Microsoft-Themed Phishing Attack Targets Executives Using Fake Google reCAPTCHA Technique

GAYATHRI ANBALAGAN
March 05, 2021 - 7 min read

ThreatLabZ, the Zscaler threat research team, recently observed a new series of Microsoft-themed phishing attacks aimed at senior-level employees at multiple organizations. The Zscaler cloud has blocked over 2,500 of these phishing attempts over the last three months. The attack is notable for targeting senior business leaders with titles such as Vice President and Managing Director, who are likely to have greater access to sensitive company data. The aim of these campaigns is to steal the victims’ login credentials, giving threat actors access to valuable company assets.

Attacks have been spread across a range of industries, with the heaviest activity in the banking and IT sectors. We are unable to attribute these attacks to any particular threat actor at this time.

In these attacks, victims receive what appear to be automated emails from their unified communications tools indicating that they have a voicemail attachment. When they click the attachment, victims encounter a fake Google reCAPTCHA screen and are then directed to what appears to be a Microsoft login screen, where the threat actors harvest their login credentials. The phishing pages are hosted on the .xyz, .club and .online generic top-level domains (TLDs).


Fig 1: The phishing hits observed in our Zscaler cloud over eleven weeks (.xyz, .club and .online)

ThreatLabZ discovered these phishing URLs in our Threat Intelligence framework, and additionally received several submissions to the ThreatLabZ URL risk analyzer tool. Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020.

In this blog, we break down the full attack cycle of the Microsoft phishing campaigns hosted using the .xyz, .club and .online generic TLDs, and include a full list of the phishing domains that were observed. We have also included a chart breaking down the number of attacks by industry and by title to shed more light on the impact of this campaign.
 

.xyz TLD phishing campaign:

In the .xyz TLD phishing attacks, threat actors send a spam email addressed from a unified communications system with an attached HTML file that is purported to be a voicemail message.

Fig 2: The spam mail with HTML file attachment.

The following figure shows the content of the HTML file with a phishing URL server[.]mvmail365office[.]xyz.


Fig 3: The source code of the attached HTML file vmail-219.HTM.

Once the victim opens the attached HTML file, it redirects the user to the .xyz phishing domain, which is disguised as a legitimate Google reCAPTCHA page in order to trick the user.


Fig 4: The fake Google reCAPTCHA page.
 


Fig 5: The source code of the fake Google reCAPTCHA page.

Once the fake Google reCAPTCHA “verifies” the user, it redirects the user to the fake Microsoft login phishing page.


Fig 6: The fake Microsoft login screen.


Fig 7: The actual content of the fake Microsoft phishing page.


After the victim submits login credentials, the phishing page shows a fake message that says “Validation successful.” The user is then shown a voicemail recording they can play, which helps the threat actors avoid raising suspicion.


Fig 8: The fake Microsoft account validation page.


Fig 9: The post-infection traffic captured in Fiddler.


Fig 10: The fake voicemail message served by the phishing campaign.


Fig 11: The overall web traffic of the Microsoft phishing campaign captured in Fiddler.


.club TLD phishing campaign:

Similar to the .xyz TLD campaign, the .club TLD phishing campaign begins with the attackers sending spam mail with an attached HTML file addressed from a unified communications system. It then follows with a fake Google reCAPTCHA, fake Microsoft login screen, and ends by showing the user a hosted .PDF file.


Fig 12: The spam mail with attached HTML file ATT34698.HTM.

The following image shows the obfuscated content of the attached HTML file.


Fig 13: The obfuscated content of the attached HTML file.


Fig 14: The de-obfuscated content of the HTML file with the phishing URL.

In this instance, the hosted phishing campaign used the domain volp[.]makersvlib[.]club with the fake Google reCAPTCHA method.


 

Fig 15: The fake Google reCAPTCHA page hosted on a .club TLD domain.


Fig 16: The fake Microsoft phishing campaign volp[.]makersvlib[.]club.

Fig 17: The hosted PDF file displayed after credential theft.

 


Fig 18: The overall web traffic of the hosted phishing campaign using a .club TLD domain.

 

.online TLD phishing campaign:

In the .online phishing campaign, the threat actors send users a PDF file that contains the phishing link secure[.]nealrose-lawofficerecords[.]online together with the instruction “REVIEW SECURE DOCUMENT.” Once the user clicks it, they are redirected to a fake Google reCAPTCHA followed by a fake Microsoft login screen; after credential theft they are redirected to a Google.com search page.
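All three campaigns hinge on an attachment (HTML in the .xyz and .club cases, PDF here) that carries a link or redirect to a freshly set up host on one of the abused gTLDs. As an added example, not code from the post or from Zscaler's tooling, the Python triage routine below pulls link and redirect targets out of attachment bytes and flags hosts on the .xyz, .club and .online TLDs. The lure contents are constructed to resemble the ones described; the post does not show the obfuscation scheme from Fig 13, so the percent-encoded hostname sample is an assumed variant.

```python
"""Triage an e-mail attachment for redirects to hosts on abused gTLDs.

Added example, not code from the Zscaler post: extracts link/redirect
targets from HTML or PDF attachment bytes and flags hosts whose TLD is
one the campaign abused (.xyz, .club, .online)."""
import re
from html import unescape
from urllib.parse import unquote, urlparse

# TLDs named in the post; extend for your own environment
SUSPICIOUS_TLDS = ("xyz", "club", "online")

# Redirect carriers: meta refresh, JS location, form action, plain href,
# and a PDF /URI link action (assumed carriers, not taken from the post)
_PATTERNS = [
    re.compile(r'<meta[^>]+url\s*=\s*["\']?([^"\'>\s]+)', re.I),
    re.compile(r'location(?:\.href)?\s*(?:=|\.replace\()\s*["\']([^"\']+)', re.I),
    re.compile(r'<form[^>]+action\s*=\s*["\']([^"\']+)', re.I),
    re.compile(r'href\s*=\s*["\']([^"\']+)', re.I),
    re.compile(r'/URI\s*\(([^)]+)\)'),
]


def extract_urls(blob: bytes) -> list[str]:
    """Return every http(s) target found in the attachment, decoded and deduplicated."""
    text = blob.decode("latin-1")  # never raises; binary noise is harmless to the regexes
    found: list[str] = []
    for pat in _PATTERNS:
        for raw in pat.findall(text):
            url = unquote(unescape(raw)).strip()  # undo &amp; and %xx encodings
            if url.lower().startswith(("http://", "https://")) and url not in found:
                found.append(url)
    return found


def suspicious_hosts(blob: bytes) -> list[str]:
    """Hosts from extract_urls() whose TLD is in SUSPICIOUS_TLDS."""
    hosts: list[str] = []
    for url in extract_urls(blob):
        host = (urlparse(url).hostname or "").lower()
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed samples modelled on the lures in the post (not the real attachments)
HTML_LURE = b'<html><body><script>window.location.href = "https://server.mvmail365office.xyz/vm/?id=219";</script></body></html>'
HTML_OBF = b'<meta http-equiv="refresh" content="0;url=https://volp.makersvlib%2Eclub/vm">'  # percent-encoded host (assumed variant)
PDF_LURE = b'<< /Type /Action /S /URI /URI (https://secure.nealrose-lawofficerecords.online/review) >>'
BENIGN = b'<html><body><a href="https://www.example.com/login">Sign in</a></body></html>'

if __name__ == "__main__":
    for name, blob in [("HTML_LURE", HTML_LURE), ("HTML_OBF", HTML_OBF), ("PDF_LURE", PDF_LURE), ("BENIGN", BENIGN)]:
        print(f"{name}: {suspicious_hosts(blob) or 'clean'}")
```

A hit on one of these TLDs from a voicemail- or document-themed attachment is a strong quarantine signal for the mail gateway; a real deployment would add domain age and reputation checks rather than rely on the TLD alone.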



Fig 19: The spam PDF file redirects to the phishing campaign secure[.]nealrose-lawofficerecords[.]online.


Fig 20: The fake Google reCAPTCHA page hosted on a .online TLD domain.


Fig 21: The fake Microsoft phishing campaign (secure[.]nealrose-lawofficerecords[.]online).


Fig 22: The final destination page (Google.com) after compromise.


Fig 23: The overall web traffic of the hosted phishing campaign using a .online TLD domain.

 

Conclusion

The Zscaler cloud blocked more than 2,500 targeted Microsoft-themed phishing attacks over the past three months that were hosted using the generic TLD (.xyz, .club, .online) domains. 

The following diagram represents the top industries targeted by this phishing campaign, based on ThreatLabZ analysis:


Fig 24: Percentage of detected phishing hits observed by industry in the Zscaler cloud.


 

Fig 25: The distribution of the targeted employee designations.

 

IOCs:

.xyz TLD phishing domains:


 

.club TLD phishing domains:


 

.online TLD phishing domains:

