Huntress uncovered a mass phishing operation that combines HTML smuggling, injected iframes, and session theft via a transparent proxy to bypass MFA when victims log into a proxied Outlook login portal. This novel tradecraft could enable attackers to steal credentials and impersonate users, with takedown actions underway for identified infrastructure. #HTMLSmuggling #AdversaryInTheMiddle #Outlook #MFABypass #Huntress
Key points
- Discovery of HTML smuggling payloads that render a proxied Outlook login portal via a locally stored HTML file.
- The attack uses an injected iframe that loads a login page from attacker-controlled infrastructure, enabling session theft via a transparent proxy.
- Victims’ MFA could be bypassed if they log into the proxied portal, enabling attacker login as the victim.
- Three suspicious domains (rnsnno.szyby.pro, rnsnno.kycmaxcapital.pro, rnsnno.2398-ns.pro) were linked to the activity and registered through NameCheap.
- An HTML payload hash (SHA-256) and multiple related domains were identified, with additional infrastructure inferred from VirusTotal relations.
- Defensive guidance emphasizes caution with HTML files, URL verification, and reporting sightings to Huntress for coordinated takedowns.
MITRE Techniques
- [T1027] HTML Smuggling – ‘Adversaries are using HTML smuggling to present a proxied login portal to victims.’
- [T1539] Steal Web Session Cookie – ‘Adversaries are injecting iframe rendered login portals that route authentications through transparent proxies to steal sessions.’
- [T1090] Proxy – ‘This iframe is proxying the login traffic through attacker-controlled infrastructure.’
Indicators of Compromise
- [Hash] HTML Smuggling Payload hash – 18470571777CA2628747C4F39C8DA39CA81D1686820B3927160560455A603E49
- [Domain] AitM/Phishing Infrastructure – rnsnno.2398-ns.pro, rnsnno.kycmaxcapital.pro, and rnsnno.szyby.pro
- [Domain] Additional Domains – outlook.office365.com, aadcdn.msftauth.net, aadcdn.msauth.net, aadcdn.msftauthimages.net (legitimate Microsoft authentication domains seen in the payload’s relations, not attacker-controlled infrastructure)
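The following triage script is an added example, not Huntress code and not part of the report above. It shows how a defender can check a suspicious HTML attachment against the indicators listed here: it hashes the file and compares it with the published SHA-256, looks for the three reported domains, flags any iframe whose src host is not a Microsoft login host (the injected-iframe pattern the report describes), and counts common JavaScript calls used to decode an embedded page or file. The sample HTML documents, the Microsoft host allowlist, the marker list, and the function and variable names are all constructed for this example; the reported hash and domains are copied from the IoC list.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators copied from the report above.
IOC_SHA256 = "18470571777CA2628747C4F39C8DA39CA81D1686820B3927160560455A603E49".lower()
IOC_DOMAINS = {"rnsnno.2398-ns.pro", "rnsnno.kycmaxcapital.pro", "rnsnno.szyby.pro"}

# Assumed allowlist of legitimate Microsoft login/CDN hosts. An iframe that loads
# a login page from any other host matches the injected-iframe pattern in the report.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "outlook.office365.com", "outlook.office.com",
    "aadcdn.msftauth.net", "aadcdn.msauth.net", "aadcdn.msftauthimages.net",
}

# JavaScript calls commonly used to decode and render an embedded HTML blob.
# Any one alone is ordinary web code; two or more in a standalone file are worth a look.
SMUGGLING_MARKERS = ("atob(", "createObjectURL(", "new Blob(", "msSaveOrOpenBlob(")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.iframe_srcs.append(value)


def triage_html(data: bytes) -> dict:
    """Return triage findings for the raw bytes of one HTML file."""
    text = data.decode("utf-8", errors="replace")
    parser = IframeCollector()
    parser.feed(text)

    # Iframe hosts outside the Microsoft allowlist are the proxied-portal signal.
    external_iframes = []
    for src in parser.iframe_srcs:
        host = urlparse(src).hostname
        if host and host.lower() not in MICROSOFT_LOGIN_HOSTS:
            external_iframes.append(host.lower())

    digest = hashlib.sha256(data).hexdigest()
    findings = {
        "sha256": digest,
        "known_payload": digest == IOC_SHA256,
        "ioc_domains": sorted(d for d in IOC_DOMAINS if d in text.lower()),
        "external_iframes": external_iframes,
        "smuggling_markers": [m for m in SMUGGLING_MARKERS if m in text],
    }
    findings["suspicious"] = bool(
        findings["known_payload"]
        or findings["ioc_domains"]
        or findings["external_iframes"]
        or len(findings["smuggling_markers"]) >= 2
    )
    return findings


# Constructed sample inputs (not real attachments). The "suspicious" one only carries
# the markers and an iframe to a reported domain; it is not a working payload.
SUSPICIOUS_HTML = b"""<html><body>
<script>var page = new Blob([atob(data)]);</script>
<iframe src="https://rnsnno.szyby.pro/login" style="border:0"></iframe>
</body></html>"""

BENIGN_HTML = b"""<html><body>
<p>Quarterly report</p>
<a href="https://outlook.office365.com/">Open mail</a>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(sample))
```

Run it on a quarantined attachment by reading the file in binary mode and passing the bytes to `triage_html`; the `known_payload` field is a hit only on the exact file hashed in the report, while `external_iframes` and `ioc_domains` catch reuse of the same technique or infrastructure in re-packed copies.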