Two ongoing phishing campaigns are leveraging Microsoft’s Azure Blob Storage in order to steal users’ Outlook and Microsoft account credentials.
Software security firm EdgeWave first announced its discovery of the attacks in February 2019. In the first campaign, attackers sent out emails notifying users that the information associated with their Office 365 account was outdated. These fake notices then threatened to terminate the users’ subscription unless they agreed to log into their account and update their information.
After they clicked on the “Update account information” button, the campaign redirected the users to a landing page that masqueraded as their employer’s Outlook Web App. The page contained a fake login feature designed to steal users’ Office 365 credentials.
EdgeWave also observed another campaign that sent out fake Workplace by Facebook notification emails. These messages tried to trick recipients into clicking a “View More Posts” button. If the users complied, the operation redirected them not to a Workplace site but instead to a landing page designed to phish for users’ Office 365 credentials. (The emails did come with an “unsubscribe” link that pointed to a valid Workplace page, but this asset pertained to another organization entirely.)
Where Azure Blob Storage Comes in
The two campaigns described above stand out for their use of Microsoft Azure Blob Storage, cloud object storage which enables users to store any type of unstructured data, including documents and video. Specifically, the individuals behind these two attacks used Blob Storage to host their phishing pages, and in doing so likely gave themselves a major advantage.
“This is because all Azure Blob Storage URLs use the windows.net domain, which makes it appear as a legitimate Microsoft run service,” explains Bleeping Computer founder and owner Lawrence Abrams in a blog post. “For example, one of the now defunct phishing links had an URL of https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/, which to many users would appear legitimate due to the associated domain name.”
As an added bonus, every page served from Azure Blob Storage is delivered over HTTPS using Microsoft's wildcard TLS certificate for its storage hostnames. That certificate gives each phishing page a lock icon in the address bar, lending a sense of legitimacy to the fraudulent site. The lock only attests that the browser reached a Microsoft-operated storage endpoint over an encrypted connection; it says nothing about who uploaded the content or what the page does.
By no means is this the first time that digital attackers have abused Azure Blob Storage. In September 2018, AppRiver (now part of Zix) detected a phishing campaign leveraging Azure Storage to masquerade as Microsoft’s OneDrive storage and steal users’ credentials. Netskope observed something similar a month later when a PDF decoy document linked to an Office 365 phishing page hosted in Azure Blob Storage. Just a few days after that, Proofpoint revealed how attackers were using templates hosted in Azure to create Hurricane Michael phishing schemes.
Defending against Phishing Campaigns that Use Azure Blob Storage
Security professionals can defend against phishing campaigns that use Azure Blob Storage by investing in a robust email security solution. This tool should be able to analyze suspicious emails based on their URLs, campaign patterns, malware signatures and other indicators while allowing legitimate correspondence through. Domain reputation alone is a weak signal here, because windows.net is legitimate Microsoft infrastructure; the analysis has to consider the full hostname (a *.web.core.windows.net storage-account site is not where Microsoft serves its login pages, which live at login.microsoftonline.com) together with the other traits of the message. It’s these features that ZixProtect used to detect and block the two campaigns observed by EdgeWave.
Sean Vogt, associate product manager at Zix, said that in the course of its analysis ZixProtect pinpointed several distinctive characteristics of the attack emails:
What’s interesting is how often some of the messages reference the victim’s email address domain name to help legitimize the attack. Not only do they spoof the recipient as the sender, which makes blocking these emails that much easier, they also reference the user’s email address in the subject line and three times in the body.
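As an added example, not code from the article, Zix or EdgeWave, the following Python script scores a message for the traits described in the quote above and in the Azure Blob Storage section: a sender address equal to the recipient's, the recipient's address appearing in the subject and repeated in the body, and links whose hostname is an Azure Storage endpoint under windows.net. The two sample messages are constructed for this example (the phishing link reuses the defunct URL quoted earlier); the host-suffix list, the two-mention body threshold and the two-signal verdict threshold are assumptions, not ZixProtect's detection logic.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hostname suffixes of Azure Storage static-website and blob endpoints. The
# campaigns in the article hosted their pages under *.web.core.windows.net.
# Legitimate business use of these hosts exists, so a hit is a signal to
# weigh, not a verdict on its own. (Suffix list is an assumption for this example.)
AZURE_STORAGE_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def is_azure_storage_host(host):
    """True if host is an Azure Storage endpoint (case-insensitive suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in AZURE_STORAGE_SUFFIXES)


def azure_storage_urls(text):
    """Return every URL in text whose hostname is an Azure Storage endpoint."""
    return [u for u in URL_RE.findall(text)
            if is_azure_storage_host(urlparse(u).hostname)]


def analyze_message(raw):
    """Score one RFC 822 message for the traits the article describes.

    Signals: sender spoofed as the recipient, recipient address in the
    subject, recipient address repeated in the body, and links to Azure
    Storage hosts. Returns the individual findings plus a score equal to
    the number of distinct signals that fired.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    sender, recipient = sender.lower(), recipient.lower()
    subject = str(msg.get("Subject", "")).lower()

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    findings = {
        "sender_is_recipient": bool(recipient) and sender == recipient,
        "recipient_in_subject": bool(recipient) and recipient in subject,
        "recipient_in_body": body.lower().count(recipient) if recipient else 0,
        "azure_storage_links": azure_storage_urls(body),
    }
    score = sum([
        findings["sender_is_recipient"],
        findings["recipient_in_subject"],
        findings["recipient_in_body"] >= 2,   # one greeting mention is normal
        bool(findings["azure_storage_links"]),
    ])
    findings["score"] = score
    findings["suspicious"] = score >= 2       # hypothetical threshold
    return findings


# Constructed sample messages for this example (not from the article's data).
SAMPLE_PHISH = """\
From: alice@example.com
To: alice@example.com
Subject: Action required: alice@example.com account information is outdated
Content-Type: text/plain; charset="utf-8"

Dear alice@example.com,

The information associated with your Office 365 account (alice@example.com)
is outdated. Update it now or your subscription will be terminated:

https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/

Sign in with alice@example.com to keep your mailbox active.
"""

SAMPLE_BENIGN = """\
From: bob@partner.example
To: alice@example.com
Subject: Minutes from Tuesday
Content-Type: text/plain; charset="utf-8"

Hi Alice, the notes are on the wiki: https://wiki.example.com/minutes/2019-02
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(raw))
```

The suffix match is anchored at the end of the hostname, so a domain such as windows.net.attacker.example does not match, while mixed case and a trailing dot in the host do. In a real gateway the Azure Storage signal would be combined with the organization's own allow-list of storage accounts it actually uses.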
Given the constant influx of increasingly sophisticated phishing emails, organizations need a multi-layered solution like ZixProtect to keep their systems and sensitive data safe. Click here to learn more about how this advanced threat protection tool works.