Microsoft Outlook Phishing Kit 9e75296

Detects a Microsoft Outlook phishing kit targeting Spanish speaking users.

References

Recent Detections

  • hxxps://giftedtreasuredeng[.]3r45f[.]repl[.]co/
  • hxxps://mail-verify[.]segurityemail[.]repl[.]co/
  • hxxps://mailaccountclient-com[.]verifyaccount01[.]repl[.]co/
  • hxxps://mailaccountclient[.]verifyaccount01[.]repl[.]co/
  • hxxps://uendjalpo[.]hdnal1[.]repl[.]co/
  • hxxps://cuenta2323[.]confirmarsa[.]repl[.]co/
  • hxxps://metallictruthfuladdresses[.]tabojo1461[.]repl[.]co/
  • hxxp://buzonoutlook[.]eshost[.]com[.]ar/?i=2
  • hxxp://buzonoutlook[.]eshost[.]com[.]ar/
  • hxxps://athleticsnarlingrhombus32[.]sergio2525[.]repl[.]co/

IOK Rule (edit)

title: Microsoft Outlook Phishing Kit 9e75296
description: |
    Detects a Microsoft Outlook phishing kit targeting Spanish speaking users.
    
references:
    - https://urlscan.io/result/9e752962-a73a-41b6-813d-ca9026cb5391
    - https://urlscan.io/result/5c31c1c9-d13d-4ce6-a01b-b6c22e64e932
    
detection:

    jsFunction:
      html|contains: 'soloNumeros'
      
    logoFileName:
      html|contains: 'fond.png'
      
    exfilDestination:
      html|contains: 'action="savefile.php"'
      
    condition: jsFunction and logoFileName and exfilDestination

tags:
  - target.microsoft_outlook