Cybercriminals Use Azure Front Door in Phishing Attacks

Phishing content is increasingly delivered via Azure Front Door, with attackers using lookalike domains to harvest credentials from multiple major services. They rely on compromised email accounts to spread targeted phishing, impersonating brands like SendGrid, Docusign, Amazon, and even Al-Futtaim Group. #AzureFrontDoor #SendGrid #Docusign #AlFuttaimGroup #Emotet

Keypoints

  • Phishing campaigns are delivered through Azure Front Door by using domains that resemble legitimate services and brands.
  • Attackers leverage compromised business and personal email accounts to distribute phishing emails with links to fake resources.
  • Phishing pages impersonate services such as SendGrid, Docusign, and Amazon, including fake billing notifications.
  • Phishing infrastructure includes lookalike domains and WHOIS-protected domains in .click and .xyz zones to collect credentials.
  • The campaigns appear scalable and automated, enabling broader global targeting similar to past Emotet/Qakbot spam waves.
  • Notable impersonations included the Al-Futtaim Group (UAE), using near-misspellings such as alfuttairn.com in place of alfuttaim.com to harvest credentials.
  • Observed statistics and past reports underscore the financial and organizational risk of BEC/EAC campaigns tied to phishing using cloud services.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Link – ‘phishing links to fake WEB-resources hosted on Azure Front Door’
  • [T1078] Valid Accounts – ‘leveraging compromised business and personal e-mail accounts to deliver spam containing phishing links’
  • [T1583.001] Acquire Infrastructure – Domains – ‘domains having similar spelling to names of existing corporations’
  • [T1071.001] Web Protocols – ‘scenarios acting as C2 scripts for intercepted credentials collection … hosted on various hacked WEB-resources’
  • [T1041] Exfiltration Over C2 Channel – ‘HTTP Post Request to Transmit Compromised Credentials’

Indicators of Compromise

  • [Domain] gridapisignout.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] amazon-uk.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] webmailsign.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] onlinesigninlogin.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] owasapisloh.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] docuslgn-micros0ft983-0873878383.azurefd.net – phishing-hosting domain used in Azure Front Door campaign
  • [Domain] alfuttairn.com – mis-spelled impersonation domain used to spoof Al-Futtaim Group
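The lookalike pattern in these indicators (rn for m, 0 for o, l for i, brand names or sign-in words under a shared azurefd.net edge) can be checked mechanically. The following is an added detection example, not code from the report or from Resecurity; the brand watchlist, the legitimate domains assigned to each brand and the two benign hosts are assumptions, and the "registrable domain" is a naive last-two-labels split rather than a public-suffix lookup.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist: the brands the report says were impersonated and their
# legitimate registrable domains (assumed here; not taken from the report).
LEGIT = {"sendgrid": "sendgrid.com", "docusign": "docusign.com",
         "microsoft": "microsoft.com", "amazon": "amazon.com",
         "alfuttaim": "alfuttaim.com"}
# Hostname words that signal a credential-harvesting page.
CRED_WORDS = {"signin", "login", "signout", "webmail", "owa"}
# Visually confusable substitutions seen in the indicators (rn->m, 0->o, l->i).
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "i"), ("l", "i"), ("vv", "w")]


def fold(label: str) -> str:
    """Collapse confusable characters so look-alike labels compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def brand_hits(host: str) -> list[str]:
    """Brands a hostname resembles, matched per label on confusable-folded text."""
    hits = set()
    for token in re.split(r"[.\-]", host.lower()):
        folded = fold(token)
        for brand in LEGIT:
            fb = fold(brand)
            # exact (folded) substring, or a near miss such as a dropped letter
            if fb in folded or (len(token) >= 6 and
                                SequenceMatcher(None, fb, folded).ratio() >= 0.85):
                hits.add(brand)
    return sorted(hits)


def assess(host: str) -> dict:
    """Flag a host that carries a brand outside that brand's real domain, or that
    pairs credential keywords with the shared Azure Front Door edge domain."""
    host = host.lower().rstrip(".")
    registrable = ".".join(host.split(".")[-2:])  # naive: no public-suffix list
    brands = brand_hits(host)
    cred = sorted(w for w in CRED_WORDS if w in host)
    lookalike = [b for b in brands if LEGIT[b] != registrable]
    on_shared_edge = host.endswith(".azurefd.net")
    return {"host": host, "brands": brands, "cred_words": cred,
            "suspicious": bool(lookalike or (cred and on_shared_edge))}


if __name__ == "__main__":
    # Sample input: indicators from the report plus two constructed benign hosts.
    for h in ["alfuttairn.com", "alfuttaim.com", "amazon-uk.azurefd.net",
              "docuslgn-micros0ft983-0873878383.azurefd.net",
              "gridapisignout.azurefd.net", "login.microsoft.com"]:
        print(assess(h))
```

The brand allowlist keeps the genuine alfuttaim.com and login.microsoft.com out of the alert set while every azurefd.net indicator above is flagged.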

Read more: https://resecurity.com/blog/article/cybercriminals-use-azure-front-door-in-phishing-attacks