Microsoft Outlook Phishing Kit 9e75296

Detects a Microsoft Outlook phishing kit targeting Spanish-speaking users.

References

Recent Detections


IOK Rule

title: Microsoft Outlook Phishing Kit 9e75296
description: |
    Detects a Microsoft Outlook phishing kit targeting Spanish speaking users.
    
references:
    - https://urlscan.io/result/9e752962-a73a-41b6-813d-ca9026cb5391
    - https://urlscan.io/result/5c31c1c9-d13d-4ce6-a01b-b6c22e64e932
    
detection:

    jsFunction:
      html|contains: 'soloNumeros'
      
    logoFileName:
      html|contains: 'fond.png'
      
    exfilDestination:
      html|contains: 'action="savefile.php"'
      
    condition: jsFunction and logoFileName and exfilDestination

tags:
  - target.microsoft_outlook
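
The rule's three selections and its condition can be exercised offline with the following added example. It is not Phish Report's or IOK's own evaluator, only a simplified stand-in that supports `html|contains` and goes slightly beyond this rule by also accepting `or`, `not` and parentheses in the condition. The two sample pages are constructed, and case-insensitive matching is an assumption carried over from Sigma.

```python
import re

# Selections and condition transcribed from the rule on this page.
RULE = {"detection": {
    "jsFunction": {"html|contains": "soloNumeros"},
    "logoFileName": {"html|contains": "fond.png"},
    "exfilDestination": {"html|contains": 'action="savefile.php"'},
    "condition": "jsFunction and logoFileName and exfilDestination",
}}

def selection_hits(selection, page):
    """A selection matches when every field|modifier entry in it matches."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier in {key!r}")
        # Assumption: case-insensitive comparison, as in Sigma.
        if needle.lower() not in page.get(field, "").lower():
            return False
    return True

def evaluate(rule, page):
    """Return (matched, per-selection results) for one captured page."""
    detection = dict(rule["detection"])
    condition = detection.pop("condition")
    hits = {name: selection_hits(sel, page) for name, sel in detection.items()}
    expr = []
    for tok in re.findall(r"[()]|\w+", condition):
        # Keep boolean operators, substitute each selection name by its result.
        expr.append(tok if tok in ("and", "or", "not", "(", ")") else str(hits[tok]))
    # expr now holds only True/False, and/or/not and parentheses.
    return eval(" ".join(expr), {"__builtins__": {}}), hits

# Constructed sample pages, not captured from any real site.
KIT_PAGE = {"html": '<img src="fond.png"><form method="post" action="savefile.php">'
                    '<input onkeypress="return soloNumeros(event)"></form>'}
GENERIC_FORM = {"html": '<form action="/pedido"><img src="logo.png">'
                        '<input onkeypress="return soloNumeros(event)"></form>'}

if __name__ == "__main__":
    for name, page in (("kit", KIT_PAGE), ("generic", GENERIC_FORM)):
        print(name, evaluate(RULE, page))
```

The per-selection results show why the condition joins all three markers: the constructed generic form shares the `soloNumeros` helper name but carries neither the logo file name nor the `savefile.php` form action, so it does not match.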