In a recent report by Sergiu Gatlan at Bleeping Computer, he covers the details of a phishing campaign being tracked by the Security Intelligence Team at Microsoft. The campaign, which aims to trick targeted individuals into typing their Microsoft account password into a fake Microsoft logon page, is attempting to utilize multiple methods to evade detection as well as analysis. One such technique is the use of multiple redirections in a chain with a unique subdomain for each target, using the recipient username and the organization name in the subdomains. This results in a wide variety of unique URLs that are harder for defenders to share with each other and proactively block in network security controls. Microsoft also noted that to increase the appeal of the subdomain, it would include a random list of strings such as “Password Update”, “Exchange proteccion”, “Helpdesk-#”, “SharePoint”, or “Projects_communications” in an attempt to have an increased click rate to the redirect. The redirect subdomain also can detect sandboxes to evade analysis. If a sandbox is detected, it sends traffic to a legitimate site. Once the landing page to the phishing site is collected, the heavily obfuscated page adds another step to prevent more in-depth research.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.