14 July, 2022

AARNet SOC detection of phishing campaign

On July 11, the AARNet SOC observed a suspected phishing campaign, impacting multiple customers across the sector, involving indicators and techniques associated with publicly reported NOBELIUM threat actor activity.

Description

The SOC has responded to a phishing incident, which appears to be part of a current campaign to steal Office 365 credentials. The threat actors are abusing a legitimate advertising domain to redirect users to a fake Office 365 landing page.

The domain being abused has previously been seen in widespread phishing campaigns by the threat actor NOBELIUM and the activity observed by the SOC shares some similarities with this campaign.

In the instance that users have been identified as targeted by this campaign, separate notifications have been provided directly.

Behaviours Identified

The primary indicator observed which is used to redirect the user to a secondary domain is:

r20[.]rs6[.]net/tn[.]jsp

The rs6[.]net domain is a legitimate advertising tracking service that has an open redirect which the threat actors are abusing. A legitimate use of this service looks like:

hxxps[:]//r20[.]rs6[.]net/tn[.]jsp?f=00116otckuqahhkygw9y4n0fklcsxewakbrdk1zz-vyrplcq4qyyd5bauo691441mgsgtwzqv57pwaz1wj5ql_6lqznrtquat4wzfxzz1soaezt5bvlggqrvbem9pu9b7gl-wwmb0cacmvrf03urkov1vdklxh61gc_ebtlsv7ypskjwr4w0a6wtt-9gcowi-udwyokjoa07hwseyod5tffma==&c=twgavcpbsfqk0rsxoqphizokaia2cfg1agbnr0iwm_azf6bks7ji0q==&ch=0owdmrpqgkf8ub36siqnctqctyty6ixr4gpccbzyinrzoi1im8ftdq==

Compared to a URL confirmed as malicious (sanitised to remove identifying information):

hxxps[:]//r20[.]rs6[.]net/tn[.]jsp?t=3XXXXXX54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=hxxp[:]//2FXXXXX[.]bypsklo[.]com?e=XXXXXX[@]XXXX[.]edu[.]au

When used maliciously, this redirects to a secondary domain with a seemingly randomly generated subdomain. These are suspected to be compromised web hosts, and they only respond to requests they are expecting, i.e. requests that contain valid data such as an expected email address.

This secondary domain then performs another redirect to a third domain, which (in some circumstances) appears to be serving an O365 phishing page.

This secondary domain also requires valid data as described above.

Because this domain is a legitimate advertising/user engagement tracking service, this malicious abuse is very difficult to detect, and the actors behind this campaign have gone to great lengths in an attempt to ensure that it was not identified.

Other customers (with Mimecast) are attempting to bulk decode these URLs to identify the potentially malicious URLs; we will keep you updated on this progress.
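The legitimate and malicious forms above differ in their query string: the tracking form carries only f=, c= and ch= parameters, while the abused form carries a p= parameter holding the destination URL and an e= parameter holding the recipient's address. The following Python is an added example, not AARNet SOC tooling, of how a defender could triage proxy log hits on r20.rs6.net/tn.jsp in bulk: it decodes the p= redirect target and e= address for each hit, separating tracking-only hits from redirect hits, and lists the secondary hosts and users for the block list and password-reset steps below. The log lines, user names and target hostnames are constructed placeholders, and the script assumes the raw (not Mimecast-rewritten) URL is available in the log.

```python
"""Triage of r20.rs6.net/tn.jsp hits in proxy logs (added example, not AARNet SOC tooling).

Separates the tracking-only form of the URL (f=, c=, ch= parameters, as in the
legitimate sample) from the redirect form that carries a p= parameter pointing
at another host, and extracts the redirect target and any e= address so they
can be fed to watchlists or block lists.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator from the advisory: the open-redirect endpoint being abused.
INDICATOR_HOST = "r20.rs6.net"
INDICATOR_PATH = "/tn.jsp"

# Constructed sample proxy log (timestamp, user, URL). Users, addresses and
# target hostnames are placeholders, not indicators from the advisory.
SAMPLE_LOG = """\
2022-07-11T09:12:03Z alice https://r20.rs6.net/tn.jsp?f=001abcd==&c=twgavc==&ch=0owdm==
2022-07-11T09:15:44Z bob https://r20.rs6.net/tn.jsp?t=3XXXXXX54ab.0.0.sqy9yutab.0&ld=preview&r=3&p=http%3A%2F%2Fabc123.redirect-target.example%3Fe%3Dbob%40uni.example
2022-07-11T09:16:10Z carol https://www.example.org/news/article
2022-07-11T09:20:01Z dave https://r20.rs6.net/tn.jsp?t=3XXXXXX54ab.0&p=http://zz9q.other-target.example
"""


def is_indicator(url: str) -> bool:
    """True when the URL hits the abused open-redirect endpoint."""
    parts = urlsplit(url)
    return parts.hostname == INDICATOR_HOST and parts.path == INDICATOR_PATH


def decode_redirect(url: str):
    """Return (target_host, email) taken from the p= parameter, or None if absent."""
    query = parse_qs(urlsplit(url).query)
    targets = query.get("p")
    if not targets:
        return None
    # parse_qs already percent-decodes once; unquote again for double-encoded values.
    target = urlsplit(unquote(targets[0]))
    email = parse_qs(target.query).get("e", [None])[0]
    return target.hostname, email


def triage(log_text: str) -> list:
    """Classify each indicator hit as tracking-only or a suspicious redirect."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, url = line.split(maxsplit=2)
        if not is_indicator(url):
            continue
        decoded = decode_redirect(url)
        if decoded is None:
            # Only f=/c=/ch= style parameters: matches the legitimate tracking use.
            findings.append({"time": timestamp, "user": user, "verdict": "tracking-only",
                             "target_host": None, "email": None})
        else:
            host, email = decoded
            findings.append({"time": timestamp, "user": user, "verdict": "suspicious-redirect",
                             "target_host": host, "email": email})
    return findings


def redirect_hosts(findings) -> set:
    """Secondary hosts reached via the redirect, for blocking or watchlists."""
    return {f["target_host"] for f in findings if f["target_host"]}


def affected_users(findings) -> set:
    """Users who followed a redirect (candidates for password reset)."""
    return {f["user"] for f in findings if f["verdict"] == "suspicious-redirect"}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("hosts to block:", sorted(redirect_hosts(results)))
    print("users to reset:", sorted(affected_users(results)))
```

The p= parameter is the discriminator because the legitimate sample never carries one; a tracking-only hit is still worth recording, since a block on the whole r20.rs6.net host (as recommended below) will also stop legitimate newsletter links, and the split lets the SOC judge that impact before blocking.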

Microsoft Security Blog Post

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

Recommendations

  • Block the r20[.]rs6[.]net domain using network or EDR controls
  • Reset passwords of users who are suspected to have accessed the fake Office 365 landing pages
  • Scan these hosts
  • AARNet SOC will create watchlists to monitor the impacted users and hosts
  • The AARNet SOC will run additional searches for the users and hosts to hunt for additional suspicious behaviour

The AARNet SOC will continue to monitor any impacted users and hosts. A full list of indicators observed has been shared via our CTI (cyber threat intelligence) sharing partners.

Authors: Chris Wilson, AARNet Security Analyst, and Daniel Wilson, AARNet Security Engineer