An evolving credential phishing campaign targets Microsoft Office 365 credentials, leveraging thousands of URLs hosted on domains registered via a “bulletproof” registrar and protected by Cloudflare services. The activity is linked to the defunct Phishing-as-a-Service operation “Caffeine” and threat actor MRxC0DER, with shifting patterns that complicate tracking. #Caffeine #MRxC0DER
Keypoints
- Over 120 unique phishing domains created using the “bulletproof” registrar R01-RU, hosting thousands of phishing URLs.
- Abuse of Cloudflare CAPTCHA and IP proxying services to increase effectiveness and hinder analysis and takedown.
- Phishing services attributed to the defunct Phishing-as-a-Service operation “Caffeine,” associated with the threat actor MRxC0DER and with an API for email validation.
- Emails use embedded links (often open redirects) to redirect targets to credential harvesting pages.
- Credential harvesting pages prompt for email, then password, following observable URL patterns.
- Patterns in domain and URL usage have evolved, with a notable change around April 2023 and varying activity levels through 2023.
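The two keypoints above that describe the lure (an embedded open-redirect link whose real target is the harvesting page) and the harvesting page itself suggest a simple triage check: unwrap the redirect chain carried in URL parameters and compare the final landing host against the named phishing domains. The script below is an added example written for this page, not tooling from the original report or from any vendor. The IoC list is limited to the two domains this page names; the sample URLs, hostnames such as `trusted.example`, and the redirect parameter names (`url`, `u`, `next`, `to`, `target`) are constructed for illustration and are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Credential phishing domains named on this page (the other two are not listed there).
IOC_DOMAINS = {"netsn.ru", "caffeines.store"}

# A nested target may be absolute ("https://...") or scheme-relative ("//host/...").
_URL_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)

# Constructed sample of links as they might be extracted from email bodies.
# Hostnames, paths and parameter names are hypothetical.
SAMPLE_URLS = [
    "https://trusted.example/redirect?url=https%3A%2F%2Fnetsn.ru%2Fverify%2Fabc",        # single-encoded
    "https://partner.example/out?u=https%253A%252F%252Flogin.caffeines.store%252Fo365",  # double-encoded
    "https://trusted.example/go?next=//netsn.ru/auth",                                  # scheme-relative
    "https://cdn.example/view#//caffeines.store/login",                                 # target in fragment
    "https://a.example/r?to=https%3A%2F%2Fb.example%2Fr%3Fto%3Dhttps%253A%252F%252Fnetsn.ru%252Fx",  # two hops
    "https://trusted.example/r?target=https://unrelated.example/page",                  # redirect, not an IoC
    "https://news.example/article?id=42",                                               # no redirect at all
]


def _decode_fully(value, limit=3):
    """Undo repeated percent-encoding; double-encoding is a common way to slip past naive filters."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_urls(url):
    """Return any URLs carried in the query string or fragment of `url` (the open-redirect pattern)."""
    parsed = urlparse(url)
    candidates = [value for _, value in parse_qsl(parsed.query, keep_blank_values=True)]
    if parsed.fragment:
        candidates.append(parsed.fragment)
    found = []
    for raw in candidates:
        value = _decode_fully(raw).strip()
        if _URL_RE.match(value):
            # Normalise scheme-relative targets so urlparse() sees a hostname.
            found.append(value if value.lower().startswith("http") else "https:" + value)
    return found


def landing_host(url, max_hops=5):
    """Follow nested redirect targets offline and return the hostname the victim would land on.

    Simplification: when a redirector carries several URL-shaped parameters, the first one is followed.
    """
    current = url
    for _ in range(max_hops):
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0]
    return (urlparse(current).hostname or "").lower().rstrip(".")


def is_ioc_host(host):
    """Exact or subdomain match against the IoC list (login.caffeines.store matches caffeines.store)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(urls):
    """Classify each URL as 'ioc', 'redirect' (bounces to an unlisted host) or 'benign'."""
    results = []
    for url in urls:
        host = landing_host(url)
        if is_ioc_host(host):
            verdict = "ioc"
        elif embedded_urls(url):
            verdict = "redirect"
        else:
            verdict = "benign"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for url, host, verdict in triage(SAMPLE_URLS):
        print(f"{verdict:8} {host:28} {url}")
```

The 'redirect' verdict is worth surfacing on its own: the page notes that the domain set and URL patterns shifted over time, so a link that bounces through an open redirect to a host not yet on the IoC list is still a candidate for manual review rather than something to discard.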
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – An embedded link (usually an open redirect) redirects the user to the credential harvesting page. Quote: ‘The emails within this activity set are designed simply, using an embedded link (usually an open redirect) to redirect the user to the credential harvesting page.’
- [T1583.001] Acquire Infrastructure: Domains – ‘Over 120 unique phishing domains created using the “bulletproof” registrar R01-RU, hosting thousands of phishing URLs.’
- [T1090] Proxy – ‘IP proxying services allow the threat actor to hide the domain’s original hosting provider to slow down the takedown process.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – ‘CAPTCHA services ensure that phishing content cannot be investigated by automated security services.’
Indicators of Compromise
- [Domain] Credential phishing domains – netsn.ru, caffeines.store, and 2 more domains