Azure Blob Storage phishing attack impersonates Microsoft

Although phishing attacks can often be quite believable, some more tech-savvy users recognise something isn’t right when they see that the login form is unsecured or the SSL certificate doesn’t match the company being impersonated.
However, there is a new phishing attack that stores its phishing form on Azure Blob Storage, so that it is secured by a Microsoft SSL certificate, giving it an air of legitimacy in the eyes of its victims. The phishing attack is an Office 365 based attack.
Azure Blob Storage is a service that allows for storing large amounts of unstructured object data, such as text or binary data. This data can then be accessed anywhere in the world using HTTP or HTTPS. When the user connects via HTTPS, a Microsoft SSL certificate is displayed, making it difficult for even competent users to tell it’s a phishing attack.
Cloud security provider Netskope recently discovered this method being used. The attackers have been sending victims emails with a PDF attachment that pretends to be from a law firm in Denver. The attachments are innocently named “Scanned document. Please review” and contain a button to download the PDF. When the target clicks on the button they are brought to an HTML page masquerading as an Office 365 login form. The URL may make some savvy users suspicious, but the SSL certificate may be enough to convince them that this is a secured and legitimate Microsoft site.
Once you click on the “Download PDF” button, you are presented with a message that the document is trying to connect to Azure Blob Storage.
To protect against this type of attack, Netskope advises that companies properly educate their users to recognise non-standard URL addresses. If users can easily recognise the legitimate address and are suspicious of any change in the web address, they are less likely to fall victim to this type of phishing scam.
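The same URL check can be automated at a mail gateway or web proxy. The Python below is an added example, not code from Netskope or the original article: it classifies links by parsed hostname and flags HTML pages served from an Azure Blob Storage endpoint (`<account>.blob.core.windows.net`). The allow-list of sign-in hosts, the category names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts on which users legitimately enter Microsoft credentials.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Azure Blob Storage endpoints have the form <account>.blob.core.windows.net.
BLOB_SUFFIX = ".blob.core.windows.net"
HTML_EXTENSIONS = (".html", ".htm")


def classify_link(url: str) -> str:
    """Classify one URL by its parsed hostname, never by substring match."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login"
    if host.endswith(BLOB_SUFFIX):
        # The certificate is Microsoft's, but the content belongs to whoever
        # owns the storage account. A rendered HTML page here is not a
        # Microsoft sign-in page, whatever it looks like.
        if parts.path.lower().endswith(HTML_EXTENSIONS):
            return "blob-hosted-html"
        return "blob-object"
    return "other"


def flag_links(urls):
    """Return the URLs that should be held for review."""
    return [u for u in urls if classify_link(u) == "blob-hosted-html"]


# Constructed sample links, e.g. extracted from PDF attachments at a gateway.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://exampleaccount.blob.core.windows.net/docs/login.html",
    "https://exampleaccount.blob.core.windows.net/files/report.pdf",
    "https://intranet.example.com/index.html",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):18} {link}")
```

A valid certificate plays no part in the decision; only the hostname and the type of object being served do.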