1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Hackers have found a clever new way to steal your Microsoft 365 c

    From TechnologyDaily@1337:1/100 to All on Fri Apr 1 16:15:04 2022
    Hackers have found a clever new way to steal your Microsoft 365 credentials

    Date:
    Fri, 01 Apr 2022 15:12:32 +0000

    Description:
    Checking links on phishing landing pages isn't what it used to be.

    FULL STORY ======================================================================

    Cybercriminals have started using Static Web Apps, an Azure service, in their phishing attacks against Microsoft 365 users.

    Researchers from MalwareHunterTeam noted Static Web Apps have two features that are being abused with ease - custom branding for web apps, and web hosting for static content such as HTML, CSS, JavaScript, or images.

    These features have been used by threat actors to host static landing
    phishing pages, the researchers are now saying. These landing pages look almost identical to official Microsoft services, with the company logo, and the Single SignOn (SSO) option that harvests Office 365, Outlook, or other credentials. TechRadar needs you!

    We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a 100 Amazon gift card (or equivalent in USD). Thank you for taking part.

    Click here to start the survey in a new window << Sneaky tactics

    Reporting on the findings, BleepingComputer says using Azure Static Web Apps to target Microsoft users is an excellent tactic, as each landing page gets its own secure page padlock in the address bar, due to the *.1.azurestticapps.net wildcard TLS certificate.

    With such a TLS certificate, even the most suspicious of victims could be tricked.

    It also makes the landing pages good for targeting users on other platforms and other email providers, as these victims could also be fooled by the fake security assurance of the legitimate Microsoft TLS certificate.

    Usually, when a person is suspecting a phishing attack, theyd check the URL theyre being invited to click. Using Azure Static Web Apps renders this
    advice useless, as many will most likely be fooled by the azurestticapps.net, and think the identity is legitimate, the publication concludes.

    What is phishing and how dangerous is it?



    LinkedIn is becoming a paradise for phishing attacks



    Phishing attacks hit more businesses than ever last year

    Azure Static Web Apps Microsofts tool that helps developers build and deploy full stack web apps to Azure, from a code repository.

    Its key features include web hosting for static content like HTML, CSS, JavaScript, and images, integrated API support provided by Azure Functions, GitHub and Azure DevOps integration, globally distributed static content, free, automatically renewed SSL certificates, custom domains to provide branded app customizations, and other.

    Microsoft is silent on the matter, for the time being. If you're looking to keep your devices secure, make sure to get one of the best endpoint
    protection services right now

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/hackers-have-found-a-clever-new-way-to-steal-yo ur-microsoft-365-credentials/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)