Solutions
Solutions
All in one solution
Overview
Managed XDR
Keep my IT safe 24/7
24/7 Incident Response
Restore business operations
Security Awareness
Improve security culture
Cyber Insurance
Ensure business continuity
Integrations
Technology partners
Industry
All sectors
Logistics
Manufacturing
Professional services
Healthcare
Partners
Partner Network
For Brokers & Risk Advisors
Lower your clients' cyber risk.
For Managed Service Providers (MSP)
Expand your offer with cybersecurity.
Case studies
Customer protection
Jan de Rijk
Logistics
Avi Medical
Healthcare
KeyTec Netherlands
Manufacturing
Van der Most Transport
Logistics
Signature Foods
Manufacturing
KlaassenGroep
Construction
GOED Belgium
Healthcare
Zimmer Group
Manufacturing
Plans
Resources
Resources
Blogs
News from the front lines
Resource library
Guides and brochures
Free Anti-spoofing Tool
Sign up to get started
Knowledge Base
Customer login
NIS2 Resource Hub
Your easy guide to NIS2
Glossary of Terms
A glossary of cybersecurity terms
Company
About
News
Careers
Contact
Press
en
Talk to us
Take a tour
Solutions
Back
Solutions
All in one solution
Managed XDR
24/7 Incident Response
Security Awareness
Cyber Insurance
Integrations
Industry
All sectors
Logistics
Manufacturing
Professional services
Healthcare
Partners
Back
Partner Network
For Brokers & Risk Advisors
For Managed Service Providers (MSP)
Case studies
Back
Customer protection
Jan de Rijk
Avi Medical
KeyTec Netherlands
Van der Most Transport
Signature Foods
KlaassenGroep
GOED Belgium
Zimmer Group
Plans
Resources
Back
Resources
Blogs
Resource library
Free Anti-spoofing Tool
Knowledge Base
NIS2 Resource Hub
Glossary of Terms
Company
About
News
Careers
Contact
Press
en
Book a demo
Incident Hotline
Return to overview
3 min read

Large scale phishing campaign quickly utilises Legacy Authentication before Microsoft disables it

3 min read
September 29, 2022
By: Eye Security
By: Eye Security
7 March 2024

Security Specialists from Eye Security have observed a rather large phishing campaign using a few interesting tactics that we would like to share with you today. The campaign took place on the 25th and 26th of September 2022.

A list of IOC’s is shared on the bottom of this page.

Open Redirection: feature or bad-practise?

The emails sent out by the Threat Actor (TA) contained a basic looking phish. The emails we have observed during the campaign within our customer base contained emails about shared teams folders ‘Folder “Teams Documents” Shared by *company name*’. The email body was completely base64 encoded and contained a link behind a button.

Interestingly the TA used a chain of services that offer some form of redirection. In this case, the TA’s used two marketing services that do not check if the domain within the redirection URL is actually part of the marketing campaign.

First in the chain was a marketing campaign for one of their users. The first platform in the chain would redirect the browser to Doubleclick.net (Google Marketing Platform). Doubleclick would then forward the browser to the final URL which is hosted on yandexcloud.net.

Let’s do some digging!

All the (final) phishing domains were hosted on yandexcloud.net, but using slightly different subdomains. Each subdomain consisted of the following parts: Prefix + 45 random chars (letter/number) + .website.yandexcloud.net

Where the prefix would be any of the following cases:

  • “auth-login-”
  • "auth-sign"
  • “login-auth”
  • “login-”
  • “sign-”
  • "signin-"

Looking further into the different subdomains, we noticed that after each submitted username/password a call would be made towards checkips.net (weirdly, also sending the username and password towards the checkips server). This returned the clients IP and source country. Afterwards a call was made to one of 3 different logging servers sending off the username/password and information gathered from the checkips.net call (check IOC list below for the domains).

Russia?

After being phished, the attackers would try to login to the victims account using a VPS in Russia. We have only observed the logins coming from one single IPV6 address. The attackers authenticate using legacy authentication, which would force the session to take place using only username and password even if MFA was enabled on the account.

We suspect the TA is trying to “grab whatever they can, while they can” before Microsoft disables Basic Authentication by default on the 1st of October 2022.

BEC Hunting

Eye Security suggests querying EDR / NDR telemetry or Firewall logs to check if hosts resolved the domains in the IOC list. We strongly suggest querying Azure Active Directory Sign-In logs to check if any connection (attempts) were made by the malicious IPV6 address.

IOC’s:

Malicious IPV6 address

2a00:1838:2a:1505:c267:afff:fe70:f4de

Server used to submit username/password to

burilink[.]xyz

Server used to submit username/password to

zahedlink[.]xyz

Server used to submit username/password to

zipardlink[.]xyz

 

Observed phishing page’s:

Domain

auth-login-0t1nnwrd3znvr4g598gygyey1em0jzsm782d38867qx.website.yandexcloud[.]net

Domain

auth-login-1shun1uph7exdiqi5jxipzfloj2dv0m0cel5aq03mmhqn.website.yandexcloud[.]net

Domain

auth-login-3ll3ktz0dc6pgqpiknz9wil9bhfc2b07yj7aju5ag7shi.website.yandexcloud[.]net

Domain

auth-login-79o87gxwbej5pu1m8lg6hf8jeuednx9jcl4nr4aufqujh.website.yandexcloud[.]net

Domain

auth-login-9egij6e1ojge075onlcdm01hhxpy72d589w1afdwyb789.website.yandexcloud[.]net

Domain

auth-login-dixd8l4w4umrzadx5ruhx8tgix0gml37lmtpxub09gbo7.website.yandexcloud[.]net

Domain

auth-login-g0897rtqd540nsmvlptoayrywzc2j4kn1iusbi7z.website.yandexcloud[.]net

Domain

auth-login-hczd80h2ld3lkdndf6619l0rny21oqr6m6unt8scpiv5y.website.yandexcloud[.]net

Domain

auth-login-htwwqb1zukg6gxqyyp88gq1lavdc8mno1zptenc7u8qz3.website.yandexcloud[.]net

Domain

auth-login-krml5bdji2f5gicz5rfgmetpasz492uwblasi2npcjk5r.website.yandexcloud[.]net

Domain

auth-login-q5v7bitmwxbzj3yjcgi2v1gvsakvuqrvvjjlvr798czzc.website.yandexcloud[.]net

Domain

auth-login-ty7cde5sdla6or6gj5w2mrmnr4073ff2zodtgyr1h1qum.website.yandexcloud[.]net

Domain

auth-login-v2iajd89d9deam6jm3n3ukdtyas3yp9hr6jyphmv.website.yandexcloud[.]net

Domain

auth-login-v2iajd89d9deamk5m3n3ukdjdas3yp9hr6jyphmv.website.yandexcloud[.]net

Domain

auth-login-v2og2iajd89d9deam6jm3n3ukdtyas3yp9hr6jyphmv.website.yandexcloud[.]net

Domain

auth-sign-01hj4s1r0qa4joet2ubr560nhq292n5yynhqdvfq1w158.website.yandexcloud[.]net

Domain

auth-sign-0qiv8a03gxwftx8d4944i0basoj0kan1c46n0yaqwctcp.website.yandexcloud[.]net

Domain

auth-sign-5zk6sgqoxz32dfsig8a3n5azcg7g7tyjsnewv2dv.website.yandexcloud[.]net

Domain

auth-sign-aiqoo4z1qacqodq3vv1t79dr9pasn795yzep6k2dk5kke.website.yandexcloud[.]net

Domain

auth-sign-bnwd5mcjpbaidqjz52ufim5xzcgxl0bzbgyy4dfrfewoc.website.yandexcloud[.]net

Domain

auth-sign-byhf38ambxxqi89rz20slcjbrti87fbu0fj6ijvlty845.website.yandexcloud[.]net

Domain

auth-sign-juc3c3kip0zmejagsh6ty5nwgjdi8ilucmqx76s1.website.yandexcloud[.]net

Domain

auth-sign-k23ey2nb5fdcoqf9stj1o0de2lqb38rl0iwpg52adgkrq.website.yandexcloud[.]net

Domain

auth-sign-k53hu5h42kmsj6zvavy1cnkcve2b5972erulwx04s76b1.website.yandexcloud[.]net

Domain

auth-sign-mfxx6syxr6p1zvdrmdl87zhfsmb0unhn67oxcw385eei3.website.yandexcloud[.]net

Domain

auth-sign-mvj2xf5bruvnthpdzkf9le1e9uri9fv325zzrkupn7i6n.website.yandexcloud[.]net

Domain

auth-sign-o77rhuayltoa32ou295ngkvnv3etchmvahhl3d89m3cwp.website.yandexcloud[.]net

Domain

auth-sign-pjrnbyecabna1wqfbquzudje2e39y1l443dz3d22.website.yandexcloud[.]net

Domain

auth-sign-plflhaz1dnprntnpb4p9wnnpmwm1spvoywjv8bjetmrph.website.yandexcloud[.]net

Domain

auth-sign-tyepcsrej0jpqofdhcszj11c5nh2knb2xn4krme61luss.website.yandexcloud[.]net

Domain

auth-sign-w2shd0wwd6k9h1bnrc7wgytvbvkmbtcolbymul8ezw3uu.website.yandexcloud[.]net

Domain

auth-sign-w2wuol7vxn2yr9v99ch6v8wzbsd3yp9hr6jyphmv.website.yandexcloud[.]net

Domain

auth-sign-xn9do3v4g4724mzbkesgvg0lw6gtlckd2luw7uhx.website.yandexcloud[.]net

Domain

login-38t888ibaqec9fogtpunr8gv8vrfhy8ovpzhbbjv.website.yandexcloud[.]net

Domain

login-7ux5lxpq4otbe2lhsg54tqqjfo2yzguplail7jyl.website.yandexcloud[.]net

Domain

login-auth5ecyg0xizndz4cdguk827pmadx3n255qmf051ful1ayzc.website.yandexcloud[.]net

Domain

login-auth612hqd6myquoejl190tna3vn3zshgueqe7wzqyjgk7dk8.website.yandexcloud[.]net

Domain

login-auth86ku4h0cizaixm9mwyy6m0b4xz5rq1salcny0i49s0i01.website.yandexcloud[.]net

Domain

login-authcp7f33tlno0jd95rh0l1bgd8ynkia413fflkes3gkap2o.website.yandexcloud[.]net

Domain

login-authkpvcoyl5wm0q7dx2ab9fz4qp6gj7d0ajp0ia5hxh.website.yandexcloud[.]net

Domain

login-authn30h959ip91mh3udrkx0qkl95faaabrh7v6s329lp2wf1.website.yandexcloud[.]net

Domain

login-autht4xo79pv6z4x612xh3h9s24y1yet1twebuw4xwtehixdi.website.yandexcloud[.]net

Domain

login-authy7tpd6mea4cjfq2zq4q11svmq3m6wkllbwzdvmo4tai.website.yandexcloud[.]net

Domain

login-authyz7npkufuztg6ar76u5lakos61vy60pcy2pnttjy76l3e.website.yandexcloud[.]net

Domain

login-authztdbz93edcg7teqtrmvx2gw9eu1klbadvm7uiryo.website.yandexcloud[.]net

Domain

login-b8sx7fjkw2sby32it82zuj6d6tjz0bepshxo2c6e2ohl6.website.yandexcloud[.]net

Domain

login-be4o83hc9vxvaslsvdxyuw02sp30tud4zkrlqhtlrx64n.website.yandexcloud[.]net

Domain

login-dnxy22v94mfvcrckhygbt1j0xjhvm1xmcei0adsaw0d67.website.yandexcloud[.]net

Domain

login-fdh24x798s98vwo0msnkqvm6kbag41ztjd15gb6n.website.yandexcloud[.]net

Domain

login-o7ibhb1ia4rjxg4idm0od4mhcqmjgn5e40p9870j.website.yandexcloud[.]net

Domain

login-pydv8xuzahh8rvog07lu0ztjwdg2vlz03eqg7fydmh5pn.website.yandexcloud[.]net

Domain

login-q4e1too8kcdnvk46i7mp0kx3dgdwcsrvd0bocpzd.website.yandexcloud[.]net

Domain

login-tv6j39ruh5q97xo1f3u3ul67jln1yxuk5ruxnxn5njuxz.website.yandexcloud[.]net

Domain

login-u4vbxnfnqpfwav2l9t01osrwp3oslph42xvlcr721rk.website.yandexcloud[.]net

Domain

login-xn7jzi6jyw9eeo8yho1f6x1k9c689qzzdjcfwiocyghy9.website.yandexcloud[.]net

Domain

login-zghivnbzn00fnpg5wo7oyutjtspl857snonwo843.website.yandexcloud[.]net

Domain

login-authn30h959ip91mh3udrkx0qkl95faaabrh7v6s329lp2wf1.website.yandexcloud[.]net

Domain

sigin-2rfd55xyy31lhixsbnvxo79pr538pzmxyoh4imo2txm4x2bsi8.website.yandexcloud[.]net

Domain

sign-1uwcwngkv6addzgek46wx7attvjaromcpeeuhynjt6gne.website.yandexcloud[.]net

Domain

sign-3r8nfpjkpggpkvtqt4sv5pbc4esmb0uk0r87hnjmgzpxw.website.yandexcloud[.]net

Domain

sign-3s4kpuhvpbtljys3zc9c16hu76heb8ckht906nu35pdob.website.yandexcloud[.]net

Domain

sign-4uy5juyk7im1ugmf83tcku3hv1i8m657lx80ete7ydi4x.website.yandexcloud[.]net

Domain

sign-6rpebn7cp3utj8o1x2gy4is0v2xsuxcgbicsya9uiq9e3.website.yandexcloud[.]net

Domain

sign-88uil4pl0fpucfx7pph9k69d4zt7op37s8mp6o2pufewq.website.yandexcloud[.]net

Domain

sign-9k5lxzeas65i9wl40pcnygswla0chj5kyuvzbs1j.website.yandexcloud[.]net

Domain

sign-ajo1zyl2rgiwtakzwrq2kd6uvp58qoeix6n97a85.website.yandexcloud[.]net

Domain

sign-fwntrlrmf9v2kmu06nk56344m1y6bt1ty2m2vd4yt5jvj.website.yandexcloud[.]net

Domain

sign-ltcnxoz0cpljf6oej7a5jxai9wqiycc9z6zzi8ga9e7s9.website.yandexcloud[.]net

Domain

sign-opl30frwbffz79ny9noiyy7gwb17vgds44pn8n1s.website.yandexcloud[.]net

Domain

sign-qcpwv20zlwxdulkqv7f5hjwbmctwq35763za7b47opubv.website.yandexcloud[.]net

Domain

sign-ubl0azl7oxbvf02cqjla8wqff2o1acc0weqveoy7nj3qw.website.yandexcloud[.]net

Domain

sign-vjrctc1utf9cc2ippib7jrfb0ibgvkyvs58g1owhcksco.website.yandexcloud[.]net

Domain

sign-xuedk7ci6iyyllhilbui97h6ajufq8xr5eh9jt3o0qm.website.yandexcloud[.]net

Domain

sign-zclwo5qvsr9quu5c5lxvn9x9hg20zqws1u7itosvwuvyo.website.yandexcloud[.]net

 

Let's talk

Curious to know how we can help?
Get in touch
GET IN TOUCH
Share this article.

Related articles.