Microsoft’s Azure Front Door cloud CDN used to create phishing sites

June 28, 2022

Cybercriminals used Microsoft’s Azure Front Door (AFD) to host phishing content to victimise people. Based on reports, one of the malicious campaigns that imitated different services was created on the azurefd[.]net domain, allowing the threat actors to steal victims’ data.

Hosting phishing content on popular cloud services is an effective way for threat actors to avoid detection. A malicious site hosted behind Azure Front Door might not be flagged as dangerous, since the service's domains are typically whitelisted on the user's end.
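The allowlisting gap described above, as an added example that is not from the original article or the researchers it cites: a suffix allowlist that trusts `azurefd.net` passes any hostname a customer creates under it, while the hardened check trusts shared-hosting hostnames only by exact match. The allowlist contents, hostnames and sample email are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: suffixes under which any customer can register a hostname.
SHARED_HOSTING_SUFFIXES = ("azurefd.net",)
# Constructed allowlists (hypothetical entries).
SUFFIX_ALLOWLIST = ("microsoft.com", "azurefd.net")
EXACT_ALLOWLIST = {"contoso-portal.azurefd.net"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def refang(text):
    """Undo common defanging (hxxp, [.]) so reported indicators parse as URLs."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

def hosts_in(text):
    """Return the lower-cased hostname of every URL found in the text."""
    hosts = []
    for url in URL_RE.findall(refang(text)):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. a stray '['
            continue
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts

def under(host, suffix):
    """True only on a label boundary, so 'azurefd.net.x.example' does not match."""
    return host == suffix or host.endswith("." + suffix)

def weak_verdict(host):
    """Suffix allowlist: trusts every tenant on a shared suffix."""
    return "allow" if any(under(host, s) for s in SUFFIX_ALLOWLIST) else "scan"

def hardened_verdict(host):
    """Hostnames on shared-hosting suffixes are trusted only by exact match."""
    if any(under(host, s) for s in SHARED_HOSTING_SUFFIXES):
        return "allow" if host in EXACT_ALLOWLIST else "scan"
    return weak_verdict(host)

def triage(text):
    """Map each hostname in the text to (weak verdict, hardened verdict)."""
    return {h: (weak_verdict(h), hardened_verdict(h)) for h in hosts_in(text)}

# Constructed sample email body.
SAMPLE_EMAIL = """Your invoice is ready: hxxps://billing-update-example[.]azurefd[.]net/pay
Portal: https://contoso-portal.azurefd.net/login
Docs: https://learn.microsoft.com/azure"""
```

Hostnames that come back as `scan` under the hardened check go through normal URL reputation and content inspection instead of bypassing it.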

In one observed phishing scenario, researchers saw a fake billing letter from a threat actor impersonating a communication and marketing firm. The experts’ analysis of the phishing email showed that the operators generate the message contents via automation tools to scale their campaigns to a larger number of international customers.

Researchers listed multiple malicious domains used in the new phishing campaign, most of which used the Azure Front Door cloud CDN to obfuscate the phishing sites.

According to the in-depth analysis of these campaigns, experts found that some had been active since March this year and targeted Japan, since the sites are hosted on Kagoya virtual private servers.

The phishing actors also leveraged hacked domain resources with the same spelling as existing large-scale companies, which helps them easily impersonate those firms to attack victims. Some of the identified campaigns target businesses in the Middle East; security experts responded immediately to mitigate the problems.

Azure Front Door was also used in phishing campaigns in November 2021 to host malicious websites and target educational institutions and government employees in the UK.

A wide variety of threat groups, such as APT gangs, could leverage Azure Front Door to evade detection as they carry out attacks like phishing and business email compromise (BEC). Users must avoid clicking on suspicious links sent by unknown sources to be safe from being victimised by such campaigns.
