Microsoft Azure is one of the leading cloud services used by developers and organizations worldwide. With an easy subscription model, Azure is convenient and popular among its users. However, Azure has also become popular among cyber attackers, who use it to run phishing scams that target protected data.
Azure phishing is a comparatively new technique used to cause losses to victims by exposing their credentials and posing a threat to the confidentiality, integrity, and availability of sensitive information.
Microsoft Azure And Its Services
The Microsoft Azure platform offers its users a range of services such as cloud computing, data analytics, and networking that enable developers to build or run applications. With the variety of services that Azure offers, its usage varies. Creating computing resources, building cloud applications for mobile devices, deploying web applications, cloud storage, and big data analytics are some of the common uses of Azure. Computing resources created with the help of Azure allow the developer to host infrastructure components such as third-party applications, Windows Server services, and domain name system servers.
It offers an easy payment method where you pay only for the services you use. Such payment options make it easy for big corporations and developers to utilize Azure services and make the most out of them. However, this setup also makes it easy for malicious actors to exploit these services and use them to create fraudulent domain servers that target sensitive data.
Azure As Used By Threat Actors
Threat actors have found loopholes in Azure’s services that they exploit for their own benefit. The first attacks were recorded in September 2018, and the attack patterns have evolved since then. In 2018, cybersecurity organizations found that attackers used Azure Blob storage to host credential-stealing forms. The attackers emailed these forms to victims, disguised as official Microsoft forms that asked for credentials.
When the victim clicked on the form, they would be redirected to a server domain, such as https://onedriveunbound4455.blob.core.windows.net. An apparent Microsoft-issued SSL certificate would also secure this domain. Thus, even if the victims were suspicious and checked the link, it would appear to them as certified by Microsoft. If the victim entered their credentials on the form, their data would be exposed or stolen by the attacker.
Two Types of Attacks
Some differences in attack methods have been observed in the recent Azure phishing attacks. There have been two main patterns: the attacker sends the potential victim either a warning email or an email with an attachment.
- Warning message: In this first type, the warning email alerts the victim that they have received “suspicious emails” and provides a link to view those emails. Once the victim clicks on the link, it redirects them to a domain that looks exactly like a Microsoft one and has a Microsoft SSL certificate but is controlled by the attacker.
The page will ask the victim to enter their credentials for verification to allow them to view the suspicious emails. When the victim provides the requested credentials on the page, the domain server will save their information, and the attacker will get direct access to it.
- Attachment: In this attack, the target receives an attachment through email, and the extension is designed to direct the victim to a dummy Microsoft domain controlled by the attacker. The victim is then instructed to enter their credentials to view the attachment. The domain managed by the attacker saves the information entered by the victim. The attacker then uses this information to access the user’s database and information systems.
Microsoft’s Take On The Azure Attack
Updating its database on emerging threats has been a priority for Microsoft. Furthermore, it is working to deactivate the domains controlled by the attackers. As part of its mission, the organization seeks to raise awareness about such attacks and the kinds of damage they can cause. Microsoft also suggests ways to neutralize such attacks and report them on its documentation page. It prevented over 13 million cyber-attacks in 2019 alone, and it continues to work in the direction of its users’ protection.
Although Microsoft Azure phishing attacks seem complex and challenging to identify, a few methods let you recognize the fake domains not owned by Microsoft and protect yourself from further damage. However, you can still fall victim to attacks that are cleverly designed. Hence, you should learn how to protect yourself from such attacks using the following precautions.
- Check the domain link: Official Microsoft domain links are fundamentally different from those hosted by Azure. Since Azure is a Microsoft service, the phishing link might display azure.net or microsoft.com. However, the official link will be “https://outlook.live.com”, while the Azure-based link will look like “https://onedriveunbound6789.azure.core.windows.net”. If you reach a domain that includes suspicious numbers or letters, it would be better not to enter your credentials.
- Enter your credentials on the official website: If you doubt the warning email you have received and want to check whether it is true, you can check through the official website or web application. Instead of entering your credentials immediately on a domain that does not seem authentic, first check your spam folder to verify the warning message’s claim that you have received suspicious emails.
- Familiarize yourself with Microsoft practices: Microsoft does not store your information separately on an independent domain that will require you to re-login. If you click on an official Microsoft link, you usually will not have to log in again.
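An added example, not part of the original article: a small Python check that applies the “Check the domain link” precaution to a link before anyone types credentials into it. The host lists are assumptions (illustrative, not exhaustive), and the sample links other than the ones quoted in the article are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts where Microsoft itself serves mail or sign-in pages.
OFFICIAL_HOSTS = {"outlook.live.com", "login.live.com", "login.microsoftonline.com"}

# Assumption: Azure suffixes under which any subscriber can publish content.
# The Microsoft certificate on these names says nothing about the page author.
TENANT_SUFFIXES = (
    "core.windows.net",    # storage endpoints, e.g. <account>.blob.core.windows.net
    "azurewebsites.net",   # App Service sites
)

# Brand words that phishing hosts borrow; seeing one proves nothing about ownership.
BRAND_WORDS = ("microsoft", "outlook", "onedrive", "office365")


def classify_link(url: str) -> str:
    """Return 'official', 'azure-tenant', 'lookalike' or 'other' for a link."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "other"
    # .hostname is lower-cased and excludes userinfo ("user@") and the port,
    # so "https://outlook.live.com@other.host/" is judged by "other.host".
    host = parts.hostname.rstrip(".")
    if host in OFFICIAL_HOSTS:          # exact match only, never a substring test
        return "official"
    for suffix in TENANT_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "azure-tenant"       # customer-controlled content
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    samples = [
        "https://outlook.live.com",                               # from the article
        "https://onedriveunbound4455.blob.core.windows.net",      # from the article
        "https://onedriveunbound6789.azure.core.windows.net",     # from the article
        "https://outlook.live.com@portal.azurewebsites.net/view", # constructed
        "https://outlook.live.com.login.example/",                # constructed
    ]
    for link in samples:
        print(f"{classify_link(link):13} {link}")
```

Only an exact match on the host name counts as official; a link classified as `azure-tenant` or `lookalike` should never receive credentials, whatever certificate it presents.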
Microsoft Azure offers various services for different kinds of purposes. These services are beneficial for individual developers and big corporations alike. However, malicious actors also use them to attack vulnerable victims. There has been an increasing number of Microsoft phishing scams in recent months, and adversaries are finding new methods to steal personal information in a short time. Nevertheless, you can protect your valuable data’s confidentiality, integrity, and availability by following the above precautionary steps.