On July 11, the AARNet SOC observed a suspected phishing campaign, impacting multiple customers across the sector, involving indicators and techniques associated with public reporting of NOBELIUM threat actor activity.
The SOC has responded to a phishing incident that appears to be part of an ongoing campaign to steal Office 365 credentials. The threat actors are abusing a legitimate advertising domain to redirect users to a fake Office 365 landing page.
The domain being abused has previously been seen in widespread phishing campaigns attributed to the threat actor NOBELIUM, and the activity observed by the SOC shares some similarities with that campaign.
Where users have been identified as targets of this campaign, separate notifications have been sent to them directly.
The primary indicator observed, which is used to redirect the user to a secondary domain, is:
r20[.]rs6[.]net/tn[.]jsp
The rs6[.]net domain is a legitimate advertising tracking service with an open redirect that the threat actors are abusing. A legitimate use of this service looks like:
hxxps[:]//r20[.]rs6[.]net/tn[.]jsp?f=00116otckuqahhkygw9y4n0fklcsxewakbrdk1zz-vyrplcq4qyyd5bauo691441mgsgtwzqv57pwaz1wj5ql_6lqznrtquat4wzfxzz1soaezt5bvlggqrvbem9pu9b7gl-wwmb0cacmvrf03urkov1vdklxh61gc_ebtlsv7ypskjwr4w0a6wtt-9gcowi-udwyokjoa07hwseyod5tffma==&c=twgavcpbsfqk0rsxoqphizokaia2cfg1agbnr0iwm_azf6bks7ji0q==&ch=0owdmrpqgkf8ub36siqnctqctyty6ixr4gpccbzyinrzoi1im8ftdq==
Compared to a URL confirmed as malicious (sanitised to remove identifying information):
hxxps[:]//r20[.]rs6[.]net/tn.jsp?t=3XXXXXX54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=hxxp[:]//2FXXXXX[.]bypsklo[.]com?e=XXXXXX[@]XXXX[.]edu[.]au
When used maliciously, the link redirects to a secondary domain with a seemingly randomly generated subdomain. These hosts are suspected to be compromised web servers and only respond to requests they are expecting, i.e. requests that contain valid data such as an expected email address.
The secondary domain then performs another redirect to a third domain, which (in some circumstances) serves an O365 phishing page.
This domain also requires valid data in the request, as described above.
Because the abused domain is a legitimate advertising and user-engagement tracking service, this malicious use is very difficult to detect, and the actors behind this campaign have gone to great lengths to avoid being identified.
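One way to separate the two link shapes shown above in proxy or mail-gateway logs is to parse the tn.jsp query string rather than match on the host alone: the legitimate link carries only opaque f=/c=/ch= tokens, while the abused one carries a p= parameter holding a full URL (the open-redirect target) with the recipient's email address appended as e=. The script below is an added example written for this post, not AARNet's own tooling; the sample URLs and log lines in it are constructed, the secondary-domain and email values are placeholders, and the 'registered domain' grouping is a naive last-two-labels heuristic.

```python
"""Triage of r20.rs6.net/tn.jsp links from proxy or mail-gateway logs.

Added example, not AARNet's own tooling. It encodes the distinction the
advisory draws: a legitimate tracking link carries opaque f=/c=/ch= tokens,
while the abused form carries a p= parameter holding an absolute URL (the
open-redirect target) with the victim's e-mail appended as e=.
Sample URLs and log lines below are constructed, not live indicators.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRACKER_HOST = "r20.rs6.net"
TRACKER_PATH = "/tn.jsp"
URL_RE = re.compile(r"https?://\S+")


def refang(url):
    """Undo the advisory's defanging (hxxp, [.], [:], [@]) so urllib can parse it."""
    return (url.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[.]", ".").replace("[:]", ":").replace("[@]", "@"))


def triage(url):
    """Classify one URL.

    Returns None when the URL is not an rs6.net tracking link, otherwise a
    dict with verdict 'tracking-link' (opaque tokens only) or 'open-redirect'
    (p= carries an absolute URL), plus the redirect host and any e-mail
    address passed along as e= in the embedded URL.
    """
    parts = urlsplit(refang(url))
    if parts.hostname != TRACKER_HOST or parts.path != TRACKER_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    info = {"verdict": "tracking-link", "redirect_host": None,
            "redirect_domain": None, "target_email": None,
            "params": sorted(params)}
    # parse_qs splits each pair on the first '=', so the '?e=' query of the
    # embedded URL stays attached to the p= value rather than being split off.
    p_value = params.get("p", [""])[0]
    target = urlsplit(unquote(p_value))
    if target.scheme in ("http", "https") and target.hostname:
        info["verdict"] = "open-redirect"
        info["redirect_host"] = target.hostname
        # Last two labels: enough to group random subdomains of one secondary
        # domain, but naive for multi-part TLDs such as .edu.au.
        info["redirect_domain"] = ".".join(target.hostname.split(".")[-2:])
        info["target_email"] = parse_qs(target.query).get("e", [None])[0]
    return info


def scan_log(lines):
    """Run triage over log lines; return (line_no, url, info) for open-redirect hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            info = triage(url)
            if info and info["verdict"] == "open-redirect":
                hits.append((n, url, info))
    return hits


# Constructed sample proxy log: a legitimate tracking link, an abused one
# (placeholder secondary domain and e-mail), and an unrelated request.
SAMPLE_LOG = [
    "2021-07-11T09:12:01Z 10.1.2.3 GET https://r20.rs6.net/tn.jsp?f=001aBcDeF&c=xYz==&ch=qRs== 302",
    "2021-07-11T09:13:44Z 10.1.2.9 GET https://r20.rs6.net/tn.jsp?t=3aaaaaa54ab.0.0.sqy9yutab.0"
    "&1d=preview&r=3&p=http://w8kq2z.secondary-domain.invalid?e=staff@uni.example.edu.au 302",
    "2021-07-11T09:14:10Z 10.1.2.3 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for n, url, info in scan_log(SAMPLE_LOG):
        print(f"line {n}: {info['verdict']} -> {info['redirect_host']} "
              f"(domain {info['redirect_domain']}, e-mail {info['target_email']})")
```

Grouping hits by redirect_domain gives the list of secondary domains to block or hunt on, and target_email gives the users who need the direct notification mentioned above; because the secondary hosts only answer requests carrying an expected email address, any follow-up fetch for analysis should be made with the original URL intact rather than with the e= value stripped.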
Other customers (with Mimecast) are attempting to bulk-decode these rewritten URLs to identify potentially malicious ones; we will keep you updated on this progress.
The AARNet SOC will continue to monitor any impacted users and hosts. A full list of indicators observed has been shared via our CTI (cyber threat intelligence) sharing partners.
Authors: Chris Wilson, AARNet Security Analyst, and Daniel Wilson, AARNet Security Engineer