New Phishing Campaign Targets Microsoft 365 Credentials


The new phishing campaign is aimed at American organizations in the military and defense sector, in security software, and in production supply chains, healthcare and pharmaceuticals. The attackers are targeting Microsoft Office 365 and Outlook corporate credentials.

According to researchers from Zscaler, the new phishing campaign uses tactics and methods similar to those of another campaign discovered in mid-2020.

The attackers use mail services in Japan to send their messages and spoof the sender’s address, pretending to be employees of the victim company.

Headers of scam emails

The emails contain an HTML attachment whose name includes a musical note symbol, disguising the file as an audio message. In fact, the file contains obfuscated JavaScript code that redirects the victim to a phishing site.

The message used in the phishing campaign
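The attachment pattern described above (an HTML file whose name carries a musical note symbol) can be checked on inbound mail. The following Python code is an added example, not code from the researchers or from the original article; the set of note symbols, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import policy
from email.message import EmailMessage

# Assumption: the article does not say which note symbol was used, so common ones are listed.
MUSIC_NOTES = set("\u2669\u266a\u266b\u266c\U0001f3b5\U0001f3b6")
HTML_EXT = re.compile(r"\.(html?|xhtml|shtml)$", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def scan(msg):
    """Return one finding per HTML attachment whose filename contains a note symbol."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # RFC 2231 encoded names are decoded by policy.default
        if not name:
            continue
        is_html = part.get_content_type() == "text/html" or bool(HTML_EXT.search(name))
        has_note = any(ch in MUSIC_NOTES for ch in name)
        if not (is_html and has_note):
            continue
        # Decode the transfer encoding, then look for embedded script in the "audio" file.
        raw = part.get_payload(decode=True) or b""
        body = raw.decode("utf-8", errors="replace")
        findings.append({"filename": name, "has_script": bool(SCRIPT_TAG.search(body))})
    return findings

def build_sample(filename, html):
    """Build a constructed test message; every value here is made up for this example."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "it-support@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "New voice message"
    msg.set_content("You have a new voice message.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg

if __name__ == "__main__":
    lure = build_sample("\u266b VoiceMessage.htm",
                        '<html><script>location.href="https://example.invalid/"</script></html>')
    for finding in scan(lure):
        print("suspicious attachment:", finding)
```

Real messages can be loaded with `email.message_from_bytes(raw, policy=policy.default)` and passed to `scan` unchanged.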

The URL format is designed to give the impression that the site is an official subdomain of the company.

The process of generating a domain name

Before reaching the site, the victim has to pass a CAPTCHA check, which actually serves to bypass anti-phishing systems. As soon as users pass this stage, they are redirected to the actual phishing page, which steals Microsoft Office 365 accounts.

The final phishing page

However, attentive users may notice that the domain of the login page does not belong to Microsoft.

That is why, before entering a username and password, users should always check the site they are on, so as not to send data to intruders.