New Phishing Campaign Targeting Enterprise Cloud Services

A new phishing campaign masquerading as helpdesk software has been spotted trying to steal login credentials for enterprise cloud services, including Microsoft Azure, Microsoft Dynamics, and IBM Cloud. As reported by BleepingComputer, the campaign's messages were recently analyzed and found to use terminology similar to that of real IT help desks while claiming to come from a site called "servicedesk.com". The emails mimic a "mail quarantine" notification of the kind sent by security products and spam filters, asking the recipient to "release" messages that are being held in the queue. Although the From address makes it look like the message is coming from "[email protected]", the attackers actually sent their phishing messages through "cn.trackhawk.pro", which served as the intermediate domain. To more easily bypass email filters, the servicedesk.com domain is used both in the From header and in the Received headers of the phishing emails. This means the attackers have either compromised servicedesk.com's mail servers or injected a "Received: from servicedesk.com" line into the headers to appear more believable.
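One defensive check that the Received-header trick above invites, as an added Python example that is not part of the article or the BleepingComputer report: parse the Received chain of a constructed message modelled on the campaign and trust only the hop stamped by your own MX (mx.example.com, the helpdesk address and the IPs are assumed values), flagging a From domain that the real delivering host does not belong to, any sender-supplied Received line that claims that domain, and the quarantine-release lure wording.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the campaign: hosts, IPs and addresses are illustrative.
SAMPLE = """\
Received: from cn.trackhawk.pro (cn.trackhawk.pro [203.0.113.10])
 by mx.example.com with ESMTP; Thu, 12 Nov 2020 10:00:00 +0000
Received: from servicedesk.com (servicedesk.com [198.51.100.5])
 by cn.trackhawk.pro with ESMTP; Thu, 12 Nov 2020 09:59:00 +0000
From: IT Helpdesk <helpdesk@servicedesk.com>
Subject: Mail quarantine: 3 messages held

Click RELEASE MESSAGES to release the blocked messages.
"""

HOP = re.compile(r"from\s+(?P<frm>[\w.-]+).*?\bby\s+(?P<by>[\w.-]+)", re.I | re.S)
LURE_PHRASES = ("quarantine", "release messages", "clean cloud")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def parse_hops(msg):
    """Return (sending_host, receiving_host) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        hops.append((m["frm"].lower(), m["by"].lower()) if m else (None, None))
    return hops

def analyse(raw, our_mx):
    msg = message_from_string(raw, policy=default)
    hops = parse_hops(msg)
    from_domain = msg["From"].addresses[0].domain.lower()
    findings = []
    # Only the Received line stamped by our own MX (our_mx) is trustworthy; every
    # line beneath it arrived inside the message and can be forged by the sender.
    if hops and hops[0][1] == our_mx and not in_domain(hops[0][0], from_domain):
        findings.append(f"delivered by {hops[0][0]}, not by From domain {from_domain}")
    for sender, _ in hops[1:]:
        if sender and in_domain(sender, from_domain):
            findings.append(f"untrusted Received line claims {sender}: possible injected hop")
    text = (str(msg["Subject"]) + " " + msg.get_body(("plain",)).get_content()).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("quarantine-release lure wording: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    print(*analyse(SAMPLE, "mx.example.com"), sep="\n")
```

Run it against the sample and all three signals are reported; on a message whose outermost hop really belongs to the From domain and whose text carries no lure wording, the list comes back empty.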

Business cloud services

The cybercriminals behind this new phishing campaign used IBM Cloud Hosting, Microsoft Azure, and Microsoft Dynamics to host their landing pages and make them look more legitimate. In addition, domains hosted in the Azure or IBM cloud also get free SSL certificates containing the names of these companies, which further improves the campaign's apparent legitimacy. After opening one of these phishing emails, a user sees two buttons labeled "RELEASE MESSAGES" and "CLEAN CLOUD." Clicking either button takes them to a legitimate Microsoft Dynamics 365 URL. This URL then redirects them to an IBM Cloud domain that hosts the phishing landing page. If a user enters a weak password, the landing page responds with a "bad password" error. Entering a long and complex password, however, redirects the user to another fake page confirming a configuration update, hosted on the Azure hosting domain windows.net. This malicious page then redirects the user to a website called "axsharma.com". This new phishing campaign is particularly dangerous because once a user gives up their corporate cloud credentials, an attacker can gain access to their organization's corporate network. Via BleepingComputer