A successful spear phish deconstructed

Dave Nicoll
6 min read · Oct 29, 2020

This morning, I was just finishing my first coffee of the day, when I received an automated alert from Azure…

The majority of our users are based in the UK, so the location (“NL”) piques my interest. The company has infrastructure in the Netherlands, so it could be that. But the risk level… high. Hmm…

So, I do a quick whois and nslookup on the IP address 185.62.189.217.

whois:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '185.62.188.0 - 185.62.189.255'

% Abuse contact for '185.62.188.0 - 185.62.189.255' is 'abuse@blazingfast.asia'

inetnum: 185.62.188.0 - 185.62.189.255
netname: BlazingFast
descr: BlazingFast - A.S.A.S.S.U. Lda.
abuse-c: BAL71-RIPE
org: ORG-BAL8-RIPE
country: NL
admin-c: BMA202-RIPE
tech-c: BMA202-RIPE
status: ASSIGNED PA
mnt-by: MNT-BLAZINGFAST-MO
mnt-lower: MNT-BLAZINGFAST-MO
mnt-routes: MNT-BLAZINGFAST-MO
created: 2015-01-14T22:18:56Z
last-modified: 2018-10-29T21:39:16Z
source: RIPE

organisation: ORG-BAL8-RIPE
org-name: BlazingFast - A.S.A.S.S.U. Lda.
org-type: OTHER
address: Av. de Almeida Ribeiro 99, Edifcio Nam Wah Commercial 9, MO
abuse-c: BAL71-RIPE
mnt-ref: MNT-BLAZINGFAST-MO
mnt-by: MNT-BLAZINGFAST-MO
created: 2018-10-24T12:10:19Z
last-modified: 2018-10-24T12:10:19Z
source: RIPE # Filtered

person: BlazingFast MO Admin
address: Av. de Almeida Ribeiro 99, Edifcio Nam Wah Commercial 9, MO
phone: +85352331422
nic-hdl: BMA202-RIPE
mnt-by: MNT-BLAZINGFAST-MO
created: 2018-10-24T12:03:17Z
last-modified: 2018-10-24T12:03:17Z
source: RIPE

% Information related to '185.62.189.0/24AS47674'

route: 185.62.189.0/24
origin: AS47674
mnt-by: MNT-BLAZINGFAST-MO
created: 2020-07-12T19:47:25Z
last-modified: 2020-07-12T19:47:25Z
source: RIPE

% Information related to '185.62.189.0/24AS49349'

route: 185.62.189.0/24
descr: BlazingFast - A.S.A.S.S.U. Lda.
origin: AS49349
mnt-by: BLAZINGFAST-MNT
created: 2015-10-09T16:35:05Z
last-modified: 2018-07-15T03:05:38Z
source: RIPE

nslookup:

Server:		183.60.83.19
Address: 183.60.83.19#53

Non-authoritative answer:
217.189.62.185.in-addr.arpa name = server.bossthraed.com.

Bossthraed? What’s that? blazingfast.asia? This doesn’t look normal. I check with the user whose account has potentially been compromised. They confirm they’re at home, in the UK, and haven’t been using their own VPN. Their account password is reset immediately, and although the company is still rolling out MFA to certain parts of the business, MFA is turned on for the user.

Total response time: 2 minutes 30 seconds. But this story doesn’t end here; now the investigation begins.

Findings

A quick rummage around in https://protection.office.com/unifiedauditlog, and I identify the malicious login. Thankfully we caught this pretty quickly, and other than the login, no data had been leaked.

I also find this email…

The email slipped past the usual Exchange rules and landed in a user’s inbox. And despite all the phishing simulations we’ve done this year, the user didn’t spot the warning signs (the sender isn’t Microsoft, the subject identifies it as an external message, and the link on the Review button goes somewhere gnarly). Ugh, email.

Here’s the message header:

Received: from AM0PR05MB6818.eurprd05.prod.outlook.com (2603:10a6:20b:15f::15)
 by DB7PR05MB5447.eurprd05.prod.outlook.com with HTTPS; Thu, 29 Oct 2020
 09:51:00 +0000
Received: from AM6P191CA0086.EURP191.PROD.OUTLOOK.COM (2603:10a6:209:8a::27)
 by AM0PR05MB6818.eurprd05.prod.outlook.com (2603:10a6:20b:15f::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18; Thu, 29 Oct
 2020 09:50:59 +0000
Received: from AM5EUR02FT027.eop-EUR02.prod.protection.outlook.com
 (2603:10a6:209:8a:cafe::e0) by AM6P191CA0086.outlook.office365.com
 (2603:10a6:209:8a::27) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18 via Frontend
 Transport; Thu, 29 Oct 2020 09:50:59 +0000
Authentication-Results: spf=none (sender IP is 85.215.255.134)
 smtp.mailfrom=michaelackerman.net; <!--snip!-->; dkim=pass (signature was
 verified) header.d=spachus.de;<!--snip!-->; dmarc=none action=none
 header.from=michaelackerman.net;compauth=pass reason=116
Received-SPF: None (protection.outlook.com: michaelackerman.net does not
 designate permitted sender hosts)
Received: from mo4-p05-ob.smtp.rzone.de (85.215.255.134) by
 AM5EUR02FT027.mail.protection.outlook.com (10.152.8.127) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3520.15 via Frontend Transport; Thu, 29 Oct 2020 09:50:59 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1603965059;
 s=strato-dkim-0002; d=spachus.de;
 h=Date:Subject:Reply-To:To:From:Message-Id:X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender;
 bh=EjQmVnOUzrgYpMqicenCm10Nvix1MunVEVTe0W2E9cE=;
 b=X0CFiKO/db5T80LhU4jrESmbFcf+BTmEM8EJhM2585erEhkQ24sBTFWCSG0ya9Q3/zQHgZ1idyvHwFDRHCUkyDkaOd0KfH0f38fmktgYPzE//+SXTfbN2e6NJZwnB/JNE5L43DiWdZslqrlzKLW7IpidHU6c5lslmFqzTyjS3PysPAcYPa4wtckDZh41yqrNNwk7EoGNEm1I2GbUe+RZzvxNfbc+znT+rB5kK4/jZ2osfy3IXI6/weQ384F6PJf2UF7XfRYDqpUwoDlAODR0CFAYKMbEaHgfjCBMSayJDclbIstWA4m5vRsR20HVmtin7cLra283ToMHJHw/E+eoLw==
X-RZG-AUTH: ":JWICemC7a/5U8eq5jOF46tPnXke55gwUPQqtw1ND5lFflsZSd1JOWpqtaI11bXg="
X-RZG-CLASS-ID: mo05
Received: from [10.50.0.26]
 by smtp.strato.de (RZmta 47.3.0 AUTH)
 with ESMTPSA id e04568w9T9oo16n
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
 (Client did not present a certificate)
 for <<!--snip!-->>;
 Thu, 29 Oct 2020 10:50:50 +0100 (CET)
Message-Id: <BPBRKZNF-P4EU-1270-D8Z4-3W8F7W5VMJ5N@michaelackerman.net>
From: <!--snip!--> Notification <mail@michaelackerman.net>
To: <!--snip!--> <<!--snip!-->>
Reply-To: tijana.milojevic@fiscal-solutions.com
Subject: =?utf-8?B?KyBFeHRlcm5hbCBtZXNzYWdlICsgcmljaGFyZC5qb25lcyDigJQgRGlnZXN0?=
 =?utf-8?Q?__Summary_Thursday,_October_29,_2020_?=
Date: Thu, 29 Oct 2020 10:51:03 +0100
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-Path: mail@michaelackerman.net
X-MS-Exchange-Organization-ExpirationStartTime: 29 Oct 2020 09:50:59.4623
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 f2273d9a-62cf-48ce-0f70-08d87bf023b9
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: cfec0123-a003-432e-b90d-60448e4816ce:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource:
 AM5EUR02FT027.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: f2273d9a-62cf-48ce-0f70-08d87bf023b9
X-MS-TrafficTypeDiagnostic: AM0PR05MB6818:
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Oob-TLC-OOBClassifiers: OLM:12;
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
 CIP:85.215.255.134;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mo4-p05-ob.smtp.rzone.de;PTR:mo4-p05-ob.smtp.rzone.de;CAT:NONE;SFS:(4636009)(2616005)(4743002)(36756003)(6916009)(45080400002)(298455003)(22186003)(336012)(26005)(1096003)(2160300002)(5660300002)(166002)(4744005)(19627405001)(7636003)(7596003)(33656002)(6666004)(58800400005)(356005)(40265005)(86362001)(53540200001);DIR:INB;
X-MS-Exchange-Safelinks-Url-KeyVer: 1
X-MS-Exchange-ATPSafeLinks-Stat: 0
X-MS-Exchange-ATPSafeLinks-BitVector: 1000:0x0|0x0|0x1000;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Oct 2020 09:50:59.3953
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f2273d9a-62cf-48ce-0f70-08d87bf023b9
X-MS-Exchange-CrossTenant-Id: cfec0123-a003-432e-b90d-60448e4816ce
X-MS-Exchange-CrossTenant-AuthSource:
 AM5EUR02FT027.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR05MB6818
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1066126
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3477.032
Importance: high
X-Priority: 1
X-Microsoft-Antispam-Mailbox-Delivery:
 ucf:0;jmr:0;auth:0;dest:I;ENG:(20160514016)(750128)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info: <!--snip!-->
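As an added example (my own Python, not from the original post), here is a small check that parses the Authentication-Results line from the header above and tests whether the SPF and DKIM identifiers align with the visible From: domain the way DMARC would; the header text is re-typed unfolded with the snipped parts left out, and the organisational-domain helper is a deliberate simplification rather than a public-suffix lookup.

```python
import re

# Constructed from the Authentication-Results and From: headers quoted above,
# with the folding of the original header removed and the snipped parts omitted.
SAMPLE_AUTH_RESULTS = (
    "spf=none (sender IP is 85.215.255.134) smtp.mailfrom=michaelackerman.net; "
    "dkim=pass (signature was verified) header.d=spachus.de; "
    "dmarc=none action=none header.from=michaelackerman.net; "
    "compauth=pass reason=116"
)
SAMPLE_FROM = "Notification <mail@michaelackerman.net>"


def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc, ...) to its result and property/value pairs."""
    results = {}
    for clause in value.split(";"):
        pairs = re.findall(r"([\w.]+)=([^\s;()]+)", clause)
        if not pairs:
            continue
        method, result = pairs[0]                     # e.g. ("dkim", "pass")
        results[method] = (result, dict(pairs[1:]))   # e.g. {"header.d": "spachus.de"}
    return results


def org_domain(domain):
    """Crude organisational domain (last two labels). A real check would use the
    public suffix list; this is enough for the .net/.de domains in this header."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(auth_results, from_header):
    """Report whether the SPF- and DKIM-authenticated domains align with the
    From: domain, which is what DMARC evaluates on top of the raw pass/fail."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1).lower()
    parsed = parse_auth_results(auth_results)
    spf_result, spf_props = parsed.get("spf", ("none", {}))
    dkim_result, dkim_props = parsed.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "")
    dkim_domain = dkim_props.get("header.d", "")
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_aligned),
        "dkim": (dkim_result, dkim_domain, dkim_aligned),
        # dkim=pass here is for spachus.de, not the From: domain, so nothing aligns
        "dmarc_would_pass": spf_aligned or dkim_aligned,
    }
```

The point the check makes visible is that a DKIM pass on its own says nothing about the sender: the signature here belongs to spachus.de while the message claims to be from michaelackerman.net.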

So where does that Review button go? Microsoft rewrites every URL in incoming email (Safe Links) to try to weed out the malicious ones. Without success, this time:

https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nexxt.com%2Fcommon%2Ftrack%2Ftrackgeneral.asp%3Ftcid%3D106ttid%3D2cid%3D146408910emid%3D18977%26tv1%3DUnsubscribetl2%3D3Dsdtv2%3D30200224%252B14%3A08bydal%3Dtruesid%3DEFC4BF1A-2DD6-4735-A7FC-6285ED6C4AACintsti%3D%26red%3Dhttps%3A%252F%252Flogin-microsoft.website%25E2%2580%258B.yandexcloud.net%2523bob%40bob.com&data=04%7C01%7Cbob%40bob.com%7Cf2273d9a62cf48ce0f7008d87bf023b9%7Ccfec0123a003432eb90d60448e4816ce%7C0%7C0%7C637395618603947788%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=69wfRENHcghddWvFUuCwNOCtA6YyvoYRSZqc6AGXiJE%3D&reserved=0

URL decoded:

http://www.nexxt.com/common/track/trackgeneral.asp?tcid=106ttid=2cid=146408910emid=18977&tv1=Unsubscribetl2=3Dsdtv2=30200224%2B14:08bydal=truesid=EFC4BF1A-2DD6-4735-A7FC-6285ED6C4AACintsti=&red=https:%2F%2Flogin-microsoft.website%E2%80%8B.yandexcloud.net%23bob@bob.com&data=04|01|bob@bob.com|f2273d9a62cf48ce0f7008d87bf023b9|cfec0123a003432eb90d60448e4816ce|0|0|637395618603947788|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000&sdata=69wfRENHcghddWvFUuCwNOCtA6YyvoYRSZqc6AGXiJE=&reserved=0

Hmm, where have I seen that URL format before? Gophish. www.nexxt.com redirects me to:

https://login-microsoft.website.yandexcloud.net/#bob@bob.com
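To show the whole redirect chain without visiting any of it, here is an added example (my own Python, not the author's) that unwraps the Safe Links URL above, pulls the red= destination out of the nexxt.com tracking link, and flags the zero-width space hidden in the landing hostname; the sample URL is a copy of the one above with the long data= parameter shortened.

```python
from urllib.parse import parse_qs, urlparse

# Constructed, slightly abridged copy of the Safe Links URL quoted above
# (the long data= parameter is shortened; the url= payload is unchanged).
SAMPLE_SAFELINK = (
    "https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nexxt.com"
    "%2Fcommon%2Ftrack%2Ftrackgeneral.asp%3Ftcid%3D106ttid%3D2cid%3D146408910emid"
    "%3D18977%26tv1%3DUnsubscribetl2%3D3Dsdtv2%3D30200224%252B14%3A08bydal%3Dtruesid"
    "%3DEFC4BF1A-2DD6-4735-A7FC-6285ED6C4AACintsti%3D%26red%3Dhttps%3A%252F%252Flogin-"
    "microsoft.website%25E2%2580%258B.yandexcloud.net%2523bob%40bob.com&data=04%7C01"
    "%7Cbob%40bob.com&sdata=69wfRENHcghddWvFUuCwNOCtA6YyvoYRSZqc6AGXiJE%3D&reserved=0"
)


def unwrap_safelink(url):
    """Return the URL Safe Links wrapped: the url= query parameter, decoded once."""
    return parse_qs(urlparse(url).query)["url"][0]


def redirect_target(url, param="red"):
    """Pull the destination out of an open-redirect style tracking link (its red= parameter)."""
    return parse_qs(urlparse(url).query)[param][0]


def describe_landing(url):
    """Describe the final landing URL: visible host, hidden code points in the host, fragment."""
    parts = urlparse(url)
    hidden = [f"U+{ord(c):04X}" for c in parts.netloc if not c.isprintable()]
    return {
        "host": "".join(c for c in parts.netloc if c.isprintable()),  # as the address bar shows it
        "hidden_chars": hidden,      # ["U+200B"]: a zero-width space sits inside the hostname
        "fragment": parts.fragment,  # the address the fake page reads to fetch branding
    }


def resolve_phish_chain(safelink):
    """Walk Safe Links -> tracking redirect -> landing page, purely by parsing."""
    tracking = unwrap_safelink(safelink)
    landing = redirect_target(tracking)
    return {
        "tracking_host": urlparse(tracking).hostname,  # www.nexxt.com
        "landing": landing,
        **describe_landing(landing),
    }
```

Because each hop is recovered from query parameters rather than by following redirects, the same approach is safe to run on a suspicious link during triage.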

But there’s something clever happening here. Watch what happens when I change bob@bob.com (my made-up test email address) to bob@microsoft.com…

Here’s another example:

When you’re required to authenticate with Microsoft, you enter your email address first, and the password page is branded with your company logo and background image. It’s supposed to help users distinguish their company login page from a phishing attempt.

But the fake page at login-microsoft.website.yandexcloud.net makes a call to https://qteysgg.xyz/office%20phase%20one/call.php?u=bob@microsoft.com, which provides links to the user’s company logo and background…

Data returned by qteysgg.xyz

…so the fake page at login-microsoft.website.yandexcloud.net looks just like the real login, except for the ugly URL in the address bar. Sneaky!

Any credentials entered by an unsuspecting user are slurped up by a POST to https://qteysgg.xyz/office%20phase%20one/process.php and their validity tested. I’ve not tried it with valid credentials, obviously, but that’s what our audit log indicates.

Anyway, if you made it this far, thanks for reading.
