A new phishing campaign abuses three corporate cloud services - the Microsoft Azure, Microsoft Dynamics and IBM Cloud - to steal credentials connection. This new phishing campaign is supposed to come from a Help Desk called “Servicedesk.com”, mimics the wording used by real IT helpdesk domains in corporate environments. The e-mail has the form of a notice Quarantined mail frequently sent to workplaces via email security products and spam filters (spam), asking the user to "release messages stuck in the queue".
The address (folder) "From:" listed in the email, is the “Noreply@servicedesk.com” and while the domains can easily be forged, the email headers for this phishing campaign indicate that the email was sent from this domain. The phishing email is sent from an intermediate domain Cn.trackhawk.pro, but the original domain is "servicedesk.com".
In most email spoofing scenarios, a mismatch between the email domain "From:" and the domain mentioned in the lower header “Download:”, is an indication of suspicious activity. In this campaign, the domain "servicedesk.com" is used at the address "From:" (folder) and corresponds to the domain mentioned in the last heading "Download:", making it easier to bypass spam filters.
These headers can indicate two scenarios:
- Either server of "servicedesk.com" were compromised and attackers send emails through them.
- Either the attackers send emails through the domain "cn.trackhawk.pro", but put the header "Download: from servicedesk.com…" at the bottom, to match the domain "From:" (folder), to show more convincing and reliable.
Additionally, the IP ping that states "Download: from servicedesk.com ([126.96.36.199])" returned timeouts, indicating that it is not live. IP "cn.trackhawk.pro" (188.8.131.52), however, responds correctly to pings, indicating that scenario # 2 is more likely. Still, the lack of validations DMARC, DKIM and SPF in the domain "servicedesk.com", allows spammers to take advantage of this domain, as shown in these attacks.
The abuse of corporate cloud services Microsoft Dynamics, Microsoft Azure and IBM Cloud for hosting phishing landing pages adds persuasiveness to the campaign. This is especially true because domains hosted on Azure (windows.net) or IBM Cloud automatically receive free SSL certificates containing the names of these companies, adding even more credibility.
Also, in phishing email there are buttons with the indication “RELEASE MESSAGES” or “CLEAN-UP CLOUD” which, when pressed by a user, they take him to a legitimate address URL Microsoft Dynamics 365. This URL then redirects the user to an IBM Cloud domain, the cf.appdomain.cloud, used for IBM Cloud Foundry deployments to host the phishing landing page. This landing page has been designed with some "degree of awareness" on the part of the attacker, as entering a "test" password that is too weak will display an error "wrong password".
Entering a password of appropriate length and complexity, if it meets the criteria set by IBM Cloud, will redirect the user to another fake page, confirming the settings update host in the Microsoft Azures hosting domain, windows.net. This malicious page eventually redirects the user to the site associated with their email address domain. In this case, the final destination will be Axxrma.com.
Phishing emails are becoming more and more common, targeting both email users and companies, and could have very negative consequences (eg theft). data, ransomware attacks). Phishing campaigns that abuse legitimate cloud infrastructure are on the rise as they add credibility to phishing attacks and provide free SSL certificates. The growing complexity of these attacks allows attackers to bypass spam filters and security products, increasing the need for advanced security systems in companies.