New Threat: Microsoft Azure Custom Domains
Attackers are leveraging Microsoft Azure custom domains to create phishing and malware links that are difficult to spot.

One of the first things we tell people to do when they get a suspicious email or link is to make sure it’s a legitimate domain. But with attackers exploiting Microsoft Azure’s Custom Domain Name feature, it’s harder than ever to be sure.
Microsoft offers users the ability to configure a custom domain name for their Azure storage accounts, and cyber attackers are taking advantage. Attackers have begun to create realistic custom URLs to host their phishing sites—often sent using Microsoft’s web servers—that look like legitimate Microsoft login pages.
Attackers send realistic-looking emails (Update your info! Log in to read this important alert! Click here to get your voicemails! Sign in to update your payment info!) that include a link to log in to your Microsoft account. The link uses an actual Microsoft domain, such as “web.core.windows.net”, “blob.core.windows.net”, or “.azurewebsites.net”.
They look so legitimate, we almost fell for it ourselves.
Once you click the link, you’re brought to a page that mimics the Microsoft login portal. It steals the email addresses and passwords entered and uploads them to an external compromised site.
AppRiver conducted an investigation and found 284 emails exposed, along with their geolocation data. And since many users attempted to log in using several different passwords, hackers now have visibility into the passwords those users might use for other accounts.
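For IT teams, here is one way to flag these links in inbound mail. This is an added example, not code from AppRiver or Microsoft. The trusted-host list beyond portal.office.com, the lure keywords, the verdict names and the sample message are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Suffixes named in the article. The label in front of them is chosen by the
# Azure customer, so a Microsoft-owned domain is not proof of a Microsoft page.
TENANT_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net",
                   ".azurewebsites.net")
# Assumption: sign-in hosts the organisation trusts (portal.office.com is from
# the article; adjust the rest to your own environment).
TRUSTED_LOGIN_HOSTS = {"portal.office.com", "login.microsoftonline.com"}
# Assumption: lure wording modelled on the subject lines quoted in the article.
LURE_WORDS = re.compile(r"\b(log ?in|sign ?in|voicemail|payment|update your)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>()]+", re.I)

# Constructed sample message, not a real phishing email.
SAMPLE_PHISH = ("You have a new voicemail. Sign in to listen: "
                "https://example-account.web.core.windows.net/index.html")


def normalise_host(url):
    """Hostname only: drops userinfo and port, lower-cases, strips trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify_link(url):
    """Label a URL by who controls the content served at its hostname."""
    host = normalise_host(url)
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted-login"
    if any(host.endswith(suffix) for suffix in TENANT_SUFFIXES):
        return "azure-tenant-hosted"
    return "other"


def review_email(body):
    """Return (verdict, [(url, label), ...]) for one plain-text email body."""
    urls = [u.rstrip(".,;") for u in URL_RE.findall(body)]
    findings = [(u, classify_link(u)) for u in urls]
    tenant_hosted = any(label == "azure-tenant-hosted" for _, label in findings)
    if tenant_hosted and LURE_WORDS.search(body):
        return "quarantine", findings   # tenant-hosted link plus login lure
    if tenant_hosted:
        return "warn", findings         # may be a legitimate customer app
    return "deliver", findings


if __name__ == "__main__":
    print(review_email(SAMPLE_PHISH))
```

Matching on the parsed hostname rather than the raw string means a trusted name placed in the userinfo part of a URL, or an Azure suffix embedded in an unrelated domain, does not change the label.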
What can you do?
- Turn on two-factor authentication for all your accounts!
- Take no action. You’re always safe if you don’t click suspicious links or attachments.
- If it’s an email you’ve never received before or that seems strange, don’t click or enter your login credentials, even if it seems urgent. Instead, ask your IT team if it’s legitimate.
- Instead of using a link from an email to log into your account, open up a browser and log in from a known, trusted website (e.g. portal.office.com).
- And lastly, if you think your account information has been compromised, CHANGE YOUR PASSWORDS.
Best of luck!