Phishing attacks that host their landing pages on Microsoft's Azure Blob Storage, taking advantage of the valid Microsoft SSL certificates issued to windows.net subdomains, can easily be blocked using custom Office 365 rules.
As BleepingComputer previously reported in February, there have been a number of ongoing phishing campaigns which abuse Microsoft's Azure Blob Storage to target Office 365 users, at times using landing pages and login forms that look almost exactly like official Microsoft pages.
The fact that these campaigns host their credential-phishing landing pages (targeting Outlook and Microsoft accounts) on Azure Blob Storage makes them considerably more dangerous.
This happens because the URL shown in the address bar would look very similar to https://1drive6e1lj8tcmteh5m.z6.web.core.windows[.]net, with the web.core.windows.net part always being present, making the attack look legitimate in the eyes of most potential victims.
Using Microsoft's Azure Blob Storage platform to target Microsoft and Outlook users is the perfect ruse, given that each landing page employed in the campaign automatically gets its own secure-page padlock in the address bar because of the *.blob.core.windows.net wildcard SSL certificate.
This way even suspicious targets might get tricked in the end after clicking on the certificate and seeing that it is indeed issued by Microsoft IT TLS CA 5 to *.blob.core.windows.net, validating the phishing landing page as an official Microsoft login form in the eyes of many potential victims.
Creating custom Office 365 block rules
Although this issue has been reported to Microsoft before, MinervaLabs malware researcher Omri Segev Moyal says these phishing messages will be blocked by Microsoft's premium Office 365 security service 'Office 365 ATP Safe Links', but that this will "not do anything to take them down."
However, the researcher says that Office 365 users who want this type of phishing attack blocked automatically can create their own custom rules.
Moyal provides a detailed procedure for creating Office 365 rules designed to block phishing attacks whose convincing landing pages make use of Azure Blob Storage to appear legitimate:
- Browse to Office365 Exchange Admin Center.
- Go to Mail Flow > Rules, then click the '+' sign and create a new rule.
- At the New Rule section do as described in the image below.
You can also add rules designed to alert Office 365 users that the e-mails they receive contain links to windows.net domains which might be a sign of a potential phishing e-mail.
To do that, repeat the steps described above for creating a new Office 365 rule and, at the last step, customize the rule as shown in the screenshot below:
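The two rules the procedure above builds in the Exchange Admin Center (a block rule and an alert rule) can also be created from Exchange Online PowerShell, which makes them easy to review, version and re-apply. The script below is an added example and is not from the article or from MinervaLabs; it assumes the ExchangeOnlineManagement module, an account holding the Transport Rules role, and the rule names, regex patterns and sender-domain exception list shown, which are illustrative choices rather than anything the article specifies.

```powershell
# Added example (not the article's or MinervaLabs' own rules): Exchange Online PowerShell
# equivalent of the two mail flow rules described in the text. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account can manage
# transport rules. Rule names, patterns and the exception list are assumptions.

# Connect-ExchangeOnline   # interactive admin sign-in; left commented so the script can be reviewed offline

# Hostname suffixes used by the phishing landing pages: blob endpoints and static-website
# endpoints. The pattern is anchored on the full "core.windows.net" suffix so that a
# lookalike such as "corewindows.net.example" does not match.
$AzureStoragePattern = '[a-z0-9-]+\.(blob|z[0-9]+\.web)\.core\.windows\.net'

# Broader pattern for the alert rule: any link to a windows.net host.
$WindowsNetLinkPattern = 'https?://[^\s"<>]+\.windows\.net'

# Partners known to legitimately send mail that embeds images hosted on Azure Blob Storage
# (assumed placeholder values; populate from your own message trace before enforcing).
$TrustedSenderDomains = @('partner.example', 'vendor.example')

# Rule 1: reject external mail whose subject or body links to Azure Blob Storage.
# Created in Audit mode first so hits show up in message trace without blocking anything.
New-TransportRule -Name 'Block external links to Azure Blob Storage' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $AzureStoragePattern `
    -ExceptIfSenderDomainIs $TrustedSenderDomains `
    -RejectMessageReasonText 'Blocked: links to Azure Blob Storage are not accepted from external senders.' `
    -Mode Audit `
    -Priority 0

# Rule 2: tag, rather than block, external mail linking to any windows.net domain,
# so users get a visible warning that the link may be a phishing landing page.
New-TransportRule -Name 'Warn on external links to windows.net' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $WindowsNetLinkPattern `
    -ExceptIfSenderDomainIs $TrustedSenderDomains `
    -PrependSubject '[CAUTION: windows.net link] ' `
    -ApplyHtmlDisclaimerText '<p style="color:#b00">This external message links to a windows.net address. Microsoft login pages are hosted on microsoft.com, live.com or outlook.com; do not enter credentials on this link.</p>' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Priority 1

# Review what was created and confirm priority, mode and state.
Get-TransportRule | Format-Table Name, Priority, Mode, State -AutoSize

# After a few days of clean audit results, switch the block rule to enforcement:
# Set-TransportRule -Identity 'Block external links to Azure Blob Storage' -Mode Enforce
```

Starting the block rule in Audit mode matters because legitimate senders do embed logos and images served from Azure Blob Storage; the audit hits in message trace show which sender domains need to go into the exception list before the rule is switched to Enforce, and the alert rule keeps a visible warning on anything that passes.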
While the standard advice for users who want to detect when they're the target of a phishing attack is to look closely at the URL of any login form they are asked to fill in, the phishing campaigns that employ Azure Blob Storage make this piece of advice almost worthless.
The only way to be sure that attackers aren't trying to collect your Microsoft or Outlook.com credentials is to remember that the official login forms will be hosted by Microsoft using microsoft.com, live.com, or outlook.com domains.
Comments
redalertfiend - 4 years ago
Good article. Thanks for the info
InfoSecRS - 4 years ago
I played around with setting up a rule to identify any links to .blob.core.windows.net and onedrive.live.com/survey and forms.office.com that originated outside our organization. All of this seems like a great idea and I have used the Transport Rule methodology for catching many phishing emails in the past but... within a few minutes I found that there were several companies that were emailing us that had their logos stored in an Azure Blob and that, unfortunately, the use of a rule like this would be very very noisy with lots of false positives.