Disclaimer - Curated Intelligence is a private trust group and members are able to publish their research under our banner without it being attributed to them. We thank our members for their contribution.
Members of Curated Intelligence have recently tracked a new global credential-harvesting campaign targeting Microsoft accounts. This latest wave of phishing attacks masquerades as ‘shared document’ notification emails that carry an embedded URL. If clicked, the link leads to a fake Adobe Document Cloud login page that harvests credentials for Outlook and Office 365.
Many countries were targeted in this campaign; however, the US and the UK have seen most of the targeting, followed by the Netherlands. Other targets possibly include Germany, France, Sweden, Portugal, Spain, Italy, India, Australia, Belgium, Slovenia, Poland, Chile, Norway, Romania, Canada, Turkey, Singapore, Japan, and Hong Kong.
The campaign is believed to have been delivered via a range of phishing emails whose content varied depending on the target. Some emails asked the user to visit a landing page to view an “encrypted”, “scanned”, or “faxed” document (see Fig. 1). These initial links commonly used Cloudflare’s workers[.]dev domain (Cloudflare Workers); hosting the redirect on a legitimate, widely used service helps the links evade anti-phishing detection systems.
Fig. 1 – Example of a Phishing email template sent in this campaign
Throughout this campaign, Curated Intel analysts identified that part of the infrastructure was deliberately tailored to its targets. This indicates the threat actors had likely researched their targets before launching phishing emails against specific organisations from a predetermined list.
The embedded URL in the phishing emails redirects users to a convincing web application, often delivered via another third-party CDN. The application is designed to trick the user into thinking they are logging in to the Adobe Document Cloud application. In reality, it collects and exfiltrates any credentials the user enters before redirecting them to the genuine ‘login.microsoftonline.com’ URL, so the victim lands on a real Microsoft login page and is unlikely to notice that anything is wrong.
Fig. 2 – Credential stealing Adobe Document Cloud-themed landing page
What was notable about this campaign to Curated Intelligence analysts was that it largely reused the same infrastructure for redirection links and for hosting landing pages. This includes hostnames under “share[.]sender[.]net”, “workers[.]dev”, and “erpnext[.]com”. Over a six-month period, Curated Intelligence analysts observed up to 134 unique URLs. There are almost certainly many more URLs related to this campaign that were not identified by Curated Intelligence.
One common artefact enabled Curated Intelligence analysts to track this wave of attacks: the Google Firebase site “runn1rnl8xzmqeh0kvov[.]web[.]app”, which was used for data exfiltration. This Firebase site was present in all of the fake Adobe Document Cloud landing pages, which makes it the most reliable pivot for hunting the campaign. Curated Intelligence reported the main Google Firebase site, along with our research, to the UK’s National Cyber Security Centre (NCSC) for enforcement action.
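As an added example (not Curated Intelligence’s tooling, and not code from the original write-up), the following Python script shows how a defender could hunt web-proxy logs for the chain described above: a click on a lure hosted on one of the abused services, a POST to the Firebase exfiltration host, and the final redirect to login.microsoftonline.com. The log format, the sample log lines and the workers.dev subdomain are constructed for illustration; only the indicator hostnames come from this write-up.

```python
"""Hunt proxy logs for the Adobe Document Cloud-themed credential-harvesting chain.

Added example, not Curated Intelligence's tooling. The log format and sample
lines are constructed; only the indicator hostnames come from the write-up.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the write-up, kept in their defanged form.
# Only the specific Firebase host is an indicator: matching the whole
# web[.]app zone would flag every legitimate Firebase site.
EXFIL_HOST = "runn1rnl8xzmqeh0kvov[.]web[.]app"
ABUSED_SERVICES = ("share[.]sender[.]net", "workers[.]dev", "erpnext[.]com")
LEGIT_LOGIN = "login.microsoftonline.com"


def refang(indicator):
    """Turn the '[.]' defanging used in the write-up back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any of the given suffixes."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


# Assumed proxy log format (constructed, not from the write-up):
# <ISO timestamp> <client IP> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample traffic: one client walks the full chain, one only clicks
# the lure, one is unrelated. The workers.dev subdomain is invented.
SAMPLE_LOG = """\
2022-02-14T09:12:03Z 10.0.0.15 GET https://doc-share.example-lure.workers.dev/view 302
2022-02-14T09:12:05Z 10.0.0.15 GET https://share.sender.net/x/abc123 200
2022-02-14T09:12:31Z 10.0.0.15 POST https://runn1rnl8xzmqeh0kvov.web.app/ 200
2022-02-14T09:12:32Z 10.0.0.15 GET https://login.microsoftonline.com/ 200
2022-02-14T09:30:00Z 10.0.0.22 GET https://share.sender.net/x/def456 200
2022-02-14T09:45:10Z 10.0.0.40 GET https://www.example.com/ 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(method, host, exfil, abused):
    """Map one request to a stage of the chain, or None if it is not an indicator."""
    if host == exfil:
        # Only a POST to the Firebase site implies a submitted credential form;
        # a GET may just be the landing page loading a resource.
        return "exfil-post" if method == "POST" else "exfil-get"
    if host_matches(host, abused):
        return "lure"
    if host == LEGIT_LOGIN:
        # Meaningless on its own; only interesting after a lure or exfil hit.
        return "legit-redirect"
    return None


def hunt(log_text):
    """Group indicator hits by client IP, preserving log order."""
    exfil = refang(EXFIL_HOST)
    abused = [refang(s) for s in ABUSED_SERVICES]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = (urlparse(rec["url"]).hostname or "").lower()
        stage = classify(rec["method"], host, exfil, abused)
        if stage:
            hits[rec["client"]].append((stage, host))
    return dict(hits)


def verdict(stages):
    """Escalate based on how far along the chain a client got."""
    names = {s for s, _ in stages}
    if "exfil-post" in names:
        return "credentials-submitted"  # reset password, revoke sessions, check mailbox rules
    if names & {"lure", "exfil-get"}:
        return "lure-visited"  # user clicked; confirm nothing was entered
    return "clean"


if __name__ == "__main__":
    for client, stages in hunt(SAMPLE_LOG).items():
        print(client, verdict(stages), [s for s, _ in stages])
```

Running the script prints one verdict per client. A POST to the Firebase host is the strongest signal and should trigger a credential reset and session revocation; a lure hit alone means the user clicked but may not have entered anything. A visit to login.microsoftonline.com by itself is never flagged, since it is normal traffic and only matters as the tail of the chain.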
This campaign was traced back to at least August 2021 and has targeted organisations from a variety of industry verticals. The graphs below (see Fig. 3 and Fig. 4) show the distribution of phishing targets by industry vertical and by the country in which the organisation is based.
Fig. 3 – Phishing targets per industry vertical
Fig. 4 – Phishing targets per country
The sheer breadth of the infrastructure used, and the effort taken to stand it up, indicate that the threat actor behind the attacks had access to considerable resources. The threat actor is believed to be a cybercriminal group pursuing business email compromise (BEC) for financial gain.
Curated Intelligence analysts also identified that many of the organisations targeted in this campaign were small to medium-sized upstream suppliers to critical national infrastructure. If compromised, these suppliers could be used by the threat actors as a foothold from which more significant organisations may be targeted.
Indicators of Compromise (IOCs)
Data Exfiltration site:
runn1rnl8xzmqeh0kvov[.]web[.]app (Google Firebase)
Abused Legitimate Services:
share[.]sender[.]net
workers[.]dev (Cloudflare Workers)
erpnext[.]com
web[.]app (Google Firebase)