Phishing uses Azure Static Web Pages to impersonate Microsoft


Phishing attacks exploit Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials.

Azure Static Web Apps is a Microsoft service that helps build and deploy full-stack web apps to Azure from GitHub or Azure DevOps code repositories.

It allows developers to use custom domains for branding web apps, and it provides web hosting for static content such as HTML, CSS, JavaScript, and images.

As security researcher MalwareHunterTeam discovered, threat actors have also noticed that the custom branding and web hosting features can easily be used to host static phishing landing pages.

Attackers are now actively using Microsoft’s service against its own customers, targeting users with Microsoft, Office 365, Outlook, and OneDrive accounts.

As shown below, some of the landing pages and login forms used in these phishing campaigns look almost exactly like official Microsoft pages.

[Image: Azure Static Web Apps phishing pages (BleepingComputer)]

Azure Static Web Apps adds legitimacy

Using the Azure Static Web Apps platform to target Microsoft users is an effective tactic. Each landing page automatically gets the padlock icon in the browser's address bar, because every site on the service is served under the *.1.azurestaticapps.net wildcard TLS certificate that Microsoft provisions for it.

This is likely to mislead even suspicious targets: the certificate is issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, so to a potential victim who inspects it, the phishing page looks like an official Microsoft sign-in form. In reality the certificate only proves that the TLS connection terminates at Azure; it says nothing about who published the page.

This also makes such landing pages a useful tool in targeting users from other platforms, including Rackspace, AOL, Yahoo, and other email providers, due to the false veil of security added by the legitimate Microsoft TLS certificates.

[Image: 1.azurestaticapps.net wildcard Microsoft TLS certificate]

When trying to spot a phishing attack, the standard advice is to check the URL closely before entering account information into a login form.

Unfortunately, the phishing campaigns exploiting Azure Static Web Apps weaken this advice considerably: many users will be reassured by the azurestaticapps.net subdomain and the valid Microsoft TLS certificate, and few know that Microsoft's own sign-in pages live on hostnames such as login.microsoftonline.com and login.live.com, not on customer-hosted Azure domains.
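The URL check described above still works if it distinguishes Microsoft's actual sign-in hostnames from Microsoft-owned hosting domains on which any Azure customer can publish content. The Python below is an added example, not code from the BleepingComputer article or from Microsoft: it classifies links by the host the browser will really connect to, shows why the *.1.azurestaticapps.net wildcard certificate produces a padlock on every tenant site, and flags links on customer-hosted Azure domains in a few constructed proxy log lines. The sign-in allowlist and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of hostnames Microsoft actually uses for account sign-in.
# In practice, maintain this from your own tenant's configuration.
MICROSOFT_SIGNIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
})

# Microsoft-owned suffixes under which any Azure customer can publish content.
# A padlock here proves only that TLS terminates at Azure, not who wrote the page.
CUSTOMER_HOSTED_SUFFIXES = (
    ".azurestaticapps.net",
    ".blob.core.windows.net",
)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.1.azurestaticapps.net'
    covers hostname. As browsers do, '*' matches exactly one leftmost DNS
    label, so 'a.b.1.azurestaticapps.net' is NOT covered."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # '.1.azurestaticapps.net'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def classify_url(url: str) -> str:
    """Classify a link by the host the browser will actually connect to.
    urlsplit() drops any 'user@' prefix, so a lure such as
    https://login.microsoftonline.com@<site>.1.azurestaticapps.net/ is
    classified by the Azure host, not by the decoy in the userinfo part."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in MICROSOFT_SIGNIN_HOSTS:
        return "microsoft-signin"
    if any(host.endswith(suffix) for suffix in CUSTOMER_HOSTED_SUFFIXES):
        return "customer-hosted-azure"
    return "other"


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
USER_RE = re.compile(r"\buser=(\S+)")


def flag_suspicious_links(log_lines):
    """Return (user, url) pairs for links on customer-hosted Azure domains,
    the ones worth a second look when they present a sign-in form."""
    hits = []
    for line in log_lines:
        user_match = USER_RE.search(line)
        user = user_match.group(1) if user_match else "?"
        for url in URL_RE.findall(line):
            if classify_url(url) == "customer-hosted-azure":
                hits.append((user, url))
    return hits


# Constructed proxy log lines for the demo; not real traffic.
SAMPLE_LOG_LINES = [
    '2023-01-01T10:00:01Z user=alice url="https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc" status=200',
    '2023-01-01T10:00:07Z user=bob url="https://happy-sea-0abc123.1.azurestaticapps.net/index.html" status=200',
    '2023-01-01T10:00:09Z user=carol url="https://docs.example.com/handbook" status=200',
    '2023-01-01T10:01:15Z user=dave url="https://login.microsoftonline.com@lively-hill-0def456.1.azurestaticapps.net/signin" status=200',
    '2023-01-01T10:02:00Z user=erin url="https://evilcorp-demo.blob.core.windows.net/$web/office365.html" status=200',
]

if __name__ == "__main__":
    # Why every tenant site gets a padlock: one wildcard name covers them all.
    for host in ("happy-sea-0abc123.1.azurestaticapps.net",
                 "a.b.1.azurestaticapps.net",
                 "login.microsoftonline.com"):
        print(f"{host:45} covered by *.1.azurestaticapps.net: "
              f"{wildcard_matches('*.1.azurestaticapps.net', host)}")
    for user, url in flag_suspicious_links(SAMPLE_LOG_LINES):
        print(f"REVIEW {user}: {url}")
```

Running the block prints which hostnames the wildcard certificate covers and then lists the three constructed log lines (bob, dave, erin) whose links point at customer-hosted Azure domains, including the userinfo decoy that shows login.microsoftonline.com in the URL while connecting elsewhere.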

This isn’t the first time a Microsoft service has been exploited in phishing attacks to target the company’s own customers.

Phishing campaigns also use the *.blob.core.windows.net wildcard certificate provided by Microsoft’s Azure Blob Storage to target Office 365 and Outlook users.

BleepingComputer reached out to Microsoft for comment and we’ll update the story if we hear anything.



This post, Phishing uses Azure Static Web Pages to impersonate Microsoft, was originally published at “https://www.bleepingcomputer.com/news/microsoft/phishing-uses-azure-static-web-pages-to-impersonate-microsoft/”