AhnLab ASEC researchers analyzed a sophisticated fake Microsoft account login page used to harvest credentials. The page mirrors Microsoft's login flow and combines AES-encrypted page content that is decrypted in the browser with CryptoJS, event handlers that block right-click and view-source shortcuts, and script obfuscation, so that neither a casual user nor a static scanner sees the real markup. #MicrosoftAccount #FakeMS #CryptoJS #AES #Office365 #AhnLab
Keypoints
- Phishing pages impersonating Microsoft accounts are distributed via attachments in emails or embedded as links, aiming to steal login credentials.
- The fake login pages mimic the real Microsoft interface so closely that users may struggle to distinguish them from legitimate pages.
- Some phishing pages include a reCAPTCHA verification step to increase user trust and reduce suspicion.
- The phishing scripts load CryptoJS from a public CDN (cdnjs) and use it to AES-decrypt embedded strings at load time, then write the result into the document with document.write(); because the real page markup exists only after decryption, static scanners see ciphertext rather than a login form.
- The scripts intercept browser events to disable the right-click context menu and keyboard shortcuts such as Ctrl+S, hindering casual inspection or saving of the page source.
- After a password is entered, the credentials are posted to the attacker's server and the victim is redirected to the legitimate Office 365 page, so the failed "login" looks like an ordinary retry.
- AhnLab detected and catalogued several phishing HTML files and provided IOCs to help block these attacks; the phishing emails were distributed globally.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “Fake Microsoft login pages like the one above were distributed via attachments in emails.”
- [T1566.002] Phishing: Spearphishing Link – “phishing pages to lead users to log in to their Microsoft account, and these pages are made into HTML or HTM script files which are then attached to emails or embedded as a link in the body of the email.”
- [T1027] Obfuscated Files and Information – “CryptoJS was used to decrypt the AES-encoded strings, and at the document.write(decrypted.toString(CryptoJS.enc.Utf8)); stage, the phishing page script code was loaded.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – “There is a code that deactivates all events such as the right-click event and the keyboard Ctrl+S input event.”
- [T1041] Exfiltration Over C2 Channel – “After the password is entered and sent to the threat actor’s server, the page is redirected to the real Microsoft Office365 page.”
Indicators of Compromise
- [File Hash (MD5)] Phishing HTML file detections – 4ba7fe8ad00623bf28b943272aa07de9
- [File Hash (MD5)] Phishing HTML file detections – fbe4c854b285693895d30afa72a9c004
- [URL] Phishing infrastructure – https://toolzcontructed.com/o3651.php
- [URL] External script hosting (legitimate CDN referenced by the page; context only, do not block) – https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
- [URL] Phishing page assets (legitimate Microsoft asset reused to mimic the real login page; context only, do not block) – https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg
Read more: https://asec.ahnlab.com/en/43821/