Rewterz Threat Alert – Fake Microsoft Login Page
December 31, 2020
Severity
Medium
Analysis Summary
Researchers have observed a rise in phishing emails targeting companies developing COVID-19 vaccines and therapies. Every attack seen so far leads to a fake Office 365 login page, with the targeted company's name shown in the login field; the fake pages are identical to the legitimate company login pages. The phishing hosts follow one naming scheme: the targeted company's name followed by a number, or by "fax" and a number, as a subdomain of an apponline-<four digits>[.]xyz domain (see the indicators below). Because the lure harvests account credentials rather than delivering malware, the likely aim is access to vaccine-related information for the attackers' own development and use.
Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
Domain Name
- optum-2989[.]apponline-0238[.]xyz
- gilead-fax16[.]apponline-8473[.]xyz
- idtdna-fax12[.]apponline-9234[.]xyz
- novartis-fax78[.]apponline-2641[.]xyz
- abbott-9196[.]apponline-5673[.]xyz
- astrazeneca-fax34[.]apponline-1424[.]xyz
- its-fax83[.]apponline-9234[.]xyz
- pfizer-fax80[.]apponline-8473[.]xyz
- merckgroup-2585[.]apponline-8473[.]xyz
Remediation
- Block the listed domains at your respective controls (DNS resolver, web proxy and email gateway).
- Search DNS, proxy and email logs for the listed domains, and also for other hosts under the same apponline-<four digits>[.]xyz naming scheme, since the listed hosts are unlikely to be the only ones the kit uses.
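The search step above, as an added example that is not part of the Rewterz alert: a small Python scanner that refangs the listed indicators and checks each queried hostname in a resolver log three ways, in order of specificity: an exact match against the list, a match on a parent zone taken from the list (catches new subdomains such as another company name under apponline-8473[.]xyz), and a match on the naming shape `<brand>-(fax)?<digits>.apponline-<4 digits>.xyz`. The shape match is my generalisation from the nine listed hosts, not something the alert states, so it is labelled as an assumption in the code. The log format (`timestamp client qname qtype`) and the sample lines are constructed for the example.

```python
import re

# Indicators copied verbatim from the alert (defanged with [.]).
ALERT_IOCS = [
    "optum-2989[.]apponline-0238[.]xyz",
    "gilead-fax16[.]apponline-8473[.]xyz",
    "idtdna-fax12[.]apponline-9234[.]xyz",
    "novartis-fax78[.]apponline-2641[.]xyz",
    "abbott-9196[.]apponline-5673[.]xyz",
    "astrazeneca-fax34[.]apponline-1424[.]xyz",
    "its-fax83[.]apponline-9234[.]xyz",
    "pfizer-fax80[.]apponline-8473[.]xyz",
    "merckgroup-2585[.]apponline-8473[.]xyz",
]


def refang(ioc):
    """Convert a defanged indicator into a real, lower-cased hostname."""
    return ioc.strip().lower().replace("[.]", ".")


def registered_zone(host):
    """Last two labels of a hostname, e.g. apponline-8473.xyz.
    Good enough for .xyz; a real deployment would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


EXACT_HOSTS = {refang(i) for i in ALERT_IOCS}
KNOWN_ZONES = {registered_zone(h) for h in EXACT_HOSTS}

# Assumption, not from the alert: every listed host has the shape
# <brand>-(fax)?<digits>.apponline-<4 digits>.xyz, so hosts from the same
# kit that were not in the list probably do too.
KIT_PATTERN = re.compile(r"^[a-z0-9]+-(?:fax)?\d+\.apponline-\d{4}\.xyz$")


def classify(host):
    """Return 'exact', 'zone', 'pattern' or None, most specific match first."""
    h = host.lower().rstrip(".")
    if h in EXACT_HOSTS:
        return "exact"
    if registered_zone(h) in KNOWN_ZONES:
        return "zone"
    if KIT_PATTERN.match(h):
        return "pattern"
    return None


def scan_dns_log(lines):
    """Scan 'timestamp client qname qtype' lines (constructed format);
    return a list of (line_no, hostname, match_kind) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        kind = classify(fields[2])
        if kind:
            hits.append((n, fields[2].lower().rstrip("."), kind))
    return hits


# Constructed sample resolver log, not real telemetry.
SAMPLE_LOG = [
    "2020-12-31T09:14:02Z 10.0.4.17 pfizer-fax80.apponline-8473.xyz A",
    "2020-12-31T09:15:10Z 10.0.4.22 login.microsoftonline.com A",
    "2020-12-31T09:16:44Z 10.0.4.17 moderna-fax21.apponline-8473.xyz A",
    "2020-12-31T09:17:01Z 10.0.4.31 regeneron-4410.apponline-7711.xyz A",
    "2020-12-31T09:18:55Z 10.0.4.5 outlook.office365.com A",
    "2020-12-31T09:19:30Z 10.0.4.17 APPONLINE-8473.XYZ. A",
]

if __name__ == "__main__":
    for line_no, host, kind in scan_dns_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} ({kind})")
```

Treat an `exact` or `zone` hit as a confirmed contact with the phishing infrastructure and go straight to resetting the user's Office 365 credentials and revoking sessions; a `pattern` hit is a lead to verify first, since the shape match is an inference from the listed hosts rather than an indicator from the alert.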