Azure Front Door Exploited by Cybercriminals for Phishing Attacks

By Veritis

Resecurity, Inc. (USA) has found a spike in phishing content distributed through Microsoft’s Azure Front Door (AFD), a cloud service. Azure Front Door is a modern cloud content delivery network (CDN) service that offers scalability, high performance, and a secure user experience for content and applications.

The discovered resources belong to multiple malicious campaigns that impersonated numerous services and appeared to have been legitimately built on the “azurefd.net” domain. This lets threat actors deceive users and disseminate phishing content that steals login information for business applications and email accounts.

Notably, most of the phishing kits targeted customers of DocuSign, SendGrid, and Amazon, as well as several major Japanese and Middle Eastern internet service providers and businesses.

Experts say these tactics show how cybercriminals keep refining their methods to evade detection by abusing well-known cloud services for phishing.

Based on the examined phishing templates, the attackers likely generate their phishing emails automatically, which lets them scale their campaigns to target numerous clients worldwide.

The Execution

Resecurity’s cybersecurity researchers have identified numerous domains used in the recent phishing attacks, which began at the start of June. Because of their names and their association with Azure Front Door, some of these domains are difficult for defenders to distinguish from legitimate correspondence, which adds further complexity for defenders.

gridapisignout[.]azurefd[.]net
amazon-uk[.]azurefd[.]net
webmailsign[.]azurefd[.]net
onlinesigninlogin[.]azurefd[.]net
owasapisloh[.]azurefd[.]net
docuslgn-micros0ft983-0873878383[.]azurefd[.]net

Some instances of this campaign began in March 2022 and were primarily directed at Japan and at infrastructure hosted on Kagoya VPS resources. The scripts used to collect intercepted credentials were also hosted on numerous compromised web resources.

Using domains whose names closely resemble those of real organizations, the attackers impersonated multiple companies in the Middle East and other countries. This may indicate that the effort had purposes other than financial gain.

In one of the phishing incidents, the threat actors posed as Al-Futtaim Group, a large UAE-based firm founded in 1930 with over 44,000 employees.

The host was created in March 2022 and used to collect intercepted credentials under a domain name that differs by just one letter from the official Al-Futtaim Group domain: “alfuttairn[.]com” versus “alfuttaim[.]com” (the “rn” in the fake name is easily read as the “m” in the real one).
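To show how a defender might triage names like those above, here is an added Python example (not from Resecurity or this article) that folds the confusable substitutions seen in the campaign (“rn” for “m”, “0” for “o”, “l” for “i”) and compares each DNS label against a list of protected brands; the brand list, the trusted-domain allowlist and the 0.85 similarity threshold are assumed values.

```python
import re
from difflib import SequenceMatcher

# Confusable substitutions seen in the campaign's domains (constructed list):
# "rn" for "m" (alfuttairn), "0" for "o" (micros0ft), "l" for "i" (docuslgn).
CONFUSABLES = (("rn", "m"), ("0", "o"), ("l", "i"))
# Brands to protect and domains already trusted: assumed values, not from the article.
BRANDS = ("docusign", "sendgrid", "amazon", "microsoft", "alfuttaim")
KNOWN_GOOD = {"alfuttaim.com", "microsoftonline.com"}

def normalize(text: str) -> str:
    """Fold confusable sequences so that a lookalike collapses onto the brand spelling."""
    text = text.lower()
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text

def brand_matches(label: str, threshold: float = 0.85) -> list:
    """Return (brand, token, score) for tokens of a DNS label that resemble a brand."""
    hits = []
    for token in label.split("-"):
        token = re.sub(r"\d+$", "", token)  # drop numeric suffixes such as micros0ft983
        if not token:
            continue
        for brand in BRANDS:
            score = SequenceMatcher(None, normalize(token), normalize(brand)).ratio()
            if score >= threshold:
                hits.append((brand, token, round(score, 2)))
    return hits

def assess(domain: str) -> dict:
    """Classify a domain as 'lookalike', 'review' (unvetted azurefd.net host) or 'none'."""
    domain = domain.lower().replace("[.]", ".")  # accept defanged indicators
    parts = domain.split(".")
    registrable = ".".join(parts[-2:])
    on_afd = domain.endswith(".azurefd.net")
    hits = [] if registrable in KNOWN_GOOD else brand_matches(parts[0])
    verdict = "lookalike" if hits else ("review" if on_afd else "none")
    return {"domain": domain, "on_afd": on_afd,
            "brands": sorted({h[0] for h in hits}), "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: indicators quoted in the article plus one legitimate login host.
    for d in ("docuslgn-micros0ft983-0873878383[.]azurefd[.]net", "alfuttairn[.]com",
              "amazon-uk[.]azurefd[.]net", "gridapisignout[.]azurefd[.]net",
              "login.microsoftonline.com"):
        print(assess(d))
```

Note that a name such as gridapisignout only earns a “review” verdict from the azurefd.net check, so brand similarity alone is not sufficient and unvetted CDN hosts still deserve a look.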

The Aftermath

Resecurity has shared the identified malicious domain names and related intelligence with the Microsoft Security Response Center (MSRC) to reduce the potential risk and damage from this activity, and all identified malicious resources were promptly taken down.

Alarmingly, this is not the first time AFD has been abused in this way. In November 2021, MalwareHunterTeam (MHT) discovered similar campaigns in which AFD was used to host phishing content aimed at academics and UK government officials.

According to analysts, sophisticated threat actors, APT groups, and cyber criminals could use these techniques to avoid being identified when running phishing, business email compromise (BEC), and Email Account Compromise (EAC) campaigns.

Final Thoughts

Veritis, the Stevie Awards winner, offers cutting-edge cloud computing consulting services, including data protection, security and risk management, performance optimization, and continuous monitoring.

These security measures deliver comprehensive protection against potential attacks. So, reach out to Veritis to protect your business from cyber threats with a cost-effective solution.
