Attackers are increasingly abusing trusted infrastructure to evade detection. A newly reported phishing campaign shows how compromised websites can be turned against business users, especially those who rely on Microsoft Teams.

Overview of the Campaign

KnowBe4 Threat Labs researchers have identified a large-scale phishing operation that uses legitimate WordPress sites to host credential-harvesting pages. By placing malicious content on established domains, the attackers make it far less likely that email filters and automated security tools will flag their links. The campaign's primary aim is to harvest Microsoft Teams credentials, but it also targets Xfinity and UAE Pass accounts. This multi-target approach suggests the attackers are collecting credentials from a broad population while concentrating on particular regions, especially the UAE.
Rather than registering new malicious domains, the attackers compromise existing websites and bury their phishing pages deep in the site's directory structure. The resulting URLs inherit the reputation of the host domain and look legitimate at first glance, which makes users more likely to click.

[Figure: Phishing lures (source: Twitter)]

Lures for Social Engineering

The campaign rotates through several phishing themes, each built to create a sense of urgency:

Microsoft Teams voicemail alerts: Victims receive an email claiming they missed a voicemail and are told to click "Listen Now".
Shared-document notifications: Users are told that a document has been shared with them and needs immediate review.
UAE Pass spoofing: Login prompts tailored to the UAE, designed to steal UAE Pass credentials from users in that region.

These lures imitate routine business communications, which makes them convincing even to security-aware users.
[Figure: Phishing lures (source: Twitter)]

The attack follows a fixed sequence:

The Hook: The victim receives a lure email, such as a Teams voicemail alert, and clicks the embedded link.
The Pivot: The link passes through a tracking domain, skimresources[.]com, which masks the final destination from the user and from URL filters that inspect only the first hop.
The Payload: The victim lands on a counterfeit login page closely imitating the Microsoft Teams, Xfinity, or UAE Pass portal, hosted in a directory of a compromised WordPress site.

The goal is to capture credentials the moment they are entered, so the attackers can take over the account and potentially use it as a foothold into the corporate network.
For example, a user who clicks the "Listen Now" button in a Teams-themed email may be silently bounced through several hops before landing on a near-perfect copy of the Microsoft login page, served from a legitimate but compromised website.

Evasion Techniques

One of the campaign's defining traits is its stealth. The attackers hide phishing payloads in directories on the compromised sites such as /wp-includes/, /bin/, and /config/ (only the first of these is part of WordPress core; the other two are directories the attackers add or reuse). Mixing malicious files with genuine site assets lets the pages pass routine scans without raising suspicion, and the trust attached to a well-known domain does the rest.
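The hiding places described above (core directories, a hidden .bin folder, a /config/ tree that WordPress never creates) are exactly what a site owner should be scanning for. The script below is an added example, not code from the article or from KnowBe4: it walks a document root, compares it against a manifest of expected core files, and applies two heuristics drawn from the paths the article reports. The manifest, the sample site and its file contents are constructed here for illustration; in production you would feed it the checksums WordPress publishes for your version (which is what `wp core verify-checksums` compares against).

```python
"""Find files dropped into a WordPress document root.

Added example, not code from the article or from KnowBe4. It checks a tree
against a manifest of expected core files (a constructed three-file manifest
here; in production use the checksums WordPress publishes, which is what
`wp core verify-checksums` compares against) and adds two heuristics drawn
from the paths the article reports: hidden directories such as ".bin", and
server-side or HTML files in directories WordPress does not use at all.
"""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-includes", "wp-admin")   # only shipped files belong here
WP_DIRS = CORE_DIRS + ("wp-content",)     # every directory WordPress uses
SERVED_EXT = (".php", ".htm", ".html")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_docroot(root, manifest):
    """manifest maps relative path -> sha256 of the expected content.
    Returns sorted findings: modified/missing core files, unknown files in
    core directories, hidden directories, and served files outside WordPress."""
    findings = {"modified": [], "unknown_in_core": [], "served_outside_wp": [], "hidden_dir": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        for d in dirnames:
            if d.startswith("."):
                findings["hidden_dir"].append(f"{rel_dir}/{d}" if rel_dir else d)
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            seen.add(rel)
            top = rel.split("/", 1)[0]
            if rel in manifest:
                if sha256_of(os.path.join(dirpath, name)) != manifest[rel]:
                    findings["modified"].append(rel)
            elif top in CORE_DIRS:
                findings["unknown_in_core"].append(rel)
            elif top not in WP_DIRS and name.lower().endswith(SERVED_EXT):
                findings["served_outside_wp"].append(rel)
    findings["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_site(root):
    """Write a constructed docroot: three 'core' files plus drops shaped like
    the article's paths. Returns the manifest for the clean files only."""
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.x';\n",
        "wp-includes/js/tinymce/wp-tinymce.js": b"/* shipped asset */\n",
    }
    drops = {
        "wp-includes/cgi/UAE PASS.htm": b"<form>lookalike login</form>\n",
        "config/.bin/voicemail/index.php": b"<?php /* harvester */\n",
        "bin/index.php": b"<?php /* harvester */\n",
    }
    manifest = {}
    for rel, data in {**clean, **drops}.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        if rel in clean:
            manifest[rel] = hashlib.sha256(data).hexdigest()
    # Tamper with one core file after the manifest was taken.
    with open(os.path.join(root, "wp-includes", "version.php"), "ab") as f:
        f.write(b"// appended by the intruder\n")
    return manifest

def scan_sample_site():
    """Build the constructed site in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_docroot(tmp, build_sample_site(tmp))

if __name__ == "__main__":
    for category, paths in scan_sample_site().items():
        for p in paths:
            print(f"{category}: {p}")
```

The manifest comparison catches the two things a reputation-based URL filter never sees: a core file that has been edited in place and a file that exists where nothing should. The two heuristics are deliberately loose; plugin and theme code under wp-content is out of scope here because it has no single published manifest, so treat "served_outside_wp" and "hidden_dir" hits as leads to inspect, not verdicts.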
Indicators of Compromise (IOCs)

Security teams should monitor for and block the following known malicious infrastructure (defanged, reproduced as published):

crsons[.]net/wp-includes/js/tinymce/~
crsons[.]net/wp-includes/cgi/UAE%20PASS.htm
afghantarin[.]com/afghantarin/admin/waitme/~
medinex[.]in/includes/bin/index[.]php
cabinetzeukeng[.]net/config/[.]bin/voicemail
rnedinex[.]com

Note that rnedinex[.]com begins with "rn", which reads as "m" in many fonts, so it is easy to mistake for medinex in an address bar or a log line.

The following controls help organizations lower their risk:

Enforce multi-factor authentication (MFA) on all critical services.
Inspect outbound traffic for unexpected redirects and intermediary domains.
Scan web assets regularly for unauthorized file injections.
Train users to verify URLs carefully, even when links appear to come from trusted domains.
Deploy email filtering that evaluates more than domain reputation, such as behavioral signals.
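The IOC list and the skimresources[.]com pivot described earlier can be turned directly into a check on outbound proxy logs. The script below is an added example, not code from the article or from KnowBe4. The IOC strings and the redirector domain are the ones the article lists, kept in their defanged form and refanged at load time; the log format and the sample lines are constructed for illustration, and the reading of a trailing "~" as a truncated path (hence a prefix match) is an assumption. It goes one step beyond a plain blocklist: it also unpacks the target URL carried in the redirector's query string, so the pivot is caught even when the final page is the only thing on the list, and it adds a heuristic for static login pages served out of /wp-includes/ on hosts that are not listed.

```python
"""Match outbound web requests against the campaign's published IOCs.

Added example, not code from the article or from KnowBe4. The IOC strings
and the redirector domain are the ones the article lists (kept defanged);
the log format and the sample lines are constructed for illustration.
"""
from urllib.parse import parse_qs, unquote, urlsplit

PUBLISHED_IOCS = [
    "crsons[.]net/wp-includes/js/tinymce/~",
    "crsons[.]net/wp-includes/cgi/UAE%20PASS.htm",
    "afghantarin[.]com/afghantarin/admin/waitme/~",
    "medinex[.]in/includes/bin/index[.]php",
    "cabinetzeukeng[.]net/config/[.]bin/voicemail",
    "rnedinex[.]com",
]
REDIRECTOR = "skimresources.com"  # tracking hop named in the article

def refang(ioc):
    """Turn the defanged x[.]y form back into a usable host/path string."""
    return ioc.replace("[.]", ".")

def parse_ioc(ioc):
    """Split an IOC into (host, path, is_prefix). A trailing '~' is assumed to
    mean a truncated path (prefix match); a bare host matches any path."""
    host, _, path = refang(ioc).partition("/")
    is_prefix = path.endswith("~")
    path = unquote(path.rstrip("~"))
    return host.lower(), ("/" + path if path else ""), is_prefix

IOCS = [(raw, *parse_ioc(raw)) for raw in PUBLISHED_IOCS]

def _under(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def match_ioc(url):
    """Return the published IOC string the URL hits, or None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), unquote(parts.path)
    for raw, ioc_host, ioc_path, is_prefix in IOCS:
        if not _under(host, ioc_host):
            continue
        if not ioc_path or (path.startswith(ioc_path) if is_prefix else path == ioc_path):
            return raw
    return None

def embedded_urls(url):
    """Yield absolute URLs carried in the query string (the redirector's target)."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                yield v

def looks_injected(url):
    """Heuristic, not an IOC: WordPress core serves no login pages from
    /wp-includes/, so a static .htm there is worth a look on any host."""
    path = unquote(urlsplit(url).path).lower()
    return "/wp-includes/" in path and path.endswith((".htm", ".html"))

def classify(url):
    """Return a reason string if the request is suspicious, else None."""
    hit = match_ioc(url)
    if hit:
        return f"IOC {hit}"
    if _under((urlsplit(url).hostname or "").lower(), REDIRECTOR):
        for target in embedded_urls(url):
            hit = match_ioc(target)
            if hit:
                return f"redirect via {REDIRECTOR} to IOC {hit}"
    if looks_injected(url):
        return "heuristic: static .htm page under /wp-includes/"
    return None

def scan_log(lines):
    """Lines are '<timestamp> <client-ip> <url> <status>' (assumed format);
    returns (client-ip, url, reason) for each suspicious request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            reason = classify(fields[2])
            if reason:
                hits.append((fields[1], fields[2], reason))
    return hits

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = [
    "2025-06-01T09:12:01Z 10.0.4.21 https://teams.microsoft.com/ 200",
    "2025-06-01T09:12:03Z 10.0.4.21 https://go.skimresources.com/?id=123"
    "&url=https%3A%2F%2Fcrsons.net%2Fwp-includes%2Fcgi%2FUAE%2520PASS.htm 302",
    "2025-06-01T09:12:09Z 10.0.4.37 https://cabinetzeukeng.net/config/.bin/voicemail 200",
    "2025-06-01T09:13:40Z 10.0.4.52 https://example-shop.test/wp-includes/cgi/login.htm 200",
    "2025-06-01T09:14:02Z 10.0.4.52 https://example.test/wp-includes/js/jquery/jquery.min.js 200",
]

if __name__ == "__main__":
    for src, url, reason in scan_log(SAMPLE_LOG):
        print(f"{src} {reason}: {url}")
```

Two details matter in practice. Paths are percent-decoded on both sides before comparison, so `UAE%20PASS.htm` in the list matches `UAE%2520PASS.htm` once it has been unwrapped from the redirector's query string. And a host-only IOC such as rnedinex[.]com is matched against subdomains as well, since a phishing kit is as likely to sit on mail.rnedinex[.]com as on the apex.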
As attackers continue to abuse legitimate infrastructure, detection that relies solely on domain reputation is losing its value.

This campaign underlines the need for layered defenses and for user awareness of phishing that keeps growing more sophisticated.