New PhishKit Targeting Office 365 Users


New PhishKit Targeting Office365 | Quttera blog

Introduction

During a recent phishing incident handled by the ThreatSign incident response team, a phishing link led to the discovery of a phishing kit. Prompt action allowed us to mitigate the threat and prevent its distribution in the wild.

Let's skip the attack background and head straight to the phish kit details:

Office 365 PhishKit

MD5: b46a0a1035e49e2e9e0218ebbd97fffe

The file is a ZIP archive containing the full directory of the phishing kit. Once the files are deployed on a web server, it displays a familiar-looking Office 365 login page:


Upon entering fictional credentials, the fake Office login page made the following requests:


We checked the file that is executed on submission to make sure we were not missing anything:


It takes the submitted credentials, sends them to an email address, and then redirects the victim to a genuine Microsoft site.

It also has a list of IP addresses that are banned from accessing an installed phish kit:


The phish kit also blocks certain IP addresses from reaching the phishing link itself, as a further evasion measure:


After the attacker is done, a simple call to a cleanup file removes all of the files used for the phishing attack:

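The behaviours described above (a submission handler that emails credentials and redirects to a real Microsoft site, hard-coded IP deny lists, and a self-cleanup file) are what a site owner should look for when triaging a suspicious archive found on a server. The script below is an added example, not Quttera's or ThreatSign's tooling: it hashes a ZIP archive, compares the MD5 against the one IoC given in this post, and scans each member in memory for those indicators. The regexes, weights and threshold are assumptions chosen to match the described behaviours, and the sample archive is constructed inline with non-functional fragments so the script runs offline.

```python
import hashlib
import io
import re
import zipfile

# The one IoC the post provides: MD5 of the kit archive.
KNOWN_KIT_MD5 = {"b46a0a1035e49e2e9e0218ebbd97fffe"}

# Indicator regexes are assumptions derived from the behaviours the post
# describes; they are not signatures from any vendor's scanner.
INDICATORS = {
    # the handler reads a posted password field
    "posted_password": re.compile(
        r"\$_(?:POST|REQUEST)\s*\[\s*['\"](?:pass(?:wd|word)?|pwd)['\"]", re.I),
    # credentials handed to mail() for exfiltration
    "mail_exfil": re.compile(r"\bmail\s*\(", re.I),
    # victim bounced to a genuine Microsoft property afterwards
    "redirect_to_microsoft": re.compile(
        r"header\s*\(\s*['\"]Location:\s*https?://[^'\"]*(?:microsoft|office|live)\.com", re.I),
    # self-cleanup: the kit deletes its own files on demand
    "self_cleanup": re.compile(r"\b(?:unlink|rmdir)\s*\(", re.I),
}
WEIGHTS = {"posted_password": 3, "mail_exfil": 2, "redirect_to_microsoft": 3,
           "ip_deny_list": 2, "self_cleanup": 2}
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KIT_THRESHOLD = 5        # assumed cut-off; tune against your own samples
MAX_MEMBER_BYTES = 1 << 20  # skip huge members so a crafted archive cannot stall triage


def is_known_kit(md5hex: str) -> bool:
    """Exact-match check against the archive hash published in the post."""
    return md5hex.lower() in KNOWN_KIT_MD5


def scan_member(name: str, text: str) -> dict:
    """Score one archive member against the behavioural indicators."""
    hits = [n for n, rx in INDICATORS.items() if rx.search(text)]
    # A hard-coded deny list: REMOTE_ADDR compared against several literal addresses.
    if "REMOTE_ADDR" in text and len(IP_LITERAL.findall(text)) >= 3:
        hits.append("ip_deny_list")
    return {"file": name, "indicators": sorted(hits),
            "score": sum(WEIGHTS[n] for n in hits)}


def scan_kit_zip(data: bytes) -> dict:
    """Hash the archive, then scan every member without extracting to disk."""
    md5 = hashlib.md5(data).hexdigest()
    files = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            result = scan_member(info.filename, text)
            if result["indicators"]:
                files.append(result)
    total = sum(f["score"] for f in files)
    known = is_known_kit(md5)
    verdict = "phishing_kit" if known or total >= KIT_THRESHOLD else "no_verdict"
    return {"md5": md5, "known_kit": known, "files": files,
            "total_score": total, "verdict": verdict}


def build_sample_archive() -> bytes:
    """Constructed fixture: fragments shaped like the behaviours in the post.
    Variables are undefined on purpose; this is test input, not a working kit."""
    members = {
        "index.html": "<form method='post' action='next.php'>Sign in</form>",
        "next.php": ("<?php\n$u = $_POST['username'];\n$p = $_POST['password'];\n"
                     "mail($recipient, $subject, $body);\n"
                     "header('Location: https://www.office.com/');\n"),
        "blocker.php": ("<?php\n"
                        "$deny = array('192.0.2.10', '198.51.100.7', '203.0.113.25');\n"
                        "if (in_array($_SERVER['REMOTE_ADDR'], $deny)) { exit; }\n"),
        "cleanup.php": "<?php\nforeach (glob('*.php') as $f) { unlink($f); }\n",
        "logo.png": "not-really-an-image",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_kit_zip(build_sample_archive()), indent=2))
```

To triage a real archive, pass `open(path, "rb").read()` to `scan_kit_zip`. The hash match only catches this exact archive; a repacked copy changes the MD5, which is why the content indicators carry the verdict for anything else. Treat the score as a reason to look closer, not as proof.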

Summary

We would like to remind everyone to be skeptical when entering credentials. Always verify the link, and if something seems suspicious, chances are you're right.

We are always quick to respond in cases like these to protect our customers and everyone else. If you need help checking or cleaning a phishing infection on your site, see our ThreatSign plans page and our experts will be happy to do the job for you.


© 2017 Quttera Ltd. All rights reserved.