Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

Threat actors used DRACOON.team to host a PDF that contained a secondary link to an attacker-controlled reverse proxy impersonating the Microsoft 365 login page, capturing credentials and session cookies. Stolen credentials and cookies were used to access Microsoft 365 accounts, bypass MFA, and propagate further phishing emails. #DRACOON #EvilProxy

Keypoints

  • Phishing emails contained links to a DRACOON.team shared PDF that embedded a second link to an attacker-controlled server.
  • The attacker server hosted a fake Microsoft 365 login page that functioned as a reverse proxy to capture credentials and session cookies.
  • Captured credentials were observed being used to log into Microsoft 365, access mailboxes, and send additional phishing emails from compromised accounts.
  • The malicious login page referenced an obfuscated JavaScript file (myscr759609.js) which, when deobfuscated, revealed credential-harvesting and POST exfiltration routines.
  • Use of a legitimate file-sharing service allowed the attack to bypass some email/security filters and avoid writing artifacts to disk by using the in-browser PDF viewer.
  • Investigation correlated Microsoft 365 sign-in and MFA logs with Vision One telemetry to identify affected accounts and a reverse proxy IP (212.83.170.137).

MITRE Techniques

  • [T1566.001] Spearphishing Link – The campaign used links to a DRACOON-hosted PDF that led victims to an attacker-controlled login page (‘…link to DRACOON.team… presented with a PDF document hosted on DRACOON… contains a secondary link that directs the victim to an attacker-controlled server…’).
  • [T1557] Adversary-in-the-Middle – The attacker-operated reverse proxy relayed genuine Microsoft 365 requests while capturing credentials and session cookies (‘…acts as a reverse proxy to steal victims’ login information and session cookies.’). The cookie theft that lets the actor replay an MFA-satisfied session is also covered by T1539 Steal Web Session Cookie.
  • [T1027] Obfuscated Files or Information – The malicious JavaScript (myscr759609.js) was obfuscated and required deobfuscation to reveal credential-harvesting logic (‘myscr759609.js … deobfuscated, revealing the HTML code… responsible for credential harvesting…’).
  • [T1041] Exfiltration Over Command and Control Channel – Harvested credentials and session data were logged and uploaded via HTTP POST to an undisclosed endpoint (‘…logging these credentials, and subsequently uploading the gathered information to an undisclosed webpage via a POST request.’).
  • [T1078] Valid Accounts – Stolen credentials were reused to authenticate to Microsoft 365, access mailboxes, and send further phishing messages (‘We immediately observed logon activity using victim credentials via Microsoft 365… automated access to the victim’s mailbox and further distribution of initial phishing emails.’).
  • [T1189] Drive-by Compromise – Serving the lure through the file-sharing service’s in-browser PDF viewer let the victim follow the embedded link without downloading a file, reducing on-disk artifacts and evading some security controls (‘The user can interact directly with the PDF file without the need to download it, reducing the traceable evidence stored on the disk.’). Note that this mapping is loose: no browser exploit is involved, so the behaviour is better described as staging the lure on a legitimate web service.

Indicators of Compromise

  • [Domain/URL] DRACOON hosted PDF – dracoon[.]team/public/download-shares/RjqetKkzebun7rB6OWWI3kPcpZ3RruPA (malicious PDF linking to attacker infrastructure)
  • [IP Address] Attacker reverse proxy – 212.83.170.137 (observed in Microsoft 365 sign-in events as the proxy location)
  • [Filename/Script] Malicious JS and detection – myscr759609.js (deobfuscated to reveal credential-harvesting logic; detected as Trojan.HTML.PHISH.QURAAOOITB)
  • [URLs] Additional DRACOON links – multiple publicly shared Dracoon URLs impersonating Microsoft 365 (several other links observed in campaign)

Threat actors initiated the attack by sending a phishing email that linked to a publicly shared PDF on DRACOON.team. The PDF contained a secondary link pointing to an attacker-controlled server which presented a genuine-looking Microsoft 365 login page. This server functioned as a reverse proxy (EvilProxy-style), relaying real Microsoft authentication flows while intercepting entered credentials and session cookies.

Analysis of the fake login page revealed a heavily obfuscated JavaScript file named myscr759609.js. Executing it in a controlled Node.js environment so that it emitted its own runtime-built HTML (the deobfuscation approach described in the source) exposed explicit credential harvesting, local logging, and exfiltration via HTTP POST to an undisclosed endpoint. Post-compromise activity included immediate use of stolen credentials to authenticate to Microsoft 365, access victim mailboxes, and send further phishing messages to the victim’s contacts, so each compromised account seeded the next wave of the campaign.

Detection and response relied on correlating Microsoft 365 sign-in and MFA logs with Vision One telemetry: sign-in events originating from the reverse proxy IP (212.83.170.137), timestamps that lined up with each user’s interaction with the PDF and login page, and the presence of the myscr759609.js script on the attacker page. Remediation focused on disabling compromised accounts, forcing password resets, and monitoring for further sign-ins from the identified proxy IP and for additional DRACOON-hosted links. Because the proxy also captured session cookies, a password reset alone does not end attacker access; active sessions and refresh tokens for the affected accounts should be revoked as well.

Read more: https://www.trendmicro.com/en_us/research/23/k/threat-actors-leverage-file-sharing-service-and-reverse-proxies.html