Microsoft Phishing Kit 544eva7

Recent Detections

  • hxxps://zigzagdownrightclicks[.]htmlmicrosft[.]repl[.]co/
  • hxxps://s4bskcnr4ocn[.]m7yke[.]repl[.]co/
  • hxxps://boringpertinenttechnician[.]beckhammora[.]repl[.]co/
  • hxxps://BoringPertinentTechnician[.]beckhammora[.]repl[.]co
  • hxxp://segurityarg400[.]segurityarg400[.]repl[.]co
  • hxxps://serviciosshn[.]repl[.]co
  • hxxp://serviciossHn[.]serviciossHn[.]repl[.]co
  • hxxp://verifyidentify[.]oficce202222[.]repl[.]co
  • hxxp://pleasingsolidgigabyte[.]segurityarg1522[.]repl[.]co/
  • hxxps://pleasingsolidgigabyte[.]segurityarg1522[.]repl[.]co/

IOK Rule (edit)

title: Microsoft Phishing Kit 544eva7
description: |
    Detects a Microsoft phishing kit targeting Spanish speaking users.
    
references:
    - https://urlscan.io/result/31fcc1b0-fb7e-4947-94d3-1a4de1700954
    - https://urlscan.io/result/a4edc336-5315-471b-b1d6-4c2486a293fd
    - https://urlscan.io/result/9fad07e2-cb91-4cef-b047-bb5f794eb8c2
    - https://urlscan.io/result/c5c7ff3c-fa7c-47d9-a976-e00ea96b2a1c
    - https://urlscan.io/result/62ccd072-f825-49a8-bb6e-74d74dd7f6c0
    
detection:

    dropDownDividerID:
      html|contains: 'id="dropDownSelect1"'

    validationFunction:
      html|contains: 'soloNumeros'

    fakeSessionID:
      html|contains: '#544eva77'

    condition: dropDownDividerID and validationFunction and fakeSessionID
    
tags:
  - target.microsoft