Phishing uses Azure Static Web Pages to impersonate Microsoft


Phishing attacks are abusing Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials.

Azure Static Web Apps is a Microsoft service that helps build and deploy full-stack web apps to Azure from GitHub or Azure DevOps code repositories.

It allows developers to use custom domains for branding web apps, and it provides web hosting for static content such as HTML, CSS, JavaScript, and images.

As security researcher MalwareHunterTeam discovered, threat actors have also noticed that the custom branding and the web hosting features can easily be used to host static landing phishing pages.

Attackers are now actively using Microsoft’s service against its own customers, targeting users with Microsoft, Office 365, Outlook, and OneDrive accounts.

As shown below, some of the landing pages and login forms used in these phishing campaigns look almost exactly like official Microsoft pages.

Azure Static Web Apps phishing pages (BleepingComputer)

Azure Static Web Apps adds legitimacy

Using the Azure Static Web Apps platform to target Microsoft users is an excellent tactic. Each landing page automatically gets its own secure page padlock in the address bar due to the *.1.azurestaticapps.net wildcard TLS certificate.

Even the most suspicious targets are likely to be tricked once they see that the certificate was issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, which validates the phishing page as an official Microsoft login form in the eyes of potential victims.

This also makes such landing pages a helpful tool when targeting the users of other platforms, including Rackspace, AOL, Yahoo, and other email providers, due to the fake veil of security added by the legitimate Microsoft TLS certs.

1.azurestaticapps.net wildcard Microsoft TLS certificate

The standard advice for spotting a phishing attack is to closely check the URL whenever a login form asks for your account credentials.

Unfortunately, the phishing campaigns abusing Azure Static Web Apps make this advice almost worthless since many users will get tricked by the azurestaticapps.net subdomain and the valid TLS certificate.

This is not the first time a Microsoft service has been exploited in phishing attacks to target the company’s own customers.

Phishing campaigns also use the *.blob.core.windows.net wildcard certificate provided by Microsoft’s Azure Blob Storage to target Office 365 and Outlook users.
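For defenders, the practical consequence is that the hosting suffix and its valid certificate say nothing about who controls a page. The following detection sketch is an added example, not code from the article or from Microsoft: it flags proxy-log entries where a host under either shared suffix named above carries sign-in or brand wording. The trusted-host allowlist, keyword list, log format and sample hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Shared hosting suffixes named in the article. Any customer can publish under
# them, so the Microsoft-issued wildcard certificate proves nothing about ownership.
SHARED_HOSTING_SUFFIXES = ("azurestaticapps.net", "blob.core.windows.net")
# Assumption: hosts treated as genuine Microsoft sign-in endpoints.
TRUSTED_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: wording that suggests a credential prompt or a brand lure.
LURE_KEYWORDS = ("login", "signin", "office", "outlook", "onedrive", "microsoft")


def classify(url):
    """Return 'trusted', 'suspect', 'shared-hosting' or 'other' for an absolute URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if host in TRUSTED_SIGNIN_HOSTS:  # exact match only, never a substring test
        return "trusted"
    # Require a dot before the suffix so "notazurestaticapps.net" does not match.
    suffix = next((s for s in SHARED_HOSTING_SUFFIXES if host.endswith("." + s)), None)
    if suffix is None:
        return "other"
    # Search only the customer-controlled part: labels left of the suffix, plus the path.
    customer_part = host[: -len(suffix)] + parts.path.lower()
    if any(keyword in customer_part for keyword in LURE_KEYWORDS):
        return "suspect"
    return "shared-hosting"


def suspect_hits(log_lines):
    """Return (user, url) pairs for 'suspect' URLs in '<timestamp> <user> <url>' lines."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 3 and classify(fields[2]) == "suspect":
            hits.append((fields[1], fields[2]))
    return hits


# Constructed sample proxy log; every hostname below is a made-up placeholder.
SAMPLE_LOG = [
    "2022-04-04T09:12:01Z alice https://login.microsoftonline.com/common/oauth2/authorize",
    "2022-04-04T09:13:40Z bob https://example-tenant-0000.1.azurestaticapps.net/login.html",
    "2022-04-04T09:15:02Z carol https://examplestorage0000.blob.core.windows.net/web/outlook/index.html",
    "2022-04-04T09:16:27Z dave https://example-docs-0000.1.azurestaticapps.net/docs/install.html",
    "2022-04-04T09:18:55Z erin https://login.microsoftonline.com.example-tenant-0000.1.azurestaticapps.net/",
]

if __name__ == "__main__":
    for user, url in suspect_hits(SAMPLE_LOG):
        print(f"review: {user} visited {url}")
```

The last sample line shows why the allowlist must be an exact host comparison: the genuine sign-in hostname appears as a prefix of a tenant-controlled subdomain.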

BleepingComputer reached out to Microsoft for comment and we’ll update the story if we hear back.
