Google App en gine and Azure App service hits with phishing

A phishing campaign abused both the Google App Engine and the Azure App Service to steal victims’ Microsoft Outlook credentials.

A Google Cloud Platform (GCP) service used for developing and hosting web applications, Google App Engine enables customers to direct SSL-protected traffic through their appspot.com domain.

This characteristic thereby lent the domain used in this campaign a sense of legitimacy.

The phishing page informed the visitor that their account credentials were incorrect after they had submitted their username and password. It then sent those details to ‘handler.php,’ a page hosted via Azure’s App Service at “july-28[.].azurewebsites[.]net.”

This domain was one of 110 bait URLs and 72 credential hosting URLs that traced back to this phishing campaign. As noted by Netskope, however, the vast majority of those sites used Azure’s App Service

The threat actor has mostly used Azure App Service to host the credential harvester at azurewebistes.net. It appears the attacker tried out multiple different options to serve the credential harvester and chose to use Azure App Service on an ongoing basis, likely because of its ease of use and Microsoft-issued SSL certs.

The campaign described above highlights the need for organizations to defend themselves against a phishing attack. One of the ways they can do this is by training their employees to spot some of the most common types of phishing campaigns that are in circulation today. They can use this resource to lay the basis for their education efforts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s