-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create/Update Microsoft Indicators (#228)
* 🚀 New Mircosoft Phishing Kit Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. * ✨ Update rxkr4n3b to escape img on the phish.report viewer the img string has single quotes but the version in this repo does not * ✨ Update microsoft-fyfcvk8e Look for sc.php performing license checks. * ✨Update microsoft-fyfcvk8e Update modifier to match all requests --------- Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
- Loading branch information
1 parent
c6e6502
commit 717df77
Showing
2 changed files
with
33 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
title: Microsoft Phishing Kit fyfcvk8e | ||
description: | | ||
Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. | ||
The phishing kit calls sc.php to perform license validation prior to loading page content. | ||
references: | ||
- https://urlscan.io/result/0f35c05b-73e0-4397-9e7e-9e3edb508d16 | ||
- https://urlscan.io/result/e73ca666-5a09-4c0e-949b-33a8f6ee7564 | ||
- https://urlscan.io/result/0ebaab43-0235-42cc-9304-153f698868d4 | ||
- https://urlscan.io/search/#filename%3A%22sc.php%22%20AND%20filename%3A%22jquery-3.1.1.min.js%22%20AND%20filename%3A%22crypto-js.min.js%22 | ||
|
||
detection: | ||
|
||
phone: | ||
dom|contains: | ||
- +X XXXXXXXX71 | ||
|
||
browser: | ||
dom|contains: | ||
- THIS WORKS AS A SIGNA TURE CHANGE FOR DETECED BROWSER | ||
|
||
licenseServer: | ||
requests|contains|all: | ||
- "sc.php" | ||
- "jquery-3.1.1.min.js" | ||
- "crypto-js.min.js" | ||
|
||
condition: all of them | ||
|
||
tags: | ||
- kit | ||
- target.microsoft |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters