Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonates various services appearing to be legitimately created on the “azurefd.net” domain – This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online-service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.
The threat actors are leveraging compromised business and personal e-mail accounts to deliver spam containing phishing links to fake WEB-resources hosted on Azure Front Door, as such domains are typically whitelisted or treated as legitimate by the end user. One of the typical phishing page scenarios observed in a recent campaign – a fake billing notification sent on behalf of SendGrid, a Colorado-based customer communication platform for transactional and marketing email.
The original phishing e-mails have been retained and observed by Security Affairs. Based on the analyzed templates, the attackers are likely using an automated way to generate their phishing letters, by doing so they’re able to scale their campaigns to ultimately target a broader number of customers globally, which has previously been observed in spam strains delivered with Emotet and Oakbot.
It’s worth noting, the observed de-obfuscated source codes of the phishing scenarios contained the signatures “STRAT Check” and references to WHOIS-protected domains registered in “.click” and “.xyz” domain zones to collect compromised credentials.
Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June - some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, what only adds more complexity for defenders:
Based on the analysis performed on services such as URLSCAN, some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources.
The scenarios acting as C2 scripts for intercepted credentials collection were also hosted on various hacked WEB-resources, leveraging domains having similar spelling to names of existing corporations. Such domains were used to impersonate several large enterprises in the Middle East and other countries what may confirm the campaign could have been targeted and had certain motives besides financial.
In one of the phishing episodes, the threat actors impersonated the large business conglomerate Al-Futtaim Group from UAE which was founded in 1930 with over 44,000 employees. The host was created in March 2022 and was used to collect intercepted credentials leveraging spelling with just 1 letter different from the legitimate and official name of Al-Futtaim Group domain name (“alfuttairn[.]com” VS “alfuttaim[.]com”).
The identified malicious domain names and additional intelligence have been reported by Resecurity to Microsoft Security Response Center (MSRC) to minimize possible risk and damages from this activity.
Similar campaigns have been identified by the MalwareHunterTeam (MHT) in November 2021, when Azure Front Door Service (AFD) was used to host phishing content targeting academia and the UK Government employees.
According to experts such tactics could be leveraged by both sophisticated threat actors and APT groups, as well as cybercriminals to avoid being detected conducting phishing, business e-mail compromise (BEC), and Email Account Compromise (EAC) campaigns.
In 2021, the FBI's Internet Crime Complaint Center (IC3) received reports of BEC scams in all 50 states and 177 countries. In a March 2022 report, the IC3 said it received close to 20,000 BEC complaints last year, with an estimated adjusted losses of roughly $2.4 billion.
The total BEC/EAC statistics reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021 exceeds 43$ billion.