Microsoft Phishing Kit EwNaWJpB

Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.

References

Recent Detections


IOK Rule

title: Microsoft Phishing Kit EwNaWJpB
description: |
    Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.
    
references:
    - https://urlscan.io/result/8024516d-703a-4a4c-93c2-611549bde820
    - https://urlscan.io/result/16043b90-f719-4fcf-a9db-f12db5d943c7

detection:

    form:
      html|contains|all:
        - type="email" name="emil"
        - id="clave" type="password" name="pss"

    favicon:
      html|contains: 'SCAM/favicon.png'

    cssFile:
      html|contains: 'estilo.css'

    condition: form and favicon and cssFile

tags:
  - target.microsoft
  - target_country.argentina