IOK Rules: target.microsoft

Microsoft Phishing Kit be5a6fa

Detects a Microsoft phishing kit targeting Spanish-speaking users.

Microsoft Phishing Kit zuu2wvfc

Detects a Microsoft phishing kit with a lot of entropy, making it easy to detect. Discovered as a result of this being deployed on Replit.com.

Microsoft Phishing Kit b3fcc7b

Detects a Microsoft phishing kit targeting Spanish-speaking users.

Microsoft Tech Support Kit 0589be7

A Microsoft tech support kit containing an audio file used across many different domains, as well as a JS function that is used to get the phone number from the URL parameters.

Microsoft Outlook Phishing Kit 142e470f

Detects a phishing kit targeting Microsoft Outlook. Users are being tricked into entering their Microsoft credentials into a fake form. This kit targets Spanish-speaking users. Found as a result of this kit being deployed on Replit.

Microsoft Phishing Kit 544eva7

Detects a Microsoft phishing kit targeting Spanish-speaking users.

Microsoft Tech Support Kit d94c3cf

Detects a Microsoft tech support kit targeting Japanese-speaking users, using the same name for the warning audio file as well as the same class `name` attribute for the banner elements.

Microsoft Phishing Kit EwNaWJpB

Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.

Microsoft Phishing Kit fyfcvk8e

Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. The phishing kit calls sc.php to perform license validation prior to loading page content.

Microsoft Phishing Kit rxkr4n3b

Detects a poorly designed and simple Microsoft phishing kit. Discovered as a result of this being deployed on Replit.com.

Microsoft Phishing Kit Landing Page 4NCTpU

Detects the landing page of a Spanish-speaking phishing kit targeting Microsoft with two stages. The first stage is a landing page with a "Start the corresponding verification process" message; in the second stage the user is asked to enter their credentials. The stages switch using a redirect through an anchor. The detection of this tiny HTML page is based on the fact that the attacker thought it was a good idea to use special characters for their asset URLs. Found as a result of this kit being deployed on Replit.