Cybercriminals use Azure Front Door in phishing attacks

Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonated various services appearing to be legitimately created on the “azurefd.net” domain. This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts.

Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online-service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.

Based on the analyzed phishing templates, the attackers are likely using an automated way to generate their phishing letters, by doing so they’re able to scale their campaigns to ultimately target a broader number of customers globally.

Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June – some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, what only adds more complexity for defenders:

gridapisignout[.]azurefd[.]net
amazon-uk[.]azurefd[.]net
webmailsign[.]azurefd[.]net
onlinesigninlogin[.]azurefd[.]net
owasapisloh[.]azurefd[.]net
docuslgn-micros0ft983-0873878383[.]azurefd.net

Some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources. The scenarios acting as scripts for intercepted credentials collection were also hosted on various hacked WEB-resources, leveraging domains having similar spelling to names of existing corporations. Such domains were used to impersonate several large enterprises in the Middle East and other countries what may confirm the campaign could have been targeted and had certain motives besides financial.

In one of the phishing episodes, the threat actors impersonated the large business conglomerate Al-Futtaim Group from UAE which was founded in 1930 with over 44,000 employees. The host was created in March 2022 and was used to collect intercepted credentials leveraging spelling with just 1 letter different from the legitimate and official name of Al-Futtaim Group domain name (“alfuttairn[.]com” VS “alfuttaim[.]com”).

The identified malicious domain names and additional intelligence have been reported by Resecurity to Microsoft Security Response Center (MSRC) to minimize possible risk and damages from this activity. All of the identified malicious resources have been successfully and timely terminated.

Similar campaigns have been identified by the MalwareHunterTeam (MHT) in November 2021, when Azure Front Door Service (AFD) was used to host phishing content targeting academia and the UK Government employees.

According to experts such tactics could be leveraged by both sophisticated threat actors and APT groups, as well as cybercriminals to avoid being detected conducting phishing, business e-mail compromise (BEC), and Email Account Compromise (EAC) campaigns.

In a March 2022 report, the IC3 said it received close to 20,000 BEC complaints last year, with an estimated adjusted losses of roughly $2.4 billion. The total BEC/EAC statistics reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021 exceeds 43$ billion.

Don't miss