Back

Cybercriminals Use Azure Front Door in Phishing Attacks

Cybercrime Intelligence

Azure Front Door, microsoft, phishing, credential theft, cloud security

Cybercriminals Use Azure Front Door in Phishing Attacks

Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonates various services appearing to be legitimately created on the “azurefd.net” domain – This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online-service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.


phishing page delivered azure front door afd
Example of Phishing Page Delivered by Azure Front Door (AFD)



The threat actors are leveraging compromised business and personal e-mail accounts to deliver spam containing phishing links to fake WEB-resources hosted on Azure Front Door, as such domains are typically whitelisted or treated as legitimate by the end user. One of the typical phishing page scenarios observed in a recent campaign – a fake billing notification sent on behalf of SendGrid, a Colorado-based customer communication platform for transactional and marketing email.


cyber criminals leverage compromised email accounts japan
Cybercriminals leverage compromised e-mail accounts of Japanese companies and online-services to deliver phishing



The original phishing e-mails have been retained and observed by Security Affairs. Based on the analyzed templates, the attackers are likely using an automated way to generate their phishing letters, by doing so they’re able to scale their campaigns to ultimately target a broader number of customers globally, which has previously been observed in spam strains delivered with Emotet and Oakbot.

It’s worth noting, the observed de-obfuscated source codes of the phishing scenarios contained the signatures “STRAT Check” and references to WHOIS-protected domains registered in “.click” and “.xyz” domain zones to collect compromised credentials.




Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June - some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, what only adds more complexity for defenders:

  • gridapisignout[.]azurefd[.]net
  • amazon-uk[.]azurefd[.]net
  • webmailsign[.]azurefd[.]net
  • onlinesigninlogin[.]azurefd[.]net
  • owasapisloh[.]azurefd[.]net
  • docuslgn-micros0ft983-0873878383[.]azurefd.net

Based on the analysis performed on services such as URLSCAN, some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources.

The scenarios acting as C2 scripts for intercepted credentials collection were also hosted on various hacked WEB-resources, leveraging domains having similar spelling to names of existing corporations. Such domains were used to impersonate several large enterprises in the Middle East and other countries what may confirm the campaign could have been targeted and had certain motives besides financial.


example design phishing template compromise email
Example of a phishing template designed to compromise e-mail accounts using Adobe branding



In one of the phishing episodes, the threat actors impersonated the large business conglomerate Al-Futtaim Group from UAE which was founded in 1930 with over 44,000 employees. The host was created in March 2022 and was used to collect intercepted credentials leveraging spelling with just 1 letter different from the legitimate and official name of Al-Futtaim Group domain name (“alfuttairn[.]com” VS “alfuttaim[.]com”).


compromised credentials http post request transmit
Example of HTTP Post Request to Transmit Compromised Credentials in the Result of Successful Phishing Attack



phishing template fake authorization target office 365
Phishing template with fake authorization targeting Office 365 customers



phishing template targeting amazon customers
Phishing template targeting Amazon customers



scenario intercept credit card data cvv number
Scenario to intercept credit card data with CVV Number ("Card Verification Value")



The identified malicious domain names and additional intelligence have been reported by Resecurity to Microsoft Security Response Center (MSRC) to minimize possible risk and damages from this activity.

Similar campaigns have been identified by the MalwareHunterTeam (MHT) in November 2021, when Azure Front Door Service (AFD) was used to host phishing content targeting academia and the UK Government employees.

According to experts such tactics could be leveraged by both sophisticated threat actors and APT groups, as well as cybercriminals to avoid being detected conducting phishing, business e-mail compromise (BEC), and Email Account Compromise (EAC) campaigns.

In 2021, the FBI's Internet Crime Complaint Center (IC3) received reports of BEC scams in all 50 states and 177 countries. In a March 2022 report, the IC3 said it received close to 20,000 BEC complaints last year, with an estimated adjusted losses of roughly $2.4 billion.

The total BEC/EAC statistics reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021 exceeds 43$ billion.

Newsletter

Keep up to date with the latest cybersecurity news and developments.

By subscribing, I understand and agree that my personal data will be collected and processed according to the Privacy and Cookies Policy

Cloud Architecture
Cloud Architecture
445 S. Figueroa Street
Los Angeles, CA 90071
Google Maps
Contact us by filling out the form.
Try Resecurity products today with a free trial