A new phishing campaign which impersonates help desk software to try and steal login credentials from enterprise cloud services including  Microsoft Azure, Microsoft Dynamics and IBM Cloud has been observed in the wild.

As reported by BleepingComputer, the news outlet recently analyzed phishing messages from the campaign to find that they use similar wording to real IT helpdesk services while pretending to be from a site called “servicedesk.com”.

The emails used in the campaign imitate a “quarantined mail” notification, which are sent out by security products and spam filters, and asks the recipient to “release” messages stuck in the queue. While the address listed in the email makes it appear the message comes from “noreply@servicedesk.com”, the attackers actually sent their phishing messages through “cn.trackhawk.pro” which served as an intermediary domain.

In an effort to more easily bypass email filters, the service desk domain is used in both the from and received header of the campaign’s phishing emails. This means that the attackers either compromised servicedesk.com’s mail servers or they injected the text “Received: form servicedesk.com” into the header to appear more credible.

Enterprise cloud services

The cybercriminals behind this new phishing campaign used IBM Cloud Hosting, Microsoft Azure and Microsoft Dynamics to host their landing pages in order to make them appear more legitimate. Additionally domains hosted on Azure or IBM cloud also get free SSL certificates containing these companies’ names which also helps improve the campaign’s legitimacy.

After opening one of these phishing emails, a user will see two buttons labeled “RELEASE MESSAGES” and “CLEAN-UP CLOUD”. When a user clicks on one of these buttons, it will bring them to a legitimate Microsoft Dynamics 365 URL. This URL then redirects them to an IBM Cloud domain that is used to host the phishing landing page.

If a user enters a weak password, the landing page will give them a “wrong password!!” error. However, entering a long and complex password redirects the user to another fake page confirming the settings update host on Azure’s hosting domain, windows.net. This malicious page then redirects the user to a website called “axsharma.com”.

This new phishing campaign is particularly dangerous because once a user gives up their enterprise cloud credentials, an attacker can gain access to their organization’s corporate network.

Via BleepingComputer

Advantages of overseas domestic helper.