Cybercriminals Use Azure Front Door in Phishing Attacks

Experts identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft.

Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft.

The identified resources in one of the malicious campaigns impersonate various services appearing to be legitimately created on the “azurefd.net” domain – This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.  

Pic. 1 – Example of Phishing Page Delivered by Azure Front Door (AFD)

The threat actors are leveraging compromised business and personal e-mail accounts to deliver spam containing phishing links to fake WEB-resources hosted on Azure Front Door, as such domains are typically whitelisted or treated as legitimate by the end user. One of the typical phishing page scenarios observed in a recent campaign – a fake billing notification sent on behalf of SendGrid, a Colorado-based customer communication platform for transactional and marketing email.

Pic. 2 – Cybercriminals leverage compromised e-mail accounts of
Japanese companies and online-services to deliver phishing

The original phishing e-mails have been retained and observed by Security Affairs. Based on the analyzed templates, the attackers are likely using an automated way to generate their phishing letters, by doing so they’re able to scale their campaigns to ultimately target a broader number of customers globally, which has previously been observed in spam strains delivered with Emotet and Oakbot.

It’s worth noting, the observed de-obfuscated source codes of the phishing scenarios contained the signatures “STRAT Check” and references to WHOIS-protected domains registered in “.click” and “.xyz” domain zones to collect compromised credentials.

Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June – some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, which only adds more complexity for defenders:

– gridapisignout[.]azurefd[.]net
– amazon-uk[.]azurefd[.]net

– webmailsign[.]azurefd[.]net
– onlinesigninlogin[.]azurefd[.]net
– owasapisloh[.]azurefd[.]net
– docuslgn-micros0ft983-0873878383[.]azurefd.net

Based on the analysis performed on services such as URLSCAN, some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources. 

The scenarios acting as C2 scripts for intercepted credentials collection were also hosted on various hacked WEB-resources, leveraging domains having similar spelling to the names of existing corporations. Such domains were used to impersonate several large enterprises in the Middle East and other countries what may confirm the campaign could have been targeted and had certain motives besides financial.

Pic 3. – Example of a phishing template designed
to compromise e-mail accounts using Adobe branding

In one of the phishing episodes, the threat actors impersonated the large business conglomerate Al-Futtaim Group from UAE which was founded in 1930 with over 44,000 employees. The host was created in March 2022 and was used to collect intercepted credentials leveraging spelling with just 1 letter different from the legitimate and official name of Al-Futtaim Group domain name (“alfuttairn[.]com” VS “alfuttaim[.]com”).

Pic 4. – Example of HTTP Post Request to Transmit Compromised Credentials in the Result of Successful Phishing Attack

Pic.5 – Phishing template with fake authorization targeting Office 365 customers

Pic.6 – Phishing template targeting Amazon customers

Pic.7 – Scenario to intercept credit card data with CVV Number (“Card Verification Value”)

The identified malicious domain names and additional intelligence have been reported by Resecurity to Microsoft Security Response Center (MSRC) to minimize possible risk and damages from this activity. All of the identified malicious resources have been successfully and timely terminated.  

Similar campaigns have been identified by the MalwareHunterTeam (MHT) in November 2021, when Azure Front Door Service (AFD) was used to host phishing content targeting academia and the UK Government employees.

According to experts such tactics could be leveraged by both sophisticated threat actors and APT groups, as well as cybercriminals to avoid being detected conducting phishing, business e-mail compromise (BEC), and Email Account Compromise (EAC) campaigns.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received reports of BEC scams in all 50 states and 177 countries. In a March 2022 report, the IC3 said it received close to 20,000 BEC complaints last year, with estimated adjusted losses of roughly $2.4 billion.

The total BEC/EAC statistics reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021 exceeds 43$ billion.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Azure Front Door)

The post Cybercriminals Use Azure Front Door in Phishing Attacks appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt