Full Report
Disclaimer - Curated Intelligence is a private trust group and members are able to publish their research under our banner without it being attributed to them. We thank our members for their contribution.

Members of Curated Intelligence have recently tracked a new global credential harvesting campaign targeting Microsoft accounts. This latest wave of phishing attacks masquerades as 'shared document' notification emails that carry an embedded URL. If clicked, it leads to a fake Adobe Document Cloud login page built to harvest Outlook and Office 365 credentials.

Many countries were targeted in this campaign; however, the US and the UK have seen most of the targeting, followed by the Netherlands. Other targets possibly include Germany, France, Sweden, Portugal, Spain, Italy, India, Australia, Belgium, Slovenia, Poland, Chile, Norway, Romania, Canada, Turkey, Singapore, Japan, and Hong Kong.

The campaign is believed to have been delivered via a range of phishing emails whose content varied depending on the target. Some emails asked the user to visit a landing page to view an "encrypted", "scanned", or "faxed" document (see Fig. 1). These initial links commonly used Cloudflare Workers (workers[.]dev) hostnames to evade anti-phishing detection systems: the URL the mail filter inspects sits on a reputable Cloudflare-owned domain rather than on attacker-registered infrastructure.

Fig. 1 – Example of a phishing email template sent in this campaign

Throughout this campaign, Curated Intel analysts identified that part of the infrastructure was deliberately tailored to its targets; the erpnext[.]com paths in the IOC list below, for instance, are named after the targeted organisation. This suggests the threat actors researched their targets before launching phishing emails against specific organisations from a predetermined list.

The embedded URL in the phishing emails redirects users to a convincing web application, often delivered via another third-party CDN. The application was designed to trick the user into thinking they were logging in to the Adobe Document Cloud application. However, it collects and exfiltrates any login credentials entered by the user before redirecting them to the genuine 'login.microsoftonline.com' URL, so the victim ends up on the real Microsoft sign-in page and has little reason to suspect anything went wrong.

Fig. 2 – Credential-stealing Adobe Document Cloud-themed landing page

What was notable about this campaign to Curated Intelligence analysts was that it largely reused the same infrastructure for redirection links and to host landing pages. This includes "share[.]sender[.]net", "workers[.]dev", and "erpnext[.]com" hostnames. Over a six-month period, Curated Intelligence analysts observed up to 134 unique URLs. There are almost certainly many more URLs related to this campaign that were not identified by Curated Intelligence.

There was one common artefact that enabled Curated Intelligence analysts to track this wave of attacks: the Firebase site "runn1rnl8xzmqeh0kvov[.]web[.]app", which was used for data exfiltration. This Google Firebase site was present in all the fake Adobe Document Cloud landing pages. Curated Intelligence reported the main Google Firebase site, along with our research, to the UK's National Cyber Security Centre (NCSC) for enforcement action.

This campaign was traced back to at least August 2021 and has targeted organisations from a variety of industry verticals. The graphs below (see Fig. 3 and Fig. 4) show the distribution of phishing targets by industry vertical and by the country in which the organisation is based.

Fig. 3 – Phishing targets per industry vertical

Fig. 4 – Phishing targets per country

The threat actor behind the attacks must have had access to considerable resources, given the sheer breadth of the infrastructure used and the effort taken to stand it up. The group is believed to be a cybercriminal crew pursuing business email compromise (BEC) for financial gain; the size of the infrastructure nevertheless reflects considerable effort and resource.
Curated Intelligence analysts also identified that many of the organisations targeted in this campaign were small to medium upstream suppliers to critical national infrastructure (CNI). If compromised, these suppliers could be used by the threat actors as a foothold from which more significant organisations may be targeted.

Indicators of Compromise (IOCs)

Data exfiltration site:
runn1rnl8xzmqeh0kvov[.]web[.]app

Abused legitimate services:
share[.]sender[.]net
workers[.]dev
erpnext[.]com
onedrive[.]live[.]com
1drv[.]ms

Phishing URLs:

Cloudflare Workers phishing links
hxxps://adobe-cloud[.]secured-document[.]workers[.]dev/
hxxps://adobe-owas-forest-40ff[.]sofsusjolmngung[.]workers[.]dev/
hxxps://auth10-services-adobe-creativecloud[.]authcloud[.]workers[.]dev/
hxxps://autumn-waterfall-48b2[.]purchase-doc-blliblju[.]workers[.]dev/
hxxps://bitter-rice-cd6b[.]document-write-inv[.]workers[.]dev/
hxxps://bitter-shadow-cf82[.]document-protections[.]workers[.]dev/
hxxps://cloud[.]asset-documeeent[.]workers[.]dev/
hxxps://docs-dew-6406[.]retupamyte[.]workers[.]dev/
hxxps://docs-onlinsecurity-sun-6ac8[.]docsnetaseltic[.]workers[.]dev/
hxxps://docs-verify-c671[.]thajetiase[.]workers[.]dev/
hxxps://document[.]in-ouathh[.]workers[.]dev/
hxxps://document[.]validation-ogg[.]workers[.]dev/
hxxps://file[.]sheet-plugin[.]workers[.]dev/
hxxps://floral-smoke-53e7[.]document-sharedds[.]workers[.]dev/
hxxps://fragrant-rice-3226[.]document-shareds[.]workers[.]dev/
hxxps://late-heart-722a[.]docs-coanyouamp[.]workers[.]dev
hxxps://lively-star-1117[.]document-signoauth[.]workers[.]dev/
hxxps://lucky-fog-25e7[.]storage-document-inc[.]workers[.]dev/
hxxps://mdqw[.]qttzjapy2802[.]workers[.]dev/usr[.]html
hxxps://odd-field-9e1d[.]microsft-docs-foecisayant[.]workers[.]dev/
hxxps://proud-sun-4c38[.]document-protections[.]workers[.]dev/
hxxps://red-firefly-5986[.]document-beoent[.]workers[.]dev/
hxxps://secure-document-2b67[.]adobedocument[.]workers[.]dev/
hxxps://soft-morning-9a22[.]document-write-inv[.]workers[.]dev/
hxxps://soft-resonance-15e1[.]document-inv3289[.]workers[.]dev/
hxxps://still-adobe-sign-ce12[.]utkerdihed[.]workers[.]dev/
hxxps://sweet-tooth-e24f[.]files-document-coeed[.]workers[.]dev/
hxxps://wandering-butterfly-2d13[.]document-remit[.]workers[.]dev/
hxxps://yuihkjnm[.]ck9xds6orx4552[.]workers[.]dev/

Erpnext phishing links
hxxp://hayburysearch[.]erpnext[.]com/haybury
hxxps://3dlacrosse[.]erpnext[.]com/3d-lacrosse
hxxps://aainsla[.]erpnext[.]com/american-access-casualty-company
hxxps://advivo[.]erpnext[.]com/advivo
hxxps://afm-org[.]erpnext[.]com/the-american-federation-of-musicians
hxxps://air-equipments[.]erpnext[.]com/air-equipment
hxxps://amcham[.]erpnext[.]com/american-chamber
hxxps://amsysnl[.]erpnext[.]com/amsys
hxxps://apollotheater[.]erpnext[.]com/apollo-theater
hxxps://avesqos[.]erpnext[.]com/avesqo
hxxps://aviapartners[.]erpnext[.]com/aviapartner
hxxps://balguard[.]erpnext[.]com/balguard-engineering-ltd
hxxps://barcoenergy[.]erpnext[.]com/barco-energy
hxxps://bebat-be[.]erpnext[.]com/bebat
hxxps://beyondkey[.]erpnext[.]com/beyondkey-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25&
hxxps://bishopcleancare[.]erpnext[.]com/bishop-clean-care
hxxps://bmspc[.]erpnext[.]com/bristol-metal-spraying-and-protective-coatings-ltd
hxxps://brockskes-nl[.]erpnext[.]com/brockskes
hxxps://brownsterlings[.]erpnext[.]com/brown-&-sterling
hxxps://cfao-fr[.]erpnext[.]com/the-cfao-group
hxxps://cmgt-org[.]erpnext[.]com/community-management
hxxps://crd-rr[.]erpnext[.]com/crd-rr-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25
hxxps://crsteel[.]erpnext[.]com/capital-reinforcing
hxxps://ctl-inc[.]erpnext[.]com/cory-tucker-&-larrowe
hxxps://divalco[.]erpnext[.]com/divalco
hxxps://etcppt[.]erpnext[.]com/etcp
hxxps://eutect-de[.]erpnext[.]com/eutect-gmbh
hxxps://fabricationsolutions[.]erpnext[.]com/fabrication-solutions-inc
hxxps://famsbrands[.]erpnext[.]com/fam-brands
hxxps://fancypakbrand[.]erpnext[.]com/fancy-pak-brand-inc
hxxps://fpeseals[.]erpnext[.]com/fpe-seals
hxxps://ghchospice[.]erpnext[.]com/ghc-hospice
hxxps://heclanl[.]erpnext[.]com/hecl
hxxps://hplegal[.]erpnext[.]com/hammond-partnership
hxxps://ies-uk[.]erpnext[.]com/ies
hxxps://intermat[.]erpnext[.]com/intermat
hxxps://invertedmusic[.]erpnext[.]com/
hxxps://invertedmusic[.]erpnext[.]com/inverted-music
hxxps://iskramehanizmi-si[.]erpnext[.]com/iskra-mehanizmi
hxxps://jacot-nl[.]erpnext[.]com/jacot-audiovisueel
hxxps://jobasi-sa[.]erpnext[.]com/jobasi
hxxps://jsmltd-jp[.]erpnext[.]com/jsm-ltd?mc_phishing_protection_id=28048-c6nembf0s0v96ql4hen0
hxxps://jtdinc[.]erpnext[.]com/tisdel-distributing
hxxps://kis-no[.]erpnext[.]com/kis
hxxps://laborlawdenver[.]erpnext[.]com/labor-law-denver
hxxps://leva-eu[.]erpnext[.]com/leva-eu
hxxps://linacservices[.]erpnext[.]com/linac-services-limited
hxxps://local802afm[.]erpnext[.]com/local-802
hxxps://lrorg[.]erpnext[.]com/lloyd%27s-register
hxxps://lubinandenoch[.]erpnext[.]com/lubin-&-enoch
hxxps://madaluxes[.]erpnext[.]com/madaluxe-group
hxxps://migizigroup[.]erpnext[.]com/migizi-group
hxxps://mvpantarhei[.]erpnext[.]com/mv-panta-rhei
hxxps://neelevat[.]erpnext[.]com/-neele-vat-logistics
hxxps://netchange[.]erpnext[.]com/netchange
hxxps://nordtexts[.]erpnext[.]com/nordtext
hxxps://nptwf[.]erpnext[.]com/nexperia-newport
hxxps://nycallliance[.]erpnext[.]com/nyc-alliance
hxxps://oceanwidecrew[.]erpnext[.]com/oceanwide
hxxps://ohi-pt[.]erpnext[.]com/omni-helicopter-internationa
hxxps://petrotechinc[.]erpnext[.]com/petrotech
hxxps://phantomchef[.]erpnext[.]com/phantom-chef
hxxps://polytec[.]erpnext[.]com/polytec
hxxps://powerling[.]erpnext[.]com/powerling
hxxps://rieder-verdonck[.]erpnext[.]com/rieder-&-verdonck
hxxps://rtff-ie[.]erpnext[.]com/rtff-business-services-ltd
hxxps://sadiv[.]erpnext[.]com/sadiv
hxxps://safs-uk[.]erpnext[.]com/safs-ltd
hxxps://savageengineering[.]erpnext[.]com/savageengineeringservices-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25
hxxps://sb-international[.]erpnext[.]com/s-b-international
hxxps://sfp-uk[.]erpnext[.]com/sfp-uk-limited
hxxps://slblarkhall[.]erpnext[.]com/ferwedafgartwgvdfvwgt4ghrwgrwethnrttryhytee
hxxps://smc-pl[.]erpnext[.]com/smc-industrial-automation-polska
hxxps://snovalley[.]erpnext[.]com/snovalley
hxxps://speedlinks[.]erpnext[.]com/speedlink
hxxps://telade[.]erpnext[.]com/telade
hxxps://thoms-aviation[.]erpnext[.]com/thoms-aviation
hxxps://tnmarine-nl[.]erpnext[.]com/true-north-marine-b[.]v
hxxps://trescon[.]erpnext[.]com/3con
hxxps://trinityavl[.]erpnext[.]com/trinity-avl
hxxps://xmaxerox[.]erpnext[.]com/xma-technological-solutions

MS OneDrive phishing links
hxxps://1drv[.]ms:443/o/s!BFXzhgvUz7FEkw6-FODuiMdZoIQ4?e=iYFni00oxk2hGp3PE_Znsw&at=9
hxxps://onedrive[.]live[.]com/redir?resid=EB60680693E79E45!324&authkey=!AN0n1unp39Prpvk&ithint=file%2cpdf&e=TvQQee

Share Sender phishing links
hxxps://share[.]sender[.]net/campaigns/2G8r/files
hxxps://share[.]sender[.]net/campaigns/2H1f/files
hxxps://share[.]sender[.]net/campaigns/2PDU/filess
hxxps://share[.]sender[.]net/campaigns/2PXQ/messages
hxxps://share[.]sender[.]net/campaigns/2QWO/documentsss
hxxps://share[.]sender[.]net/campaigns/2QZw/emailssss
hxxps://share[.]sender[.]net/campaigns/2R1o/broadleafgame
hxxps://share[.]sender[.]net/campaigns/2RUB/handlesafe
hxxps://share[.]sender[.]net/campaigns/2TCl/messagazss
hxxps://share[.]sender[.]net/campaigns/2wqv/docs
hxxps://share[.]sender[.]net/campaigns/2yjh/fhjdh
hxxps://share[.]sender[.]net/campaigns/2yJP/files
hxxps://share[.]sender[.]net/campaigns/2yll/filex
hxxps://share[.]sender[.]net/campaigns/2yn5/docs
hxxps://share[.]sender[.]net/campaigns/2ynC/files
hxxps://share[.]sender[.]net/campaigns/3aeY/docsx
hxxps://share[.]sender[.]net/campaigns/3ahf/filesx
hxxps://share[.]sender[.]net/campaigns/3b3z/propos
hxxps://share[.]sender[.]net/campaigns/3eX7/shaffnerheaney
hxxps://share[.]sender[.]net/campaigns/3f5N/keelsavocats
hxxps://share[.]sender[.]net/campaigns/3fDw/audixia
hxxps://share[.]sender[.]net/campaigns/3fl2/proposedme
Analysis Summary
# Tool/Technique: Microsoft Account Credential Harvesting Campaign (Adobe Themed Phishing)
## Overview
This entry summarizes a global credential harvesting campaign primarily targeting Microsoft accounts (Outlook and Office 365). The campaign relies on sophisticated phishing emails masquerading as 'shared document' notifications. These emails contain embedded URLs that redirect users to convincing fake Adobe Document Cloud login pages designed to steal credentials before forwarding the user to the legitimate Microsoft login portal.
## Technical Details
- Type: Phishing Campaign / Credential Harvesting Toolset
- Platform: Web (Targets Microsoft account credentials)
- Capabilities: Email delivery, redirection using CDNs, spoofed Adobe Document Cloud landing pages for credential collection, data exfiltration via Google Firebase.
- First Seen: Traced back to at least August 2021.
## MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link (document-notification lure carrying an embedded URL; no attachment was observed)
- T1598.003 - Phishing for Information: Spearphishing Link (the link exists to capture credentials, not to deliver malware)
- T1583.006 - Acquire Infrastructure: Web Services (Cloudflare Workers, `erpnext[.]com`, `share[.]sender[.]net`, OneDrive share links and Google Firebase)
- T1608.005 - Stage Capabilities: Link Target (fake Adobe Document Cloud login pages)
- T1567 - Exfiltration Over Web Service (harvested credentials sent to the Firebase site)
- T1078 - Valid Accounts (likely follow-on use of the harvested credentials for BEC; inferred from the assessed motive, not observed in the report)
## Functionality
### Core Capabilities
- **Delivery:** Distributing phishing emails with lures involving "shared document," "encrypted," "scanned," or "faxed" documents.
- **Initial Redirection Evasion:** Hosting the first-hop redirect links on Cloudflare Workers (`workers[.]dev`) subdomains, so the URL a mail filter inspects sits on a reputable, Cloudflare-owned domain.
- **Credential Theft:** Hosting convincing landing pages themed as Adobe Document Cloud, configured to capture user inputs (credentials).
- **Post-Theft Redirection:** Transparently redirecting victims to the legitimate `login.microsoftonline.com` URL to minimize suspicion.
### Advanced Features
- **Infrastructure Reuse:** Deliberately reusing the same infrastructure (hostnames under `share[.]sender[.]net`, `workers[.]dev`, and `erpnext[.]com`) across different malicious links, which gives defenders a common tracking artifact.
- **Targeted Infrastructure:** Infrastructure was tailored to specific targets, suggesting pre-campaign research was conducted.
- **Data Exfiltration:** Consistent use of a specific Google Firebase site (`runn1rnl8xzmqeh0kvov[.]web[.]app`) across all fake landing pages for data exfiltration.
- **Target Selection:** Focus on small to medium upstream suppliers to Critical National Infrastructure (CNI), potentially as staging grounds for larger attacks.
## Indicators of Compromise
- File Hashes: Not explicitly provided for malware, as this is primarily an infrastructure/phishing operation.
- File Names: N/A (Lures mimic document links).
- Registry Keys: Not applicable.
- Network Indicators:
- Data Exfiltration Site: `runn1rnl8xzmqeh0kvov[.]web[.]app` (Reported for enforcement)
- Abused Legitimate Services: `share[.]sender[.]net`, `onedrive[.]live[.]com`, `1drv[.]ms`
- Initial Redirection Hosts: `workers[.]dev` subdomains (e.g., `adobe-cloud[.]secured-document[.]workers[.]dev`)
- Hosted Landing Pages: Numerous subdomains on `erpnext[.]com` (e.g., `safs-uk[.]erpnext[.]com`, `sb-international[.]erpnext[.]com`)
- Behavioral Indicators: User interaction with links leading to a credential prompt disguised as Adobe Document Cloud login, followed by redirection to Microsoft login.
## Associated Threat Actors
- Believed to be a cybercriminal group focused on Business Email Compromise (BEC) for financial gain, utilizing considerable resources.
## Detection Methods
- Signature-based detection: Match the listed IOCs (refanged) against email bodies, proxy/DNS logs and captured page source. The Firebase hostname is the highest-value indicator because it appeared in every landing page observed.
- Behavioral detection: A client that visits a `workers[.]dev`, `erpnext[.]com` or `share[.]sender[.]net` link and reaches `login.microsoftonline.com` shortly afterwards matches the capture-then-redirect flow; an intervening request to an unfamiliar `web[.]app` host makes credential submission very likely.
- YARA rules: None are published in the report. A rule over captured landing-page HTML/JavaScript that matches the Firebase hostname would have covered every landing page observed.
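The following is an added example, not code from the report or from Curated Intelligence, showing the two detection approaches above as runnable logic: it refangs the report's IOCs, classifies URLs by severity, and runs a capture-then-redirect sequence check over proxy logs. The log format, the sample log lines and the 5-minute window are constructed assumptions; the detector also assumes destination hostnames are visible (proxy or SNI logging).

```python
"""Detection helpers for the Adobe-themed credential phishing campaign.

Assumptions (not from the report): proxy/SNI logs expose destination
hostnames, the log format below is a constructed example, and the 5-minute
window is an arbitrary starting value for tuning.
"""
import re
from datetime import datetime, timedelta

# IOCs copied from the report, still in its defanged notation.
DEFANGED_IOCS = [
    "runn1rnl8xzmqeh0kvov[.]web[.]app",
    "hxxps://adobe-cloud[.]secured-document[.]workers[.]dev/",
    "hxxps://telade[.]erpnext[.]com/telade",
    "hxxps://share[.]sender[.]net/campaigns/2G8r/files",
    "hxxps://1drv[.]ms:443/o/s!BFXzhgvUz7FEkw6-FODuiMdZoIQ4?e=iYFni00oxk2hGp3PE_Znsw&at=9",
]

# Legitimate services the campaign abused. A hit here is a lead, not proof:
# plenty of genuine traffic goes to these services too.
ABUSED_HOSTS = {"share.sender.net", "onedrive.live.com", "1drv.ms"}
ABUSED_SUFFIXES = (".workers.dev", ".erpnext.com")
EXFIL_HOST = "runn1rnl8xzmqeh0kvov.web.app"
MS_LOGIN_HOST = "login.microsoftonline.com"


def refang(ioc: str) -> str:
    """Turn the report's defanged notation ('hxxps', '[.]') back into a real URL/host."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL (a bare host is returned unchanged)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return (m.group(1) if m else url).lower()


IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}


def classify_url(url: str) -> str:
    """Rank a URL: exact exfil host > known IOC host > abused service > benign."""
    host = host_of(url)
    if host == EXFIL_HOST:
        return "exfil"
    if host in IOC_HOSTS:
        return "known-ioc"
    if host in ABUSED_HOSTS or host.endswith(ABUSED_SUFFIXES):
        return "abused-service"
    return "benign"


# Constructed proxy log lines: "<ISO timestamp> <client IP> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2022-03-01T09:58:10Z 10.0.0.5 GET https://share.sender.net/campaigns/2G8r/files",
    "2022-03-01T09:58:12Z 10.0.0.5 GET https://adobe-cloud.secured-document.workers.dev/",
    "2022-03-01T09:58:40Z 10.0.0.5 POST https://runn1rnl8xzmqeh0kvov.web.app/",
    "2022-03-01T09:58:41Z 10.0.0.5 GET https://login.microsoftonline.com/",
    "2022-03-01T10:15:00Z 10.0.0.9 GET https://login.microsoftonline.com/",
    "2022-03-01T10:20:00Z 10.0.0.7 GET https://telade.erpnext.com/telade",
    "2022-03-01T10:40:00Z 10.0.0.7 GET https://login.microsoftonline.com/",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(lines):
    """Parse log lines into (timestamp, client, method, url) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def detect_sequences(lines, window_minutes=5):
    """Flag clients that touched campaign infrastructure and then reached the real
    Microsoft sign-in page within the window; an exfil-host contact in between means
    credentials were almost certainly submitted, so severity is raised to high."""
    window = timedelta(minutes=window_minutes)
    by_client = {}
    for ts, client, method, url in parse_log(lines):
        by_client.setdefault(client, []).append((ts, method, url))
    alerts = []
    for client, events in by_client.items():
        for i, (ts, _method, url) in enumerate(events):
            if host_of(url) != MS_LOGIN_HOST:
                continue
            recent = [e for e in events[:i] if ts - e[0] <= window]
            lures = [e for e in recent if classify_url(e[2]) in ("known-ioc", "abused-service")]
            exfil = [e for e in recent if classify_url(e[2]) == "exfil"]
            if lures:
                alerts.append({
                    "client": client,
                    "severity": "high" if exfil else "medium",
                    "first_lure": lures[0][2],
                    "login_at": ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_sequences(SAMPLE_PROXY_LOG):
        print(alert)
```

On the sample log, client 10.0.0.5 produces one high-severity alert (lure, exfil POST, then Microsoft login within a minute), 10.0.0.9 produces nothing because it only visited the real sign-in page, and 10.0.0.7 is dropped because its landing-page visit falls outside the 5-minute window; widening the window surfaces it at medium severity. The `abused-service` tier will fire on legitimate Workers and ERPNext traffic, so use it as a correlation input rather than a standalone alert.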
## Mitigation Strategies
- **User Training:** Implement robust training emphasizing awareness of credential harvesting attempts, especially those leveraging trusted brand names (Adobe, Microsoft) via document sharing notifications.
- **Email Filtering:** Configure email filters to scrutinize links that point at `workers[.]dev` subdomains, at `erpnext[.]com` tenant sites or `share[.]sender[.]net` campaigns the organisation has no relationship with, and at OneDrive share links from external senders; the hop through a reputable service is the evasion, so reputation alone will not catch these.
- **MFA Enforcement:** Mandate Multi-Factor Authentication (MFA) for all Microsoft accounts (Outlook/Office 365). The landing page observed here posts the entered credentials to Firebase and then redirects, rather than proxying the real sign-in, so MFA blocks reuse of the stolen password; prefer phishing-resistant methods (FIDO2 security keys or Windows Hello for Business), since adversary-in-the-middle kits can relay one-time codes.
- **Network Monitoring:** Block or flag traffic destined for the identified Firebase exfiltration endpoint, and search historic proxy/DNS logs for it; any past POST to it should be treated as a confirmed credential compromise (reset the password and revoke the user's sessions and refresh tokens).
## Related Tools/Techniques
- Use of Cloudflare Workers for initial link distribution relates to common evasive tactics seen in modern phishing kits.
- The technique of credential harvesting followed by redirection to the legitimate site is a hallmark of contemporary phishing frameworks designed for high conversion rates.