Hackers have found a clever new way to steal your Microsoft 365 credentials

News
By published

Static Web Apps are the latest weapon in the scammer arsenal

how to prevent phishing attacks
(Image credit: Unsplash)

Cybercriminals have started using Static Web Apps, an Azure service, in their phishing attacks against Microsoft 365 users.

Researchers from MalwareHunterTeam noted Static Web Apps have two features that are being abused with ease - custom branding for web apps, and web hosting for static content such as HTML, CSS, JavaScript, or images.

These features have been used by threat actors to host static landing phishing pages, the researchers are now saying. These landing pages look almost identical to official Microsoft services, with the company logo, and the Single SignOn (SSO) option that harvests Office 365, Outlook, or other credentials.

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Sneaky tactics

Reporting on the findings, BleepingComputer says using Azure Static Web Apps to target  Microsoft users is an “excellent tactic”, as each landing page gets its own secure page padlock in the address bar, due to the *.1.azurestticapps.net wildcard TLS certificate.

With such a TLS certificate, even the most suspicious of victims could be tricked.

It also makes the landing pages good for targeting users on other platforms and other email providers, as these victims could also be fooled by the fake security assurance of the legitimate Microsoft TLS certificate.

Usually, when a person is suspecting a phishing attack, they’d check the URL they’re being invited to click. Using Azure Static Web Apps renders this advice useless, as many will most likely be fooled by the azurestticapps.net, and think the identity is legitimate, the publication concludes.

> What is phishing and how dangerous is it?

> LinkedIn is becoming a paradise for phishing attacks

> Phishing attacks hit more businesses than ever last year

Azure Static Web Apps Microsoft’s tool that helps developers build and deploy full stack web apps to Azure, from a code repository.

Its key features include web hosting for static content like HTML, CSS, JavaScript, and images, integrated API support provided by Azure Functions, GitHub and Azure DevOps integration, globally distributed static content, free, automatically renewed SSL certificates, custom domains to provide branded app customizations, and other. 

Microsoft is silent on the matter, for the time being. 

Via: BleepingComputer

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Fraude en ligne phishing
Phishing clicks nearly tripled in 2024 as criminals aim for smarter attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
A new Microsoft 365 phishing service has emerged, so be on your guard
Latest in Security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Data leak
Top California sperm bank suffers embarrassing leak
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Latest in News
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
Snapdragon G Series
Qualcomm poised to muscle in on AMD's territory with powerful gaming handheld processors
More about security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X

A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek

Fake DeepSeek installers are infecting your device with dangerous malware
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar

Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
See more latest
Most Popular
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
Data center server room lit with green lights
Microsoft is MIA as Amazon, Meta, Google and others join consortium to triple nuclear energy output by 2050
Thrustmaster Sol-R flight stick
Thrustmaster announces the Sol-R 1 and Sol-R 2 HOSAS flight sticks designed for space sims like Elite Dangerous
Image of AC Shadows cover art &amp; Steam Deck
It's not perfect, but Assassin's Creed Shadows' performance is impressive - it runs smoothly on the Steam Deck and Asus ROG Ally
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
The new KontrolFreek Call of Duty Performance Thumbsticks on a purple background.
Exclusive: the new KontrolFreek Call of Duty Performance Thumbsticks Speed Cola Edition might be the coolest looking yet and come with a limited in-game item
David running in the desert in House of David.
Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years