Cybercriminals are actively spoofing Microsoft and Adobe authorization systems

Cybersecurity specialists from the company Vade discovered a new phishing campaign in which attackers spoof the authentication system Microsoft 365 and Adobe document cloud. The purpose of the attack is to steal user credentials from these services.

Fake Microsoft and Adobe Authorization Fields

According to Vade researchers, attackers send emails with malicious HTML-file attached. This file contains JavaScript– code that collects the recipient’s email address and modifies the page using the data from the callback variable.

When analyzing the malicious domain used by the hackers, the experts decoded the base64 encoded string and obtained results related to phishing attacks on Microsoft 365. They noted that requests for phishing applications were directed to the domain with the interesting name “eevilcorp[.]online” (“corporation of evil”).

According to researchers, cybercriminals use the platform Glitch.me to host phishing HTML pages. This is a legitimate platform that allows you to create and host various web applications, sites and online projects on the Internet. Unfortunately, in the campaign reviewed, this platform was used to host domains involved in an ongoing phishing scam.

The attack begins with the victim receiving an email with a malicious HTML file as an attachment. After running the file in a web browser, a phishing page is launched that masquerades as a Microsoft 365 authorization page. Here, the victim is asked to enter their credentials, which are then sent to the attackers.

Due to the widespread adoption of Microsoft 365 in the business community, there is a strong possibility that a compromised account belongs to a corporate user. As a result, if an attacker gains access to these credentials, they can potentially gain access to sensitive business information.

Vade researchers also discovered a similar phishing campaign that involves using a fake Adobe Document Cloud login page. Her analysis showed the use of the same domain “eevilcorp[.]online” which returns an authentication page associated with malware called Hawkeye.

It is important to emphasize that cybersecurity experts, including Cisco Talospreviously conducted a study of the original HawkEye keylogger and classified it as a set of malware that appeared back in 2013, with subsequent updates to new versions.

Vade specialists provided a detailed set of recommendations for protection against such attacks:

• Check the sender of the email. Be wary of emails purporting to be from Microsoft, Adobe, or other well-known companies that are sent from suspicious or unknown email addresses. Always check the sender’s email address carefully before taking any action to make sure the email is from a real company.
• Pay attention to general greetings. Phishing emails often use generic “Dear User” greetings instead of calling you by your first name. Legitimate letters from the same Microsoft usually address you by your real name or the specified login.
• Analyze the content and formatting of the email. Pay attention to spelling and grammar errors, as well as bad formatting. Phishing emails often contain errors that would not be in legitimate messages from large companies.
• Hover over links. Before clicking on any links in the email, hover over them to see the actual URL. If the link’s destination looks suspicious or different from the company’s official domains, don’t click on it.
• Be careful with urgent requests. Phishing emails often create a sense of urgency by pressuring you to take immediate action. Beware of emails that claim that your account is at risk or that your personal information needs to be verified urgently.

Remember, if you suspect an email is a phishing scam, it’s best to play it safe and just ignore it. If you really have questions about the security of your account, it is better to contact the company’s support directly and do not click on any links in the letters. Never provide personal or confidential information unless you can verify the legitimacy of the request through official channels.