Phishing uses Azure Static Web Pages to impersonate Microsoft

Phishing attacks are abusing Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials.

Azure Static Web Apps is a Microsoft service that helps build and deploy full-stack web apps to Azure from GitHub or Azure DevOps code repositories.

It allows developers to use custom domains for branding web apps, and it provides web hosting for static content such as HTML, CSS, JavaScript, and images.

As security researcher MalwareHunterTeam discovered, threat actors have also noticed that the custom branding and web hosting features can easily be used to host static phishing landing pages.

Attackers are now actively using Microsoft’s service against its customers, targeting users with Microsoft, Office 365, Outlook, and OneDrive accounts.

As shown below, some of the landing pages and login forms used in these phishing campaigns look almost exactly like official Microsoft pages.

Azure Static Web Apps adds legitimacy

Using the Azure Static Web Apps platform to target Microsoft users is an excellent tactic. Each landing page automatically gets its own secure page padlock in the address bar due to the * wildcard TLS certificate.

Even the most suspicious targets are likely to be tricked once they see the certificate issued by Microsoft Azure TLS Issuing CA 05 to *, which validates the phishing page as an official Microsoft login form in the eyes of potential victims.

This also makes such landing pages a helpful tool when targeting the users of other platforms, including Rackspace, AOL, Yahoo, and other email providers, due to the fake veil of security added by the legitimate Microsoft TLS certs.

When trying to detect whether a phishing attack is targeting you, the standard advice is to closely check the URL when asked to fill in your account credentials in a login form.

Unfortunately, the phishing campaigns abusing Azure Static Web Apps make this advice almost worthless since many users will get tricked by the subdomain and the valid TLS certificate.
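
A defender-side check for the problem described above, as an added example that is not from the original article: it ignores the valid certificate and the Microsoft-owned parent domain, and flags Microsoft-branded pages served from customer-controlled hosting suffixes in proxy logs. The suffix list, the accepted sign-in hosts, and the log lines are assumptions constructed for this illustration.

```python
from urllib.parse import urlsplit

# Assumption (not from the article): DNS suffixes under which any Azure
# customer can publish content, so the parent domain proves nothing.
TENANT_SUFFIXES = ("azurestaticapps.net", "blob.core.windows.net")
# Assumption: hosts this organisation accepts as real Microsoft sign-in pages.
OFFICIAL_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Brand words for the services the article names as impersonated.
BRAND_WORDS = ("microsoft", "office", "outlook", "onedrive")


def classify(url):
    """Return 'official', 'tenant-hosted', 'other' or 'invalid' for a URL."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "invalid"
    if host in OFFICIAL_LOGIN_HOSTS:
        return "official"
    # Match on a label boundary so "azurestaticapps.net.example.org" misses.
    if any(host.endswith("." + s) for s in TENANT_SUFFIXES):
        return "tenant-hosted"
    return "other"


def suspicious_requests(log_lines):
    """Return (user, url) for tenant-hosted pages that use Microsoft branding."""
    hits = []
    for line in log_lines:
        user, _method, url = line.split()
        branded = any(w in url.lower() for w in BRAND_WORDS)
        if branded and classify(url) == "tenant-hosted":
            hits.append((user, url))
    return hits


# Constructed proxy log lines ("user method url"); hostnames are made up.
SAMPLE_LOG = [
    "alice GET https://login.microsoftonline.com/common/oauth2/authorize",
    "bob GET https://example-app-01.azurestaticapps.net/office365/login.html",
    "carol GET https://login.microsoftonline.com@example-app-02.azurestaticapps.net/outlook",
    "dave GET https://example-docs-03.azurestaticapps.net/index.html",
    "erin GET https://azurestaticapps.net.example.org/onedrive",
]

if __name__ == "__main__":
    for user, url in suspicious_requests(SAMPLE_LOG):
        print(f"review: {user} -> {url}")
```

Legitimate applications also live on these suffixes, so hits are candidates for review rather than confirmed phishing.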

This is not the first time a Microsoft service has been exploited in phishing attacks to target the company’s own customers.

Phishing campaigns also use the * wildcard certificate provided by Microsoft’s Azure Blob Storage to target Office 365 and Outlook users.

We reached out to Microsoft for comment and will update the story if we hear back.
