Originally discovered by the team at Heimdal Security, a new phishing campaign has been developed and used to deceive Office365 users and even users with just a Microsoft account. The phishing pages have been designed to look like the legitimate landing pages for Office365 and OneDrive. The scammers are using compromised accounts to pass off messages like “Here is the intelligence report we discussed…” or “Here is your invoice.” Typically, these emails pertain to an older conversation that the receiver was involved in, but they can create a sense of urgency due to the nature of the provided information. An attachment is included in the message that, if clicked on, redirects to the real-looking OneDrive and Office365 pages. So far, two domains have been linked to the campaign. The first domain is “iradistribution[.]sofiatsola[.]com,” and its IP address is 188.8.131.52. It has not yet been recognized as malicious by VirusTotal. The site was originally created 15 years ago, with the most recent modifications being made around five months ago. The fact that the domains were registered for 15 years more likely indicates that the attackers took over an “aged” domain to avoid security controls that automatically block newly registered domains. The second domain is “markaldriedgehomes[.]com,” with IP addresses 184.108.40.206 and 220.127.116.11. The admin’s email address is dc75a9c3ee070d94s@YAHOO.COM.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased