Security Specialists from Eye Security have observed a rather large phishing campaign using a few interesting tactics that we would like to share with you today. The campaign took place on the 25th and 26th of September 2022.
A list of IOC’s is shared on the bottom of this page.
Open Redirection: feature or bad-practise?
The emails sent out by the Threat Actor (TA) contained a basic looking phish. The emails we have observed during the campaign within our customer base contained emails about shared teams folders ‘Folder “Teams Documents” Shared by *company name*’. The email body was completely base64 encoded and contained a link behind a button.
Interestingly the TA used a chain of services that offer some form of redirection. In this case, the TA’s used two marketing services that do not check if the domain within the redirection URL is actually part of the marketing campaign.
First in the chain was a marketing campaign for one of their users. The first platform in the chain would redirect the browser to Doubleclick.net (Google Marketing Platform). Doubleclick would then forward the browser to the final URL which is hosted on yandexcloud.net.
Let’s do some digging!
All the (final) phishing domains were hosted on yandexcloud.net, but using slightly different subdomains. Each subdomain consisted of the following parts: Prefix + 45 random chars (letter/number) + .website.yandexcloud.net
Where the prefix would be any of the following cases:
- “auth-login-”
- "auth-sign"
- “login-auth”
- “login-”
- “sign-”
- "signin-"
Looking further into the different subdomains, we noticed that after each submitted username/password a call would be made towards checkips.net (weirdly, also sending the username and password towards the checkips server). This returned the clients IP and source country. Afterwards a call was made to one of 3 different logging servers sending off the username/password and information gathered from the checkips.net call (check IOC list below for the domains).
Russia?
After being phished, the attackers would try to login to the victims account using a VPS in Russia. We have only observed the logins coming from one single IPV6 address. The attackers authenticate using legacy authentication, which would force the session to take place using only username and password even if MFA was enabled on the account.
We suspect the TA is trying to “grab whatever they can, while they can” before Microsoft disables Basic Authentication by default on the 1st of October 2022.
BEC Hunting
Eye Security suggests querying EDR / NDR telemetry or Firewall logs to check if hosts resolved the domains in the IOC list. We strongly suggest querying Azure Active Directory Sign-In logs to check if any connection (attempts) were made by the malicious IPV6 address.
IOC’s:
|
Malicious IPV6 address |
2a00:1838:2a:1505:c267:afff:fe70:f4de |
|
Server used to submit username/password to |
burilink[.]xyz |
|
Server used to submit username/password to |
zahedlink[.]xyz |
|
Server used to submit username/password to |
zipardlink[.]xyz |
Observed phishing page’s:
|
Domain |
auth-login-0t1nnwrd3znvr4g598gygyey1em0jzsm782d38867qx.website.yandexcloud[.]net |
|
Domain |
auth-login-1shun1uph7exdiqi5jxipzfloj2dv0m0cel5aq03mmhqn.website.yandexcloud[.]net |
|
Domain |
auth-login-3ll3ktz0dc6pgqpiknz9wil9bhfc2b07yj7aju5ag7shi.website.yandexcloud[.]net |
|
Domain |
auth-login-79o87gxwbej5pu1m8lg6hf8jeuednx9jcl4nr4aufqujh.website.yandexcloud[.]net |
|
Domain |
auth-login-9egij6e1ojge075onlcdm01hhxpy72d589w1afdwyb789.website.yandexcloud[.]net |
|
Domain |
auth-login-dixd8l4w4umrzadx5ruhx8tgix0gml37lmtpxub09gbo7.website.yandexcloud[.]net |
|
Domain |
auth-login-g0897rtqd540nsmvlptoayrywzc2j4kn1iusbi7z.website.yandexcloud[.]net |
|
Domain |
auth-login-hczd80h2ld3lkdndf6619l0rny21oqr6m6unt8scpiv5y.website.yandexcloud[.]net |
|
Domain |
auth-login-htwwqb1zukg6gxqyyp88gq1lavdc8mno1zptenc7u8qz3.website.yandexcloud[.]net |
|
Domain |
auth-login-krml5bdji2f5gicz5rfgmetpasz492uwblasi2npcjk5r.website.yandexcloud[.]net |
|
Domain |
auth-login-q5v7bitmwxbzj3yjcgi2v1gvsakvuqrvvjjlvr798czzc.website.yandexcloud[.]net |
|
Domain |
auth-login-ty7cde5sdla6or6gj5w2mrmnr4073ff2zodtgyr1h1qum.website.yandexcloud[.]net |
|
Domain |
auth-login-v2iajd89d9deam6jm3n3ukdtyas3yp9hr6jyphmv.website.yandexcloud[.]net |
|
Domain |
auth-login-v2iajd89d9deamk5m3n3ukdjdas3yp9hr6jyphmv.website.yandexcloud[.]net |
|
Domain |
auth-login-v2og2iajd89d9deam6jm3n3ukdtyas3yp9hr6jyphmv.website.yandexcloud[.]net |
|
Domain |
auth-sign-01hj4s1r0qa4joet2ubr560nhq292n5yynhqdvfq1w158.website.yandexcloud[.]net |
|
Domain |
auth-sign-0qiv8a03gxwftx8d4944i0basoj0kan1c46n0yaqwctcp.website.yandexcloud[.]net |
|
Domain |
auth-sign-5zk6sgqoxz32dfsig8a3n5azcg7g7tyjsnewv2dv.website.yandexcloud[.]net |
|
Domain |
auth-sign-aiqoo4z1qacqodq3vv1t79dr9pasn795yzep6k2dk5kke.website.yandexcloud[.]net |
|
Domain |
auth-sign-bnwd5mcjpbaidqjz52ufim5xzcgxl0bzbgyy4dfrfewoc.website.yandexcloud[.]net |
|
Domain |
auth-sign-byhf38ambxxqi89rz20slcjbrti87fbu0fj6ijvlty845.website.yandexcloud[.]net |
|
Domain |
auth-sign-juc3c3kip0zmejagsh6ty5nwgjdi8ilucmqx76s1.website.yandexcloud[.]net |
|
Domain |
auth-sign-k23ey2nb5fdcoqf9stj1o0de2lqb38rl0iwpg52adgkrq.website.yandexcloud[.]net |
|
Domain |
auth-sign-k53hu5h42kmsj6zvavy1cnkcve2b5972erulwx04s76b1.website.yandexcloud[.]net |
|
Domain |
auth-sign-mfxx6syxr6p1zvdrmdl87zhfsmb0unhn67oxcw385eei3.website.yandexcloud[.]net |
|
Domain |
auth-sign-mvj2xf5bruvnthpdzkf9le1e9uri9fv325zzrkupn7i6n.website.yandexcloud[.]net |
|
Domain |
auth-sign-o77rhuayltoa32ou295ngkvnv3etchmvahhl3d89m3cwp.website.yandexcloud[.]net |
|
Domain |
auth-sign-pjrnbyecabna1wqfbquzudje2e39y1l443dz3d22.website.yandexcloud[.]net |
|
Domain |
auth-sign-plflhaz1dnprntnpb4p9wnnpmwm1spvoywjv8bjetmrph.website.yandexcloud[.]net |
|
Domain |
auth-sign-tyepcsrej0jpqofdhcszj11c5nh2knb2xn4krme61luss.website.yandexcloud[.]net |
|
Domain |
auth-sign-w2shd0wwd6k9h1bnrc7wgytvbvkmbtcolbymul8ezw3uu.website.yandexcloud[.]net |
|
Domain |
auth-sign-w2wuol7vxn2yr9v99ch6v8wzbsd3yp9hr6jyphmv.website.yandexcloud[.]net |
|
Domain |
auth-sign-xn9do3v4g4724mzbkesgvg0lw6gtlckd2luw7uhx.website.yandexcloud[.]net |
|
Domain |
login-38t888ibaqec9fogtpunr8gv8vrfhy8ovpzhbbjv.website.yandexcloud[.]net |
|
Domain |
login-7ux5lxpq4otbe2lhsg54tqqjfo2yzguplail7jyl.website.yandexcloud[.]net |
|
Domain |
login-auth5ecyg0xizndz4cdguk827pmadx3n255qmf051ful1ayzc.website.yandexcloud[.]net |
|
Domain |
login-auth612hqd6myquoejl190tna3vn3zshgueqe7wzqyjgk7dk8.website.yandexcloud[.]net |
|
Domain |
login-auth86ku4h0cizaixm9mwyy6m0b4xz5rq1salcny0i49s0i01.website.yandexcloud[.]net |
|
Domain |
login-authcp7f33tlno0jd95rh0l1bgd8ynkia413fflkes3gkap2o.website.yandexcloud[.]net |
|
Domain |
login-authkpvcoyl5wm0q7dx2ab9fz4qp6gj7d0ajp0ia5hxh.website.yandexcloud[.]net |
|
Domain |
login-authn30h959ip91mh3udrkx0qkl95faaabrh7v6s329lp2wf1.website.yandexcloud[.]net |
|
Domain |
login-autht4xo79pv6z4x612xh3h9s24y1yet1twebuw4xwtehixdi.website.yandexcloud[.]net |
|
Domain |
login-authy7tpd6mea4cjfq2zq4q11svmq3m6wkllbwzdvmo4tai.website.yandexcloud[.]net |
|
Domain |
login-authyz7npkufuztg6ar76u5lakos61vy60pcy2pnttjy76l3e.website.yandexcloud[.]net |
|
Domain |
login-authztdbz93edcg7teqtrmvx2gw9eu1klbadvm7uiryo.website.yandexcloud[.]net |
|
Domain |
login-b8sx7fjkw2sby32it82zuj6d6tjz0bepshxo2c6e2ohl6.website.yandexcloud[.]net |
|
Domain |
login-be4o83hc9vxvaslsvdxyuw02sp30tud4zkrlqhtlrx64n.website.yandexcloud[.]net |
|
Domain |
login-dnxy22v94mfvcrckhygbt1j0xjhvm1xmcei0adsaw0d67.website.yandexcloud[.]net |
|
Domain |
login-fdh24x798s98vwo0msnkqvm6kbag41ztjd15gb6n.website.yandexcloud[.]net |
|
Domain |
login-o7ibhb1ia4rjxg4idm0od4mhcqmjgn5e40p9870j.website.yandexcloud[.]net |
|
Domain |
login-pydv8xuzahh8rvog07lu0ztjwdg2vlz03eqg7fydmh5pn.website.yandexcloud[.]net |
|
Domain |
login-q4e1too8kcdnvk46i7mp0kx3dgdwcsrvd0bocpzd.website.yandexcloud[.]net |
|
Domain |
login-tv6j39ruh5q97xo1f3u3ul67jln1yxuk5ruxnxn5njuxz.website.yandexcloud[.]net |
|
Domain |
login-u4vbxnfnqpfwav2l9t01osrwp3oslph42xvlcr721rk.website.yandexcloud[.]net |
|
Domain |
login-xn7jzi6jyw9eeo8yho1f6x1k9c689qzzdjcfwiocyghy9.website.yandexcloud[.]net |
|
Domain |
login-zghivnbzn00fnpg5wo7oyutjtspl857snonwo843.website.yandexcloud[.]net |
|
Domain |
login-authn30h959ip91mh3udrkx0qkl95faaabrh7v6s329lp2wf1.website.yandexcloud[.]net |
|
Domain |
sigin-2rfd55xyy31lhixsbnvxo79pr538pzmxyoh4imo2txm4x2bsi8.website.yandexcloud[.]net |
|
Domain |
sign-1uwcwngkv6addzgek46wx7attvjaromcpeeuhynjt6gne.website.yandexcloud[.]net |
|
Domain |
sign-3r8nfpjkpggpkvtqt4sv5pbc4esmb0uk0r87hnjmgzpxw.website.yandexcloud[.]net |
|
Domain |
sign-3s4kpuhvpbtljys3zc9c16hu76heb8ckht906nu35pdob.website.yandexcloud[.]net |
|
Domain |
sign-4uy5juyk7im1ugmf83tcku3hv1i8m657lx80ete7ydi4x.website.yandexcloud[.]net |
|
Domain |
sign-6rpebn7cp3utj8o1x2gy4is0v2xsuxcgbicsya9uiq9e3.website.yandexcloud[.]net |
|
Domain |
sign-88uil4pl0fpucfx7pph9k69d4zt7op37s8mp6o2pufewq.website.yandexcloud[.]net |
|
Domain |
sign-9k5lxzeas65i9wl40pcnygswla0chj5kyuvzbs1j.website.yandexcloud[.]net |
|
Domain |
sign-ajo1zyl2rgiwtakzwrq2kd6uvp58qoeix6n97a85.website.yandexcloud[.]net |
|
Domain |
sign-fwntrlrmf9v2kmu06nk56344m1y6bt1ty2m2vd4yt5jvj.website.yandexcloud[.]net |
|
Domain |
sign-ltcnxoz0cpljf6oej7a5jxai9wqiycc9z6zzi8ga9e7s9.website.yandexcloud[.]net |
|
Domain |
sign-opl30frwbffz79ny9noiyy7gwb17vgds44pn8n1s.website.yandexcloud[.]net |
|
Domain |
sign-qcpwv20zlwxdulkqv7f5hjwbmctwq35763za7b47opubv.website.yandexcloud[.]net |
|
Domain |
sign-ubl0azl7oxbvf02cqjla8wqff2o1acc0weqveoy7nj3qw.website.yandexcloud[.]net |
|
Domain |
sign-vjrctc1utf9cc2ippib7jrfb0ibgvkyvs58g1owhcksco.website.yandexcloud[.]net |
|
Domain |
sign-xuedk7ci6iyyllhilbui97h6ajufq8xr5eh9jt3o0qm.website.yandexcloud[.]net |
|
Domain |
sign-zclwo5qvsr9quu5c5lxvn9x9hg20zqws1u7itosvwuvyo.website.yandexcloud[.]net |
