Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. The phishing kit calls sc.php to perform license validation prior to loading page content.
title: Microsoft Phishing Kit fyfcvk8e
description: |
Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words.
The phishing kit calls sc.php to perform license validation prior to loading page content.
references:
- https://urlscan.io/result/0f35c05b-73e0-4397-9e7e-9e3edb508d16
- https://urlscan.io/result/e73ca666-5a09-4c0e-949b-33a8f6ee7564
- https://urlscan.io/result/0ebaab43-0235-42cc-9304-153f698868d4
- https://urlscan.io/search/#filename%3A%22sc.php%22%20AND%20filename%3A%22jquery-3.1.1.min.js%22%20AND%20filename%3A%22crypto-js.min.js%22
detection:
phone:
dom|contains:
- +X XXXXXXXX71
browser:
dom|contains:
- THIS WORKS AS A SIGNA TURE CHANGE FOR DETECED BROWSER
licenseServer:
requests|contains|all:
- "sc.php"
- "jquery-3.1.1.min.js"
- "crypto-js.min.js"
condition: all of them
tags:
- kit
- target.microsoft