Microsoft Phishing Kit EwNaWJpB

Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.

References

Recent Detections

hxxp://reaxti9034com[.]hostfree[.]pw/

urlscan.io
hxxp://confimaoutlook[.]atsnx[.]com/?i=2

urlscan.io
hxxp://confimaoutlook[.]atsnx[.]com/

urlscan.io
hxxp://sincronizxacione[.]byethost31[.]com/?i=2

urlscan.io
hxxp://sincronizxacione[.]byethost31[.]com/

urlscan.io
hxxp://5467wa[.]ihostfull[.]com/?i=1

urlscan.io
hxxp://protocolactivac[.]hostfree[.]pw/?i=2

urlscan.io
hxxps://seguridadmsn[.]repl[.]co/

urlscan.io
hxxp://123j123123[.]hostfree[.]pw/?i=2

urlscan.io
hxxp://123j123123[.]hostfree[.]pw/

urlscan.io

IOK Rule (edit)

title: Microsoft Phishing Kit EwNaWJpB
description: |
    Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.
    
references:
    - https://urlscan.io/result/8024516d-703a-4a4c-93c2-611549bde820
    - https://urlscan.io/result/16043b90-f719-4fcf-a9db-f12db5d943c7

detection:

    form:
      html|contains|all:
        - type="email" name="emil"
        - id="clave" type="password" name="pss"

    favicon:
      html|contains: 'SCAM/favicon.png'

    cssFile:
      html|contains: 'estilo.css'

    condition: form and favicon and cssFile

tags:
  - target.microsoft
  - target_country.argentina