Outlook Phishing Kit hCO41m

Detects a phishing kit pretending to be Outlook and attempting to capture the user's credentials. Found as a result of this kit being deployed on Replit.

References

IOK Rule (edit)

title: Outlook Phishing Kit hCO41m
description: |
    Detects a phishing kit pretending to be Outlook and attempting to capture the user's credentials.
    Found as a result of this kit being deployed on Replit.


references:
    - https://urlscan.io/result/ef32cd01-2a2c-4513-bdc2-d44e7d3f870c/
    - https://urlscan.io/result/686725c9-178d-494d-afbb-25900318cb70/

detection:

    title:
      html|contains:
        - <title>Document</title>

    logo:
      html|contains:
        - <img src="logo.png" class="img-fluid">

    privateComputerCheckmark:
      html|contains:
        - <img src="k.png" class="img-fluid">

    logoGenerator:
      html|contains:
        - logo.clearbit.com


    condition: title and logo and privateComputerCheckmark and logoGenerator

tags:
  - kit
  - target.outlook