
In the .xyz TLD phishing attacks, threat actors send a spam email addressed from a unified communications system with an attached HTML file that is purported to be a voicemail message.
Fig 2:The spam mail with HTML file attachment.
The following figure shows the content of the HTML file with a phishing URL server[.]mvmail365office[.]xyz.
Fig 3: The source code of the attached HTML file vmail-219.HTM.
Once the victim opens the attached HTML file, it redirects the user to the .xyz phishing domain which is disguised as a legitimate Google reCAPTCHA page in order to trick the users.
Fig 4: The fake Google reCAPTCHA page.
Fig 5: The source code of the fake Google reCAPTCHA page.
Once Google reCAPTCHA “verifies” the user, it redirects the user to the fake Microsoft login phishing page.
Fig 6: The fake Microsoft login screen.
Fig 7: The actual content of the fake Microsoft phishing page.
After giving the login credentials, the phishing campaign will show a fake message that says “Validation successful.” Users are then shown a recording of a voicemail message that they can play, allowing threat actors to avoid suspicion.
Fig 8: The fake Microsoft account validation page.
Fig 9: The post-infection traffic captured in Fiddler.
Fig 10: Fake voice message directed from the phishing campaign.
Fig 11: The overall web traffic of the Microsoft phishing campaign captured in Fiddler.
.club TLD phishing campaign:
Similar to the .xyz TLD campaign, the .club TLD phishing campaign begins with the attackers sending spam mail with an attached HTML file addressed from a unified communications system. It then follows with a fake Google reCAPTCHA, fake Microsoft login screen, and ends by showing the user a hosted .PDF file.
Fig 12:The spam mail with attached HTML file ATT34698.HTM.
The following image shows the obfuscated content of the attached HTML file.
Fig 13: The obfuscated content of the attached HTML file.
Fig 14: The de-obfuscated content of the HTML file with the phishing URL.
In this instance, the hosted phishing campaign used the domain volp[.]makersvlib[.]club with the fake Google reCAPTCHA method.
Fig 15: The fake Google reCAPTCHA page uses the .club TLD domain.
Fig 16: The fake Microsoft phishing campaign volp[.]makersvlib[.]club.
Fig 17: The fake PDF file hosted displayed post credential theft.
Fig 18: The overall web traffic of the hosted phishing campaign using .club TLD domain.
.online TLD phishing campaign:
In the .online phishing campaign, the threat actors send users a PDF file with the attached phishing campaign link secure[.]nealrose-lawofficerecords[.]online along with a directive that says “REVIEW SECURE DOCUMENT.” Once the user clicks the file, they are redirected to a fake Google reCAPTCHA followed by a fake Microsoft login screen; post-compromise they are redirected to a Google.com search page.
Fig 19: Spam PDF file redirects to the phishing campaign secure[.]nealrose-lawofficerecords[.]online
Fig 20: The fake Google reCAPTCHA page uses the .online TLD domain.
Fig 21: The fake Microsoft phishing campaign(secure[.]nealrose-lawofficerecords[.]online).
Fig 22: The final destination page (Google.com) after compromise.
Fig 23: The overall web traffic of the hosted phishing campaign using .online TLD domain
Conclusion
The Zscaler cloud blocked more than 2,500 targeted Microsoft-themed phishing attacks over the past three months that were hosted using the generic TLD (.xyz, .club, .online) domains.
The following diagram represents the top industries targeted by this phishing campaign, based on ThreatlabZ analysis:
Fig 24: Percentage of detected phishing hits observed by industry in the Zscaler cloud.
Fig 25: Here is the distribution of the targeted employee designations.
IOCs:
.xyz TLD phishing domains:
a-bl[.]xyz
a-cl[.]xyz
a-it[.]xyz
a-ll[.]xyz
a-rt[.]xyz
aouthsmm[.]vmvoicepss[.]xyz
ay[.]tarr0-trubg4[.]xyz
b-ic[.]xyz
b-on[.]xyz
b-oy[.]xyz
b-ut[.]xyz
bh[.]voxxx-vog[.]xyz
bm[.]vpm-vpx[.]xyz
bm[.]xoxi[.]xyz
bo[.]gi9ygh-gko[.]xyz
c-ad[.]xyz
c-hi[.]xyz
c-sv[.]xyz
c-tl[.]xyz
c-ut[.]xyz
cn[.]c7no-l3onr[.]xyz
connect[.]linktechonline[.]xyz
cu[.]b0t3ion-nplus[.]xyz
d-cj[.]xyz
d-ol[.]xyz
db[.]mscall[.]xyz
df[.]sfrf0d-ffdf8[.]xyz
dh[.]xoxi[.]xyz
e-pl[.]xyz
e-rl[.]xyz
e-xp[.]xyz
e-xt[.]xyz
e-ye[.]xyz
emouths[.]southsvm[.]xyz
en[.]g-ts[.]xyz
en[.]s-ir[.]xyz
evmoises[.]axvoipsee[.]xyz
evoipses[.]vmvoicepss[.]xyz
f-at[.]xyz
f-oc[.]xyz
f-yi[.]xyz
fox[.]gen-voicemh[.]xyz
gb[.]g-ta[.]xyz
h-en[.]xyz
h-jy[.]xyz
i-is[.]xyz
i-tt[.]xyz
ii-j[.]xyz
j-an[.]xyz
j-kj[.]xyz
j-oc[.]xyz
j-on[.]xyz
j-s1[.]xyz
j-ss[.]xyz
jk[.]voxxx-vog[.]xyz
l-it[.]xyz
m-lj[.]xyz
main[.]net-data[.]xyz
mh[.]vowvog[.]xyz
monsvm[.]dgomesx[.]xyz
mp[.]j-mi[.]xyz
ms-dn[.]xyz
msg[.]l-x[.]xyz
mu[.]op9co-sand9u[.]xyz
nnhousts[.]ovoicess[.]xyz
o-su[.]xyz
of-f[.]xyz
om[.]lo0d0-dom1[.]xyz
on[.]l-x[.]xyz
open[.]weprotect[.]xyz
ot[.]bk9hd-ghfi[.]xyz
outhes[.]kmaouths[.]xyz
outhsome[.]svoipse[.]xyz
ov[.]j4hm-i3lbad[.]xyz
p-ai[.]xyz
p-gd[.]xyz
p-kg[.]xyz
p-ra[.]xyz
qwerty[.]casaholic[.]xyz
r-al[.]xyz
r-im[.]xyz
rm[.]vioce[.]xyz
rr[.]fol1-dus0[.]xyz
s-c-srv[.]xyz
s-vl-srv[.]xyz
s-vr[.]xyz
sa[.]n7go-son9[.]xyz
secure[.]weprotect[.]xyz
serv[.]vmail0ffice365[.]xyz
server[.]latvoice365[.]xyz
server[.]mvmail3650ffice[.]xyz
server[.]vmail0ffice365[.]xyz
server[.]vmilogg365[.]xyz
server[.]vmilogger365[.]xyz
server[.]voipvmi365[.]xyz
service[.]linktechonline[.]xyz
service[.]techfirmonline[.]xyz
servnet[.]vmilogg365[.]xyz
servnet[.]voicelineo365[.]xyz
servnet[.]voipo365vm[.]xyz
smouths[.]xvomess[.]xyz
southssm[.]dgomesx[.]xyz
ss[.]jan-4anu[.]xyz
ss[.]kss90-csmi8[.]xyz
sv[.]j-ss[.]xyz
svoipses[.]xvomess[.]xyz
t-wo[.]xyz
th[.]goli90-byx[.]xyz
ty[.]ety3-gyih[.]xyz
v-at[.]xyz
v-jz[.]xyz
vc[.]j-ml[.]xyz
vm[.]creek-nell[.]xyz
vm[.]lookhere-now[.]xyz
vmaxs[.]xvbouses[.]xyz
vmhomes[.]xvomess[.]xyz
vmhomses[.]svoipse[.]xyz
vmhosmm[.]svousnom[.]xyz
vmouses[.]xvbouses[.]xyz
vmouths[.]hotvoiss[.]xyz
vn[.]mack-reck[.]xyz
vn[.]under-cove[.]xyz
vnmouths[.]kmaouths[.]xyz
voipses[.]axvoipsee[.]xyz
vu[.]trf68oo-gh7[.]xyz
vu[.]vrte[.]xyz
vv[.]0bot3-kali[.]xyz
vvousokes[.]xvoicses[.]xyz
www[.]en[.]g-ts[.]xyz
x-ac[.]xyz
xo[.]gen-voicemh[.]xyz
xx[.]ko3-s0nius[.]xyz
z-am[.]xyz
zh-o[.]xyz
zomouths[.]otlcvoce[.]xyz
.club TLD phishing domains:
authentication[.]vmclouds[.]club
d-at[.]club
docc[.]mancvoicedoc[.]club
dq[.]dingvoizs[.]club
evoipses[.]xvoisesx[.]club
h-at[.]club
i-at[.]club
l-at[.]club
nomailses[.]xvoisesx[.]club
ox[.]din4-h0nt[.]club
p-at[.]club
sh[.]dingvoizs[.]club
t-at[.]club
volp[.]hukslert[.]club
volp[.]makersvlib[.]club
volp[.]volssbalert[.]club
vvmails[.]xvoisesx[.]club
xx[.]vam-gij[.]club
.online TLD phishing domains:
app[.]lawofficeneal[.]online
app[.]nealrose-lawoffices[.]online
files[.]lawoffice-nealroseberg[.]online
files[.]lawofficesof-nealrose[.]online
secure[.]lawoffices-of-neal[.]online
secure[.]nealrose-lawofficerecords[.]online
secured[.]lawfirmnearl[.]online
secured[.]rosellawassocciates[.]online
