Phishing Attack Uses Azure Storage to Impersonate Microsoft
Even though phishing attacks can be quite convincing, a giveaway is when diligent users notice that the login form is unsecured, the URL is not right, or the SSL certificate is clearly not owned by the company being impersonated. A new Office 365 phishing attack gets around the last of these checks with an interesting method: the phishing form is hosted on Azure Blob Storage so that it is secured by a Microsoft SSL certificate.
Azure Blob Storage is a Microsoft storage solution that can be used to store unstructured data such as images, video, or text. When a phishing form is stored in Azure Blob Storage, the displayed form is served under an SSL certificate from Microsoft. This makes it an ideal method for creating phishing forms that target Microsoft services such as Office 365, Azure AD, or other Microsoft logins.
In these attacks, bad actors send out spam emails with PDF attachments. These attachments are named "Scanned Document... Please Review.pdf" and simply contain a button to download a supposed PDF of a scanned document. When users click on this link, they are brought to an HTML page that pretends to be an Office 365 login form and is stored on the Microsoft Azure Blob Storage solution. Notice how the URL, https://onedriveunbound80343.blob.core.windows.net, indicates it is a blob. As this page is also hosted on a Microsoft service, it gets the benefit of being a secured SSL site as well.
While more experienced users may not fall for this attack because of the strange URL, others may be convinced that the page must be safe because it uses a certificate from Microsoft. To better protect users from these types of evolving threats, Netskope recommends that companies properly educate their users to recognize non-standard web page addresses. "Enterprises should educate their users to recognize AWS, Azure, and GCP object store URLs, so they can discern phishing sites from official sites."
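The same recognition can be automated in mail or proxy filtering. The following is an added example, not code from the article or from Netskope: it flags links whose host is a cloud object store and extracts the customer-chosen account or bucket name. The pattern list and the sample message are assumptions; only the blob URL comes from the article.

```python
import re
from urllib.parse import urlsplit

# Hostname patterns for public object stores (an assumed, non-exhaustive list).
# "owner" captures the customer-chosen account or bucket label, which any
# customer can register; the provider's TLS certificate says nothing about it.
OBJECT_STORE_PATTERNS = [
    ("azure-blob", re.compile(r"^(?P<owner>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")),
    ("aws-s3", re.compile(r"^(?:(?P<owner>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")),
    ("gcp-gcs", re.compile(r"^(?:(?P<owner>[a-z0-9._-]+)\.)?storage\.googleapis\.com$")),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def classify_url(url):
    """Return (provider, owner) if the URL is served from an object store, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    # .hostname lowercases and drops userinfo and port, so a decoy such as
    # "login.microsoftonline.com@<account>.blob.core.windows.net" is judged
    # by the host the browser actually connects to.
    host = (parts.hostname or "").rstrip(".")
    for provider, pattern in OBJECT_STORE_PATTERNS:
        match = pattern.match(host)
        if match:
            owner = match.group("owner")
            if owner is None:  # path-style URL: the bucket is the first path segment
                owner = parts.path.lstrip("/").split("/", 1)[0] or None
            return provider, owner
    return None

def flag_links(text):
    """Return [(url, provider, owner)] for each object-store link found in text."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        result = classify_url(url)
        if result:
            hits.append((url, *result))
    return hits

# Constructed message body; the blob URL is the one quoted in the article.
SAMPLE = ("Scanned document ready: https://onedriveunbound80343.blob.core.windows.net "
          "(official sign-in is https://login.microsoftonline.com/).")

if __name__ == "__main__":
    for url, provider, owner in flag_links(SAMPLE):
        print(f"object-store link: {url} provider={provider} owner={owner}")
```

A hit is not proof of phishing, since legitimate content is also served from these hosts; it marks links where the certificate belongs to the provider and the content belongs to whoever registered the account or bucket name.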