Office 365 Custom Rules to Block Azure Blob Storage Phishing Attacks

Phishing campaigns that host their landing pages on Microsoft's Azure Blob Storage, so that the pages are served from windows.net subdomains under a valid Microsoft-issued TLS certificate, can be blocked with custom Office 365 mail flow rules.

As BleepingComputer previously reported in February, there have been a number of ongoing phishing campaigns which abuse Microsoft's Azure Blob Storage to target Office 365 users, at times using landing pages and login forms that look almost exactly like official Microsoft pages.

Hosting the credential-phishing landing pages (which target Outlook and Microsoft accounts) on Azure Blob Storage makes these campaigns considerably more dangerous.

The reason is that the URL shown in the address bar looks like https://1drive6e1lj8tcmteh5m.z6.web.core.windows[.]net: the attacker only chooses the leading label (the storage account name), while the web.core.windows.net suffix is Microsoft's and is always present, which is enough to make the page look legitimate to most potential victims.

Microsoft account phishing landing page

Using Microsoft's Azure Blob Storage platform to target Microsoft and Outlook users is the perfect ruse, given that every landing page used in the campaign automatically gets the secure-page padlock in the address bar thanks to the *.blob.core.windows.net wildcard SSL certificate.

This way even suspicious targets may be tricked in the end: clicking on the certificate shows that it was indeed issued by Microsoft IT TLS CA 5 to *.blob.core.windows.net, which many potential victims will read as validation that the phishing page is an official Microsoft login form. The certificate, however, only proves that Microsoft operates the storage platform; it says nothing about who uploaded the content served from a given storage account.

Creating custom Office 365 block rules

While this issue has been reported to Microsoft before, MinervaLabs' malware researcher Omri Segev Moyal said that these phishing messages will be blocked by Microsoft's premium Office 365 security service 'Office 365 ATP Safe Links' but that Microsoft will "not do anything to take them down."

However, the researcher says that Office 365 administrators who want this type of phishing attack blocked automatically can create their own custom mail flow rules.

Moyal provides a detailed procedure for creating Office 365 rules designed to block phishing attacks whose convincing landing pages make use of Azure Blob Storage to appear legitimate:

  • Browse to the Office 365 Exchange Admin Center.
  • Go to Mail Flow —> Rules, click the ‘+’ sign and create a new rule.
  • In the New Rule section, configure the rule as shown in the image below.

Spoof protection rules

You can also add rules that warn Office 365 users when an e-mail they receive contains links to windows.net domains, which may be a sign of a phishing attempt.

To do that, repeat the steps above for creating a new Office 365 rule and, at the last step, customize the rule as shown in the screenshot below:

windows.net alert
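As an added example (not code from the article or from MinervaLabs), the following recreates both rules described above, the block rule and the windows.net warning rule, using Exchange Online PowerShell instead of clicking through the Exchange Admin Center. The article's screenshots with the exact rule settings are not reproduced here, so the rule names, regular expressions, actions and exceptions are assumptions of this example, not the researcher's precise configuration.

```powershell
# Added example, not from the article or from MinervaLabs. Recreates the two mail
# flow (transport) rules the article describes with Exchange Online PowerShell.
# Rule names, patterns, actions and exceptions are assumptions; the article's
# screenshots of the real settings are not reproduced on this page.

# Needs the ExchangeOnlineManagement module and an account holding the
# Transport Rules role (Organization Management includes it).
Connect-ExchangeOnline

# Azure Storage endpoints all sit under core.windows.net: the blob endpoint
# (<account>.blob.core.windows.net) and the static-website endpoint used by the
# article's sample URL (<account>.z6.web.core.windows.net). Anchoring on "://"
# avoids matching the bare words "windows.net" in prose, and "\b" ends the match
# at the hostname boundary. Transport rule patterns are .NET regular expressions
# and match case-insensitively.
$storagePattern = 'https?://[\w.-]+\.core\.windows\.net\b'

# Rule 1 (block): quarantine external messages that link to an Azure Storage
# endpoint. -Mode Audit only records hits (visible in message trace and the mail
# flow rule report); change it to Enforce once the audit shows no legitimate
# mail is being caught. -FromScope NotInOrganization keeps internal mail that
# references the organisation's own storage accounts out of the rule.
New-TransportRule -Name 'Quarantine Azure Storage phishing links' `
    -Priority 0 `
    -Mode Audit `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $storagePattern `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -Comments 'Credential phishing hosted on *.core.windows.net (assumed pattern)'

# Rule 2 (alert): warn recipients about any other external link under
# windows.net. The message is still delivered; the subject is tagged and a
# banner is prepended to the body. The banner text is constructed for this
# example. (login.microsoftonline.com is the Office 365 sign-in host.)
$warning = '<p style="color:#8b0000"><b>Warning:</b> this message links to a ' +
           'windows.net address. Microsoft sign-in pages are served from ' +
           'microsoft.com, live.com, outlook.com or login.microsoftonline.com, ' +
           'not from windows.net storage subdomains. Do not enter your ' +
           'password on the linked page.</p>'

New-TransportRule -Name 'Warn on windows.net links' `
    -Priority 1 `
    -Mode Enforce `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns 'https?://[\w.-]+\.windows\.net\b' `
    -PrependSubject '[Caution: windows.net link] ' `
    -ApplyHtmlDisclaimerText $warning `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Confirm both rules exist in the intended order: the block rule must run first,
# and it stops further rule processing so quarantined mail is not also tagged.
Get-TransportRule |
    Where-Object { $_.Name -like '*windows.net*' -or $_.Name -like '*Azure Storage*' } |
    Format-Table Name, Priority, State, Mode
```

Running the block rule in audit mode first matters: a broad pattern such as core.windows.net also matches legitimate links to your own or a partner's storage accounts, so check the rule's hits in the mail flow report before switching it to Enforce, and add explicit exceptions (for example -ExceptIfSenderDomainIs for a partner that sends such links, keeping in mind that a sender domain exception is only as trustworthy as that domain's DMARC enforcement) rather than weakening the pattern.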

The standard advice for users who want to detect that they are being phished is to look closely at the URL of any login form they are asked to fill in, but phishing campaigns that use Azure Blob Storage make this advice almost worthless: the URL is genuinely served from a Microsoft domain.

The most reliable check against attackers trying to collect your Microsoft or Outlook.com credentials is to remember that the official login forms are hosted by Microsoft on microsoft.com, live.com or outlook.com domains (and, for Office 365 accounts, on login.microsoftonline.com), never on a storage subdomain under windows.net.
