Phishing.web.core.windows.net

EvilGinx is a prime example of the amazing tools out there that can be used for phishing. If you haven’t heard of it, EvilGinx was released a few years back and showed us a weak point in 2FA. For most people back then, MFA was a sure way to thwart the bad guys, and it made the system or user account “impenetrable”.

Below is an example of a lure site I set up and the theft of my 2FA cookie:

Although amazing, EvilGinx has the same flaw every other phishing attack has: the domain used.
Just like with every phishing attack, attackers can’t simply use the domain outlook.live.com, because they don’t own it. Microsoft does.

This drives them to buy near or similar domains in order to trick their victims. Here is a domain that came to mind and, as you can see, it’s pretty cheap. It may not trick everyone, but having Windowslogin in the domain goes a long way.

Most security controls spot these nowadays, however, so fewer succeed against enterprises that have the necessary security controls. It’s mainly people using their personal laptops who may not be aware of the signs of phishing. Nonetheless, having these controls block their domain can cause attackers headaches.

This may be why a large number of Phishers are using an official Windows domain. .web.core.windows.net is a domain used in Azure and can be applied to personal storage accounts.

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website

Phishers are setting up these static sites, using the official Windows domain and bypassing security controls. The reason is that these security controls have to be careful when considering blocking a windows.net domain, as it’s owned by Microsoft. Instead, they most likely rely on reputation and on users reporting the site as malicious. The problem is that by the time it’s blocked or taken down, you could already have fallen victim.

https://www.zscaler.com/blogs/research/abusing-microsofts-azure-domains-host-phishing-attacks

Just to make life harder for us, these sites also have a Microsoft issued certificate and IP addresses.

Having these factors really does increase the chance of their attacks bypassing email security controls.
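Since reputation-based blocking can’t simply deny the whole windows.net domain, one defensive option is to flag the static-website hostname pattern itself and treat any storage account the organisation doesn’t own as worth a look. The script below is an added example written for this article, not a tool from the original post: it scans constructed proxy/email-gateway log lines, extracts the hostname from each URL, and reports (a) Azure static-website hosts (`<account>.z<N>.web.core.windows.net`, with the zone label treated as optional as an assumption) whose account is not on a hypothetical allowlist, and (b) look-alike domains containing brand keywords such as “windowslogin”. The log format, the allowlist and the keyword list are all assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
2023-05-01T09:12:01Z user=alice url=https://outlook.live.com/mail/inbox action=allow
2023-05-01T09:14:22Z user=bob url=https://mycorpfiles.z13.web.core.windows.net/index.html action=allow
2023-05-01T09:15:09Z user=carol url=https://loginrefresh.z6.web.core.windows.net/sso/ action=allow
2023-05-01T09:18:45Z user=dave url=http://windowslogin-secure.example/verify action=allow
2023-05-01T09:20:00Z user=erin url=https://docs.microsoft.com/en-us/azure/ action=allow
"""

# Azure static-website endpoints look like <account>.z<N>.web.core.windows.net.
# Storage account names are 3-24 lowercase letters and digits; the zone label
# is treated as optional here (assumption) so older or unusual forms still match.
AZURE_STATIC_SITE = re.compile(
    r"^(?P<account>[a-z0-9]{3,24})(?:\.z\d+)?\.web\.core\.windows\.net$"
)

# Brand keywords that often show up in look-alike domains (hypothetical list).
LOOKALIKE_KEYWORDS = ("windowslogin", "outlook", "office365", "microsoft")

# Storage accounts the organisation itself owns (hypothetical allowlist).
KNOWN_GOOD_ACCOUNTS = {"mycorpfiles"}

# Genuine Microsoft-owned suffixes that must not trigger the keyword check.
MICROSOFT_SUFFIXES = (".microsoft.com", ".live.com", ".microsoftonline.com", ".windows.net")

URL_RE = re.compile(r"url=(\S+)")


def classify_host(host):
    """Return a finding label for a hostname, or None if nothing looks suspicious."""
    host = host.lower()
    m = AZURE_STATIC_SITE.match(host)
    if m:
        # Static sites on accounts we own are expected traffic.
        if m.group("account") in KNOWN_GOOD_ACCOUNTS:
            return None
        return "azure-static-site:unknown-account"
    # Real Microsoft domains are excluded before the brand-keyword check.
    if host.endswith(MICROSOFT_SUFFIXES):
        return None
    if any(keyword in host for keyword in LOOKALIKE_KEYWORDS):
        return "lookalike-domain"
    return None


def scan_log(text):
    """Scan log text line by line and return (hostname, label) findings."""
    findings = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(1)).hostname or ""
        label = classify_host(host)
        if label:
            findings.append((host, label))
    return findings


if __name__ == "__main__":
    for host, label in scan_log(SAMPLE_LOG):
        print(f"{label}: {host}")
```

The allowlist is what makes this usable in practice: the organisation’s own static sites keep working, while a storage account nobody recognises is surfaced for review rather than silently trusted because it sits under windows.net.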

Although most will be taken down swiftly once reported, another one will surely be spun up in its place. The only true prevention is to be aware of them and to pass on the knowledge (hence this article).
