This blog post describes the concept of phishing and how attackers configure deceptive sites to trick users into giving up their credentials. For this blog, the target platform we'll use is Microsoft Office 365 for email. This scenario was inspired by a recent incident response engagement we performed in support of a customer. In this scenario:
1) Attackers exploited multiple small companies
2) Used those victim companies as infrastructure (Redirectors)
3) Those redirectors would redirect users to an Azure App (Fake login page) that would harvest credentials.
This entire attack chain can occur as such:
Note: 2FA isn't a be-all solution (later blog post on this), and password reuse is a thing!
Phishing is a tactic leveraged by attackers to trick users into doing something on their behalf. This includes, but is not limited to, harvesting credentials or downloading an implant into the corporate network. This deceptive tactic can be delivered to a user's email inbox, a text message, a LinkedIn message, a Facebook message, a Twitter message...you guys get the picture!
Enumeration -> Phishing Email -> Phishing Site -> Harvest Credentials
First, we must start by enumerating what an organization’s email structure looks like. For this task, I love to check hunter.io. Hunter.io is a quick way to get an idea of how organizations handle their email naming conventions (Disclaimer: Always verify with other tooling and sources).
We now know that our victim organization uses flastname@company.com. Since this is a standard naming convention, we can not only enumerate email addresses, we can also guess the addresses of some VIP users based on their LinkedIn profiles. See where I'm going with this?
As we continue our enumeration, it is likely that the organization uses either G Suite or O365 as its email provider. We can check whether a company domain uses O365 by submitting an HTTP GET request to the following page:
login.microsoftonline.com/getuserrealm.srf?login=name@company.com&xml=1
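The same unauthenticated lookup tells a defender what any outsider can learn about their own domain, so it is worth understanding what the response contains. The following is an added example, not code from the original post: it parses the XML form of a getuserrealm.srf response and summarizes it. The three sample responses are constructed; their element names (Login, NameSpaceType, DomainName, FederationBrandName, AuthURL) reflect what the endpoint returns, but the values are invented and no network request is made.

```python
"""Interpret a getuserrealm.srf (&xml=1) response to see what an
unauthenticated lookup reveals about a domain. Added example; the
sample responses are constructed, not captured from the service."""
import xml.etree.ElementTree as ET

# Constructed sample: a domain whose mail is hosted in Office 365
# (NameSpaceType "Managed" means cloud-only authentication).
SAMPLE_MANAGED = """<RealmInfo Success="true">
  <Login>jsmith@compuquip.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>compuquip.com</DomainName>
  <FederationBrandName>Compuquip</FederationBrandName>
  <CloudInstanceName>microsoftonline.com</CloudInstanceName>
</RealmInfo>"""

# Constructed sample: an O365 tenant that federates sign-in to its own
# identity provider (AuthURL is where the real login would be sent).
SAMPLE_FEDERATED = """<RealmInfo Success="true">
  <Login>user@federated.example</Login>
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>federated.example</DomainName>
  <FederationBrandName>Federated Example Inc</FederationBrandName>
  <AuthURL>https://sts.federated.example/adfs/ls/?username=user%40federated.example</AuthURL>
</RealmInfo>"""

# Constructed sample: a domain with no O365 tenant at all.
SAMPLE_UNKNOWN = """<RealmInfo Success="true">
  <Login>someone@nowhere.example</Login>
  <NameSpaceType>Unknown</NameSpaceType>
</RealmInfo>"""


def parse_realm(xml_text: str) -> dict:
    """Return the fields a defender cares about from one realm response."""
    root = ET.fromstring(xml_text)
    if root.tag != "RealmInfo" or root.get("Success") != "true":
        raise ValueError("not a successful RealmInfo response")

    def text(tag: str) -> str:
        # Missing elements (e.g. no AuthURL for a Managed domain) become "".
        return (root.findtext(tag) or "").strip()

    namespace = text("NameSpaceType")
    return {
        "login": text("Login"),
        "namespace": namespace,
        "domain": text("DomainName"),
        "brand": text("FederationBrandName"),
        "auth_url": text("AuthURL"),
        # Managed and Federated both mean the domain is an O365 tenant;
        # Unknown means Microsoft has no tenant for it.
        "uses_o365": namespace in ("Managed", "Federated"),
    }


def exposure_summary(xml_text: str) -> str:
    """One line describing what an outsider learns from the lookup."""
    info = parse_realm(xml_text)
    if not info["uses_o365"]:
        return f"{info['login']}: no O365 tenant (NameSpaceType={info['namespace']})"
    where = (f"federated to {info['auth_url']}" if info["namespace"] == "Federated"
             else "cloud-only")
    return f"{info['login']}: O365 tenant '{info['brand']}' for {info['domain']}, {where}"


if __name__ == "__main__":
    for sample in (SAMPLE_MANAGED, SAMPLE_FEDERATED, SAMPLE_UNKNOWN):
        print(exposure_summary(sample))
```

The point for defenders is that the brand name, the federation endpoint and the fact that a domain is an O365 tenant are all public, so none of them should be treated as a secret or as proof that a login page is genuine.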
Another way of enumerating which email provider they use is to send an email to the company's "info" address or subscribe to their newsletters. Simply waiting for an email from the actual organization can tell you exactly which email provider they use. How? Email-header forensics! We can leave that for another blog post as well.
Once we have email targets, we can enumerate the login page for the specific organization. Under Azure, you can configure your "Company Branding". These settings include a background picture, banner logo, username hints, and sign-in page text. Attackers can use this to closely mimic the login page of a target organization. It's just another way to make users move quickly through their login process and hand over their credentials.
As seen below, compuquip.com has "Sign-in Page Text". As an attacker, we will make sure it is part of our phishing site. It's worth noting that going to login.microsoftonline.com and entering a valid email to enumerate the login page does not generate any logging accessible to defensive teams. Whether to use these "branding" features is a business decision. On one hand, it personalizes the login experience for your users. On the other hand, it's another mechanism adversaries can use to deceive users.
Since we now have a decent idea that our target company uses O365 and what its login page looks like, we can focus on creating an enticing login page to trick users. For the purpose of this blog, we're going to target jsmith@compuquip.com.
There are numerous open-source tools to serve the phishing site. For this demo, I'll use a simple PHP page that imitates the O365 login page. This is not a realistic tactic, but it serves its purpose for this demo. The PHP script captures the password of any user who browses to the site and submits the form. Reminder: this link can be emailed to your users. Once a user browses to the phishing site, their user training (or lack thereof) will come into play!
The phishing site itself listens on port 443 (HTTPS) with a Let's Encrypt certificate. Defender note: always monitor (for example, via Certificate Transparency logs) for recently issued certificates, especially ones issued by Let's Encrypt.
The page below serves as the site users are redirected to when they click the link in a phishing email. I am using compuquipcloud.com as the malicious domain simply because it is a domain we use for testing; attackers can get creative with this. Notice that "login.microsoftonline.com" appears at the front of the hostname, even though the actual domain is compuquipcloud.com. An untrained user is going to move quickly through the login page.
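Both the defender note about watching for freshly issued certificates and the hostname trick just described come down to the same check: does a name that contains a trusted brand actually belong to a trusted domain? The following is an added example, not code from the original post, showing that check applied to two inputs a blue team actually has: Certificate Transparency entries and links extracted from a reported email. The CT entries, the email body, the trusted-host list and the brand tokens are all constructed for the example, and the registrable-domain logic is deliberately naive (last two labels) where production code should use the Public Suffix List.

```python
"""Spot lookalike hostnames in Certificate Transparency entries and in
links pulled from a suspicious email. Added example with constructed
data; the trusted-host list and brand tokens are assumptions."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Hostnames the organisation and its identity provider legitimately use
# (assumed for this example).
TRUSTED_HOSTS = {"login.microsoftonline.com", "compuquip.com"}
# Brand strings that should never appear inside a foreign hostname.
BRAND_TOKENS = ("microsoftonline", "compuquip", "office365")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' registrable domain. Production code should
    consult the Public Suffix List so that names under e.g. co.uk work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Return trusted | lookalike:prefix | lookalike:brand | unrelated."""
    host = host.lower().strip(".")
    trusted_regs = {registrable_domain(t) for t in TRUSTED_HOSTS}
    if registrable_domain(host) in trusted_regs:
        return "trusted"
    # A whole trusted hostname used as the leading labels of another
    # domain, e.g. login.microsoftonline.com.<attacker-domain>.
    if any(host.startswith(t + ".") for t in TRUSTED_HOSTS):
        return "lookalike:prefix"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike:brand"
    return "unrelated"


def classify_links(email_body: str) -> list:
    """Extract URLs from a message body and classify each hostname."""
    results = []
    for url in URL_RE.findall(email_body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


def flag_ct_entries(entries: list, now: datetime, max_age_days: int = 7) -> list:
    """Return recently issued certificates whose names look like ours."""
    cutoff = now - timedelta(days=max_age_days)
    hits = []
    for entry in entries:
        if datetime.fromisoformat(entry["not_before"]) < cutoff:
            continue  # old certificate; not part of a fresh campaign
        for name in entry["names"]:
            verdict = classify_host(name.lstrip("*."))  # handle wildcard SANs
            if verdict.startswith("lookalike"):
                hits.append({"name": name, "verdict": verdict,
                             "issuer": entry["issuer"],
                             "not_before": entry["not_before"]})
    return hits


# Constructed CT-log entries, in the shape a monitoring feed might give.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
SAMPLE_CT_ENTRIES = [
    {"issuer": "Let's Encrypt", "not_before": "2024-05-02T08:15:00+00:00",
     "names": ["login.microsoftonline.com.compuquipcloud.com"]},
    {"issuer": "Let's Encrypt", "not_before": "2024-03-01T00:00:00+00:00",
     "names": ["*.compuquipcloud.com"]},          # too old to be flagged
    {"issuer": "DigiCert", "not_before": "2024-05-01T12:00:00+00:00",
     "names": ["www.compuquip.com"]},              # our own certificate
    {"issuer": "Let's Encrypt", "not_before": "2024-05-02T20:00:00+00:00",
     "names": ["shop.unrelated.example"]},
]

# Constructed phishing email body.
SAMPLE_EMAIL = (
    "Your mailbox is almost full. Sign in to keep receiving mail:\n"
    "https://login.microsoftonline.com.compuquipcloud.com/o365/login.php\n"
    "Help: https://www.compuquip.com/support\n"
)

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(verdict, url)
    for hit in flag_ct_entries(SAMPLE_CT_ENTRIES, NOW):
        print("CT alert:", hit)
```

The classifier keys on the registrable domain rather than on what the hostname starts with, which is exactly the distinction the phishing hostname is designed to blur; the issuer is carried through in each alert so that Let's Encrypt issuances can be prioritized without being the only thing that triggers a look.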
When users enter their password and submit it to the phishing page ("Sign in"), their credentials are compromised: the email:password combination now belongs to the attackers. They can use it to log in to the victim's email account or try it against company VPNs, other login pages, etc. (password reuse).
The entire attack chain can be described by the image below:
Speak to the experts at Compuquip on how you or your organization can remain above phishing scams and other threats that may be targeting your business. Contact us Today!