Microsoft Phishing Kit 544eva7

Detects a Microsoft phishing kit targeting Spanish speaking users.

References

Recent Detections

hxxp://hotttt[.]your0ne[.]repl[.]co/

urlscan.io
hxxps://hotttt[.]your0ne[.]repl[.]co/

urlscan.io
hxxp://ptei88[.]royalwebhosting[.]net/

urlscan.io
hxxp://servicios403[.]hostfree[.]pw/

urlscan.io
hxxp://hostfast[.]hostfree[.]pw/?i=1

urlscan.io
hxxps://vo[.]la/C5rDPZ

urlscan.io
hxxps://dev-siste-redirec-secority[.]pantheonsite[.]io/Redomega/...

urlscan.io
hxxps://zigzagdownrightclicks[.]htmlmicrosft[.]repl[.]co/

urlscan.io
hxxps://s4bskcnr4ocn[.]m7yke[.]repl[.]co/

urlscan.io
hxxps://boringpertinenttechnician[.]beckhammora[.]repl[.]co/

urlscan.io

IOK Rule (edit)

title: Microsoft Phishing Kit 544eva7
description: |
    Detects a Microsoft phishing kit targeting Spanish speaking users.
    
references:
    - https://urlscan.io/result/31fcc1b0-fb7e-4947-94d3-1a4de1700954
    - https://urlscan.io/result/a4edc336-5315-471b-b1d6-4c2486a293fd
    - https://urlscan.io/result/9fad07e2-cb91-4cef-b047-bb5f794eb8c2
    - https://urlscan.io/result/c5c7ff3c-fa7c-47d9-a976-e00ea96b2a1c
    - https://urlscan.io/result/62ccd072-f825-49a8-bb6e-74d74dd7f6c0
    
detection:

    dropDownDividerID:
      html|contains: 'id="dropDownSelect1"'

    validationFunction:
      html|contains: 'soloNumeros'

    fakeSessionID:
      html|contains: '#544eva77'

    condition: dropDownDividerID and validationFunction and fakeSessionID
    
tags:
  - target.microsoft