Tag Archives: cybercriminal

Cybercriminals Use Azure Front Door in Phishing Attacks

Experts identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft.

Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft.

The identified resources in one of the malicious campaigns impersonate various services appearing to be legitimately created on the “azurefd.net” domain – This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.  

Pic. 1 – Example of Phishing Page Delivered by Azure Front Door (AFD)

The threat actors are leveraging compromised business and personal e-mail accounts to deliver spam containing phishing links to fake WEB-resources hosted on Azure Front Door, as such domains are typically whitelisted or treated as legitimate by the end user. One of the typical phishing page scenarios observed in a recent campaign – a fake billing notification sent on behalf of SendGrid, a Colorado-based customer communication platform for transactional and marketing email.

Pic. 2 – Cybercriminals leverage compromised e-mail accounts of
Japanese companies and online-services to deliver phishing

The original phishing e-mails have been retained and observed by Security Affairs. Based on the analyzed templates, the attackers are likely using an automated way to generate their phishing letters, by doing so they’re able to scale their campaigns to ultimately target a broader number of customers globally, which has previously been observed in spam strains delivered with Emotet and Oakbot.

It’s worth noting, the observed de-obfuscated source codes of the phishing scenarios contained the signatures “STRAT Check” and references to WHOIS-protected domains registered in “.click” and “.xyz” domain zones to collect compromised credentials.

Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June – some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, which only adds more complexity for defenders:

  • gridapisignout[.]azurefd[.]net
  • amazon-uk[.]azurefd[.]net
  • webmailsign[.]azurefd[.]net
  • onlinesigninlogin[.]azurefd[.]net
  • owasapisloh[.]azurefd[.]net
  • docuslgn-micros0ft983-0873878383[.]azurefd.net

Based on the analysis performed on services such as URLSCAN, some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources. 

The scenarios acting as C2 scripts for intercepted credentials collection were also hosted on various hacked WEB-resources, leveraging domains having similar spelling to the names of existing corporations. Such domains were used to impersonate several large enterprises in the Middle East and other countries what may confirm the campaign could have been targeted and had certain motives besides financial.

Pic 3. – Example of a phishing template designed
to compromise e-mail accounts using Adobe branding

In one of the phishing episodes, the threat actors impersonated the large business conglomerate Al-Futtaim Group from UAE which was founded in 1930 with over 44,000 employees. The host was created in March 2022 and was used to collect intercepted credentials leveraging spelling with just 1 letter different from the legitimate and official name of Al-Futtaim Group domain name (“alfuttairn[.]com” VS “alfuttaim[.]com”).

Pic 4. – Example of HTTP Post Request to Transmit Compromised Credentials in the Result of Successful Phishing Attack

Pic.5 – Phishing template with fake authorization targeting Office 365 customers

Pic.6 – Phishing template targeting Amazon customers

Pic.7 – Scenario to intercept credit card data with CVV Number (“Card Verification Value”)

The identified malicious domain names and additional intelligence have been reported by Resecurity to Microsoft Security Response Center (MSRC) to minimize possible risk and damages from this activity. All of the identified malicious resources have been successfully and timely terminated.  

Similar campaigns have been identified by the MalwareHunterTeam (MHT) in November 2021, when Azure Front Door Service (AFD) was used to host phishing content targeting academia and the UK Government employees.

According to experts such tactics could be leveraged by both sophisticated threat actors and APT groups, as well as cybercriminals to avoid being detected conducting phishing, business e-mail compromise (BEC), and Email Account Compromise (EAC) campaigns.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received reports of BEC scams in all 50 states and 177 countries. In a March 2022 report, the IC3 said it received close to 20,000 BEC complaints last year, with estimated adjusted losses of roughly $2.4 billion.

The total BEC/EAC statistics reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021 exceeds 43$ billion.

This and other interesting stories are available on the ReSecurity website


Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Azure Front Door)

[adrotate banner=”5″]

[adrotate banner=”13″]

Corporate email addresses are 6.2x more targeted by phishing

At the RSA security conference in San Francisco, the experts at Google Research explained that Corporate email addresses are privileged targets for hackers.

At the RSA security conference in San Francisco, the experts at the Google Research team at the Google Research team have shared the results of an interesting study on cyber attacks against emails accounts.

Corporate email addresses are 4.3 more likely to receive malicious codes compared to personal accounts, 6.2 times more likely to receive phishing lures, and 0.4 times less likely to receive spam messages.

The Google Research team analyzing more than one billion emails that passed through its Gmail service, the experts discovered that corporate inboxes are a privileged target for threat actors. The result is not surprising because corporate email accounts contain more valuable information for attackers. Cyber criminals can steal information and resell them on the Dark Web, meanwhile, nation-state actors could use them for espionage activities.

Which is the most targeted industry?

This result is very interesting, organizations in the real estate sector were the most targeted with malicious codes, while spam emails proposing products and services mostly targeted companies in entertainment and IT industries.

Organizations in the financial sector are the privileged target of phishing campaigns, the experts at Google believe that phishing attacks will continue to increase in the future.

Anyway, there is a good news for Gmail.users, as announced by Elie Bursztein, the head of Google’s anti-abuse research team, the company is going to implement the SMTP Strict Transport Security to the email service.

The SMTP STS will provide a further security measure to protect Gmail users from man-in-the-middle attacks that leverage on rogue certificates. Google, Microsoft,

“Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.wrote ThreatPost.

Below the slides presented at the RSA Conference by Elie Bursztein.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Corporate email addresses, Cybercriminal)

Critical infrastructures & manipulation of the name Anonymous

What are the main dangers for our infrastructures? Too much threats which any country is exposed. The situation is bleak, suddenly the sectors of defense found themselves vulnerable to cyber threats. Once nations shown their proud arms, flaunt power, intimidating opponents in this way. Today the way of fighting is radically changed, the battleground is cyberspace, the armies are composed by groups of hackers and cyber weapons are sophisticated weapons designed to attack strategic targets … mainly the wars today are silent. This last aspect is not negligible, country like China has started the warfare first of many other nations, the objectives of raids and of cyber operations of industrial espionage are often realized when the main damages had been already caused. In some cases we speak of a competitive advantage than a decade, we think the case study of Nortel and the damage caused by a decade of spying. The political landscape has radically changed, today countries like U.S., Japan and Russia are subject to the offensive of those nations once been relegated to marginal roles on the international stage. In mid July 2010, security experts discovered the virus called Stuxnet that had infiltrated computers inside nuclear plants and other infrastructures in country like Iran. It is considered “the first” cyber weapon of the history.

It is completely changed the way to conduct intelligence operations now moves through a meticulous analysis of the battlefield, Internet, studying the operations in the cyber space of opposing forces, nations and companies to spy.

Many aspects are profoundly changed, alliances that were once unimaginable has become reality today and they are able to frighten technologically advanced nations such as Israel and U.S.. For example let me cite China-Iran axis, or the support provided by China itself to nations like North Korea in offending military targets such as South Korea or Japan.
All this turmoil has the main effect of addressing significant capital in critical areas such as cyber defense to compensate cyber gap. Uncomfortable situation that governments tend to conceal and hide from its citizens, I live in Italy and if I go on the streets to ask ordinary people the cost of spending on warfare they will take me for a fool.
The awareness level on the topic is practically zero. The question remains how much effective are these measures and what is the level of security we are able to provide?  We are in an embryonic stage in which it is too early hazard a hypothesis about the real state in term of security of the critical infrastructures all over the world. Who is threaten our tranquility?

Main threats come from:

  • Hostile foreign states and cyber terrorism
  • Cyber ​​crime
  • Groups of hacktivists

The threat of cyber crime and those made ​​by the actions of protest of groups of hacktivists are sources of considerable concern. So far this year we have witnessed an escalation of the phenomenon of hacktivism, the Anonymous group seems to have upped the ante, between doubts and misgivings about the real genesis of operations, numerous attacks have been registered against government sites and security agencies.

Gen. Keith Alexander, current director of the National Security Agency warned regarding the possibility that groups of hacktivist will have the ability in short term to bring cyber attack to the national power supplies causing a limited power outage in the US..
Power supplies are just one possible target, don’t forget the critical of telecommunications systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems and emergency services.  The profile of cyber assaults against US government and corporate targets is increasing manifesting high skill in the cyber strategy of the attacks.

If forces like those of hacktivist have the technical capacities and critical mass such that they can influencing foreign policy, are we sure that among their goals there are critical infrastructures?

Why the group that draws its strength from the masses should attack them, put them in danger? 

Does Anonymous want this?

In an official message to the Wall Street Journal Anonymous regarding the accusation has written

“Ridiculous! Why should Anonymous shut off power grid? Makes no sense! They just want to make you feel afraid.”

“Why would Anons shut off a power grid?” reads a tweet from the @YourAnonNews feed. “There are ppl on life support / other vital services that rely on it. Try again NSA. #FearMongering”

The researcher of the Mercatus Center at George Mason University, Jerry Brito, told that Anonymous has never made a threat to the electrical grid or to other critical infrastructure.
But then, why these rumors began to circulate in authoritative newspapers? More of the group itself I’m scared of misuse of the name Anonymous, someone using the causes of the hacktivists to create a climate of emergency, declare openly to the world that we are terribly vulnerable.
Maybe someone is convinced that scaring the public is possible to remove the masses from the ideology behind the staged protests. The sad aspect is that someone could use the threat to justify expenses never disclosed before, in a state of emergency is known that many canonical steps for approval of investments are deliberately skipped to the benefit of nearby businesses to governments.

Why we intend to define the components of Anonymous cyber-terrorists and cyber criminals?

Mr. Richard Stiennon, Chief Research Analyst at IT-HARVEST, draws some distinctions in the definitions as well. A cybercriminal is generally motivated purely by profit. That is a different goal than cyber espionage, which seeks to access intellectual property for military or industrial strategic advantage, or cyberwar, which focuses on actually sabotaging infrastructure, disrupting critical systems, or inflicting physical damage on an enemy.

Do you recognize anonymous in one of these definitions?

The reality is dramatic, many countries like America and european members states are vulnerable to cyber attacks. Tens and thousands of critical structures are still vulnerable and in many cases also not counted. The real problem will be actions of cyber-terrorism, the business of terror is aware of the situation of the infrastructures and it is ready to hit. Consider for example how a terrorist act is mutated, once a group of subversive planned in secret the attack todays is it try to involve young guys to masquerade the real source of the attacks. The cyber recruiting is really simple, it is enough to announce an operation of Anonymous in specific channel (e.g. chat, social networks) to attract young people living in myth of the hacker, unaware of the real targets of a mission. The availability of tools for offense on the internet makes it easy circumvention of our children.
It ‘s time to come out, inform the masses, but in proper manner, absurd that person like my father still ignore terms like cyber terrorism and cyber weapons.
Pierluigi Paganini