Phishing uses Azure Static Web Pages to impersonate Microsoft

Phishing assaults are abusing Microsoft Azure’s Static World-wide-web Apps provider to steal Microsoft, Office 365, Outlook, and OneDrive credentials.

Azure Static Web Applications is a Microsoft service that assists construct and deploy comprehensive-stack world wide web apps to Azure from GitHub or Azure DevOps code repositories.

It allows developers to use customized domains for branding website apps, and it offers net web hosting for static content material this kind of as HTML, CSS, JavaScript, and pictures.

As stability researcher MalwareHunterTeam found, threat actors have also noticed that the customized branding and the world wide web web hosting attributes can quickly be utilised to host static landing phishing webpages.

Attackers are now actively working with Microsoft’s support from its clients, actively targeting users with Microsoft, Place of work 365, Outlook, and OneDrive accounts.

As revealed below, some of the landing internet pages and login forms used in these phishing strategies seem almost specifically like official Microsoft pages.

Azure Static Web Apps phishing pages
Azure Static World-wide-web Applications phishing pages (BleepingComputer)

Azure Static Web Applications adds legitimacy

Utilizing the Azure Static Web Apps platform to goal Microsoft buyers is an excellent tactic. Each landing site automatically receives its personal protected web page padlock in the handle bar thanks to the *.1.azurestaticapps.net wildcard TLS certificate.

This will likely trick even the most suspicious targets just after viewing the certification issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, thus validating the phishing site as an formal Microsoft login form in the eyes of potential victims.

This also tends to make such landing web pages a valuable instrument when concentrating on the consumers of other platforms, which include Rackspace, AOL, Yahoo, and other e-mail companies, owing to the faux veil of safety added by the genuine Microsoft TLS certs.

1.azurestaticapps.net wildcard Microsoft TLS certificate
1.azurestaticapps.net wildcard Microsoft TLS certificate

When striving to detect when a phishing assault is targeting you, the normal advice is to carefully test the URL when questioned to fill in your account qualifications in a login variety.

Sad to say, the phishing campaigns abusing Azure Static Website Apps make this assistance pretty much worthless since numerous users will get tricked by the azurestaticapps.net subdomain and the valid TLS certification.

This is not the initial time a Microsoft service has been exploited in phishing attacks to focus on the company’s possess prospects.

Phishing campaigns also use the *.blob.core.home windows.net wildcard certification furnished by Microsoft’s Azure Blob Storage to concentrate on Office 365 and Outlook consumers.

BleepingComputer reached out to Microsoft for remark and we are going to update the tale if we hear again.