Threat actors leverage document publishing sites for ongoing credential and session token theft

Cisco Talos IR observed threat actors abusing legitimate digital document publishing (DDP) sites (e.g., Publuu, Marq, Issuu, FlipSnack, RelayTo, SimpleBooklet) to host phishing lures that redirect victims to adversary-controlled pages to harvest credentials and session tokens. Campaigns leverage features like Cloudflare CAPTCHAs, Google AMP redirects, transient link expiration, and DNS fast-fluxing to evade detection and accelerate the attack lifecycle. #Publuu #Marq #Issuu #Microsoft365 #Cloudflare

Keypoints

  • Threat actors host phishing documents on legitimate DDP sites to increase trust and bypass web/email filters.
  • Typical delivery: bulk BCC phishing email → DDP-hosted flipbook with a link → redirects (sometimes via Google AMP/Cloudflare CAPTCHA) → spoofed auth page to capture credentials/session tokens.
  • DDP pages and landing pages are customized (HTML Title, page visuals) to improve authenticity and click-through rates.
  • Adversaries rapidly create and remove DDP pages (link expiration, short-lived pages) and sometimes use DNS fast-flux or domain churn for the final landing sites.
  • Observed phishing lures targeted Microsoft 365 authentication flows, using encoded OAuth-style parameters to capture tokens or codes.
  • Examples of malicious domains include aerospace-atlas[.]online, atlas-aerspace[.]online, and numerous `.top` domains used as redirectors/landing pages.
  • Defender actions recommended: block or monitor DDP sites, alert on DDP URLs in email, use TI to detect new domains, and update user training to include DDP-based phishing.

MITRE Techniques

  • [T1566] Phishing – Use of email and malicious document links to collect credentials: ‘The victim receives an email containing a link to a document hosted on a legitimate DDP site.’
  • [T1568.001] DNS Fast Flux – Rapidly changing or removing landing pages to evade takedown and detection: ‘the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.’

Indicators of Compromise

  • [Domains] adversary-controlled landing and redirect domains – aerospace-atlas[.]online, atlas-aerspace[.]online, and other related Cloudflare-hosted domains.
  • [.top domains] unique redirect/landing domains used in credential harvests – mvnwsenterprise[.]top (example path: mvnwsenterprise[.]top:443/aadcdn.msauth.net/), onedrivesmncs[.]top, onedrivemwsamc[.]top.
  • [DDP-hosted URLs] DDP flipbook patterns used as initial lure – https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier], and similar Issuu/FlipSnack links.
  • [URL query strings] encoded OAuth/ref parameters used to ferry victims to spoofed auth flows – presence of query string ‘tkmilric’ and Base64/URL-encoded “ref” values in redirect URLs.

Threat actors follow a repeatable technical sequence: craft a phishing email (often BCCing many recipients) that links to a DDP-hosted flipbook; the flipbook contains one or more hyperlinks that redirect the user—sometimes through Google AMP and a Cloudflare CAPTCHA—onto an adversary-controlled domain hosting a near-exact replica of a legitimate authentication page (commonly Microsoft 365). The landing pages frequently include long identifier strings and encoded parameters (e.g., Base64/URL-encoded “ref” values that map to OAuth authorization flows), enabling capture of credentials or session tokens during the sign-in process.

Attackers exploit DDP platform features to improve lure credibility: customizing the HTML Title and page visuals, using free/trial accounts to publish ephemeral pages, and setting link expiration so pages auto-delete. The final-stage infrastructure is often transient or churned (unique domains per campaign and DNS fast-flux techniques), complicating detection and incident response because defenders have limited time to capture full indicators and trace redirect chains.

Forensic examination of incidents revealed common technical artifacts: DDP flipbook URL patterns (Publuu, Issuu, FlipSnack), redirect chains that include Cloudflare CAPTCHA or Google AMP intermediaries, landing domains using `.online` or `.top` TLDs, and encoded OAuth-style query strings that reference Microsoft application IDs (e.g., 00000002-0000-0ff1-ce00-000000000000) and indicate attempts to abuse OAuth flows to obtain tokens. Responders should capture full redirect traces, save DDP page snapshots quickly, extract encoded parameters for decoding, and block or monitor identified domains and DDP hosting providers as part of containment.
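A defender-side triage script for the artifacts listed above and for the "alert on DDP URLs" recommendation in the keypoints, added here as an example and not code from the Talos report: it pulls URLs out of constructed proxy-log lines (accepting defanged `[.]`/`hxxp` notation so the report's IoCs can be pasted in as-is), flags the Publuu flipbook path pattern and other DDP hosts, `.top`/`.online` landing domains, the `tkmilric` query marker and Microsoft brand strings on non-Microsoft hosts, and decodes Base64/URL-encoded `ref` values to look for the Microsoft application ID. The scoring weights, the sample log lines and the contents of the encoded `ref` value are assumptions made for illustration.

```python
"""Triage URLs from proxy/email logs for the DDP phishing chain (added example, not Talos code)."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# DDP services named in the report (registered domains).
DDP_HOSTS = {"publuu.com", "marq.com", "issuu.com", "flipsnack.com",
             "relayto.com", "simplebooklet.com"}
# Publuu flipbook path pattern from the report: /flip-book/<6 digits>/<6 digits>
PUBLUU_FLIPBOOK_RE = re.compile(r"^/flip-book/\d{6}/\d{6}(?:/.*)?$")
# TLDs observed on the adversary-controlled redirect/landing domains.
SUSPECT_TLDS = {"top", "online"}
# Query-string key observed in the redirect URLs.
SUSPECT_QUERY_KEYS = {"tkmilric"}
# Microsoft application ID the report says appears in encoded OAuth-style parameters.
MS_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# Genuine Microsoft sign-in hosts; brand strings on any other host are a lookalike signal.
LEGIT_MS_HOSTS = ("login.microsoftonline.com", "login.live.com")
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+")


def refang(text):
    """Turn defanged IoC notation ('[.]', 'hxxp') back into a parseable URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_legit_ms_host(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_MS_HOSTS)


def decode_ref(value):
    """URL-decode, then Base64-decode (standard or URL-safe alphabet). None if not decodable."""
    raw = unquote(value).strip()
    raw += "=" * (-len(raw) % 4)  # restore padding that is often stripped in URLs
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(raw, altchars=altchars, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyze_url(url):
    """Return findings for one URL; 'score' > 0 means it deserves analyst review."""
    clean = refang(url)
    parsed = urlparse(clean)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    registered = ".".join(labels[-2:])  # naive eTLD+1, adequate for the hosts in scope here
    tld = labels[-1] if len(labels) > 1 else ""
    query = parse_qs(parsed.query, keep_blank_values=True)
    lower = clean.lower()

    findings = {
        "url": url,
        "ddp_host": registered in DDP_HOSTS,
        "publuu_flipbook": registered == "publuu.com" and bool(PUBLUU_FLIPBOOK_RE.match(parsed.path)),
        "suspect_tld": tld in SUSPECT_TLDS,
        "suspect_query_keys": sorted(set(query) & SUSPECT_QUERY_KEYS),
        # Microsoft asset/login names present while the host is not Microsoft's (e.g. aadcdn.msauth.net in a path).
        "ms_lookalike": ("msauth" in lower or "microsoftonline" in lower) and not is_legit_ms_host(host),
        "decoded_ref": None,
        "ms_app_id_in_ref": False,
    }
    for ref in query.get("ref", []):
        decoded = decode_ref(ref)
        if decoded:
            findings["decoded_ref"] = decoded
            findings["ms_app_id_in_ref"] = MS_APP_ID in decoded
            break

    # Assumed weights: the encoded app ID and the landing-page traits weigh more than a DDP link alone.
    findings["score"] = (1 * findings["ddp_host"] + 1 * findings["publuu_flipbook"]
                         + 2 * findings["suspect_tld"] + 2 * bool(findings["suspect_query_keys"])
                         + 2 * findings["ms_lookalike"] + 3 * findings["ms_app_id_in_ref"])
    return findings


def scan_log_lines(lines, threshold=2):
    """Extract URLs from free-form log lines and return findings scoring at or above threshold."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            findings = analyze_url(url.rstrip(".,;)\"'"))
            if findings["score"] >= threshold:
                hits.append(findings)
    return hits


# Constructed sample log lines (not from the report); the ref value is built here so the example runs offline.
_SAMPLE_REF = base64.urlsafe_b64encode(f"client_id={MS_APP_ID}&response_type=code&scope=openid".encode()).decode()
SAMPLE_LOG = [
    "2024-03-11T09:14:02Z alice GET https://publuu[.]com/flip-book/123456/654321 200",
    f"2024-03-11T09:14:09Z alice GET https://mvnwsenterprise[.]top:443/aadcdn.msauth.net/?tkmilric=1&ref={_SAMPLE_REF} 200",
    f"2024-03-11T09:20:31Z bob GET https://login.microsoftonline.com/common/oauth2/authorize?client_id={MS_APP_ID} 200",
    "2024-03-11T09:22:10Z carol GET https://example.com/reports/q1.pdf 200",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"score={hit['score']:>2} {hit['url']}")
        if hit["decoded_ref"]:
            print(f"         decoded ref: {hit['decoded_ref']}")
```

Run against real proxy or mail-gateway logs, the first hit (the flipbook link) is the point at which a DDP-URL alert should fire, and the second shows why the `ref` parameter is worth decoding before the short-lived landing domain disappears: the decoded value gives the responder the OAuth parameters even after the page itself is gone. The genuine `login.microsoftonline.com` URL in the sample scores zero, which is the check that the brand-string heuristic does not flag legitimate sign-ins.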

Read more: https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/