Submitted URL: https://secure-web.cisco.com/1jYXQgafoCfoVvSCPL5Qlci3vyA8VjcsMyFdxPFByLLxF1eMzKAXhg9IZFwGv5ale0RoegoxBt9Ez0gkuXKcugTHIX-pnbJK...
Effective URL: https://threatpost.com/microsoft-accounts-targeted-russian-credential-harvesting/178698/?utm_campaign=This%20Week%20in%...
Submission: On March 10 via api from US — Scanned from DE


MICROSOFT ACCOUNTS TARGETED BY RUSSIAN-THEMED CREDENTIAL HARVESTING

Author: Tara Seals
March 1, 2022 5:57 am
2 minute read
Malicious emails warning Microsoft users of “unusual sign-in activity” from
Russia are looking to capitalize on the Ukrainian crisis.

While legitimate concerns abound about the Russian-Ukrainian conflict sparking a
far-reaching cyberwarfare conflagration around the globe, small-time crooks are
also ramping up their efforts amid the crisis. Phishing emails to Microsoft
users warning of Moscow-led account hacking have started to make the rounds,
looking to lift credentials and other personal details.

That’s according to Malwarebytes, which uncovered a spate of spam email that
name-checks Russian hacking efforts. The subject line for the messages is
“Microsoft account unusual sign-in activity,” researchers noted.

The body reads:

Unusual sign-in activity

We detected something unusual about a recent sign-in to the Microsoft account

Sign-in details

 * Country/region: Russia/Moscow
 * IP address:
 * Date: Sat, 26 Feb 2022 02:31:23 +0100
 * Platform: Kali Linux
 * Browser: Firefox

A user from Russia/Moscow just logged into your account from a new device, If
this wasn’t you, please report the user. If this was you, we’ll trust similar
activity in the future.

Report the user

Thanks,

The Microsoft account team

The emails then provide a button to “report the user,” and an unsubscribe
option, according to Malwarebytes’ Tuesday analysis. Clicking the button creates
a new, pre-addressed message with the to-the-point subject line of “Report the
user”; the recipient’s email address references Microsoft account protection,
but it belongs to the scammers, not to Microsoft.

Replying to that address exposes the victim to a range of follow-on risks, the
researchers said.

“People sending a reply will almost certainly receive a request for login
details, and possibly payment information, most likely via a bogus phishing
page,” the researchers explained. “It’s also entirely possible the scammers will
keep everything exclusively to communication via email. Either way, people are
at risk from losing control of their account to the phishers. The best thing to
do is not reply, and delete the email.”

As ever, the spam offers up red flags in the form of grammatical errors,
including misspellings, such as “acount.” In other words, it’s not a
particularly sophisticated effort, but it’s a savvy one. As is the case with any
major world event, cresting interest (or fear) is catnip for social engineers.
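The tells the article gives (the lure subject line, a “report” button that is really a mailto: link to a non-Microsoft address, which is what “creates a new message” implies, and the “acount” misspelling) are enough for a mail-gateway triage rule. The following Python is an added example for this page, not code from Threatpost or Malwarebytes: the two sample messages and every address in them are constructed for the demo (the article does not print the campaign’s addresses), and the allow-list of genuine alert domains is an assumption to tune for your own tenant.

```python
"""Triage rule for the 'unusual sign-in activity' phishing lure.

Added example; not Malwarebytes' or Threatpost's code. Sample messages and all
addresses below are constructed (.example is a reserved TLD). The allow-list of
genuine alert domains is an assumption for this demo.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Assumption: domains a genuine Microsoft account alert would be sent from.
LEGIT_ALERT_DOMAINS = {"accountprotection.microsoft.com", "microsoft.com"}

LURE_SUBJECT = re.compile(r"unusual sign-?in activity", re.I)
# Spelling slip the article calls out in the real messages ("acount").
TYPO_INDICATOR = re.compile(r"\bacount\b", re.I)


class MailtoLinks(HTMLParser):
    """Collect (href, link text) for every <a href="mailto:..."> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] while inside a mailto: anchor

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "") if tag == "a" else ""
        if href.lower().startswith("mailto:"):
            self._open = [href, ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def domain_of(addr):
    """'Name <user@host>' or 'user@host' -> 'host' (lower-case, '' if none)."""
    addr = str(addr)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].rstrip("> ").lower()


def mailto_target_domain(href):
    """'mailto:user@host?subject=...' -> 'host'."""
    return domain_of(href[len("mailto:"):].split("?", 1)[0])


def triage(raw):
    """Return subject, sender domain, findings and a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    from_dom = domain_of(msg.get("From", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = MailtoLinks()
    links.feed(html)

    findings = []  # context only: a matching subject is not by itself malicious
    if LURE_SUBJECT.search(subject):
        findings.append("subject matches the sign-in-alert lure")
    red_flags = []  # any one of these makes the message suspicious
    if from_dom and from_dom not in LEGIT_ALERT_DOMAINS:
        red_flags.append(f"sender domain {from_dom} is not a known alert domain")
    for href, text in links.links:
        tgt = mailto_target_domain(href)
        if tgt not in LEGIT_ALERT_DOMAINS:
            red_flags.append(f"'{text}' is a mailto: link to {tgt}: the 'report' "
                             "button just starts a reply to the phisher")
    if TYPO_INDICATOR.search(html):
        red_flags.append("misspelling 'acount' in body")

    return {"subject": subject, "from_domain": from_dom,
            "findings": findings + red_flags,
            "verdict": "suspicious" if red_flags else "clean"}


# Constructed sample mirroring the body quoted in the article; addresses invented.
SAMPLE_PHISH = b"""\
From: Microsoft account team <alerts@account-protection.example>
To: victim@example.org
Subject: Microsoft account unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected something unusual about a recent sign-in to the Microsoft acount</p>
<ul><li>Country/region: Russia/Moscow</li><li>Platform: Kali Linux</li></ul>
<p><a href="mailto:report@account-protection.example?subject=Report%20the%20user">Report the user</a></p>
</body></html>
"""

# Constructed benign counterpart: same subject, allow-listed sender, no mailto: button.
SAMPLE_CLEAN = b"""\
From: Microsoft account team <no-reply@accountprotection.microsoft.com>
To: victim@example.org
Subject: Microsoft account unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body><p>Review the activity in your account security settings.</p></body></html>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_CLEAN):
        result = triage(sample)
        print(result["verdict"], result["findings"])
```

The rule deliberately treats the subject line as context rather than as a red flag: genuine Microsoft alerts use the same wording, so the decision rests on where the mail came from and where its “report” button actually sends the reply. A mailto: target outside the allow-list is the strongest signal, because a legitimate alert would route you to a sign-in page, not ask you to email anyone.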

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is
going to make most people do a double, and it’s perfect spam bait material for
that very reason,” researchers said. “[The emails] (deliberately or not) could
get people thinking about the current international crisis. Being on your guard
will pay dividends over the coming days and weeks, as more of the below is sure
to follow.”

The mail explicitly targets Microsoft account holders, but the good news is that
Outlook is sending the emails directly to the spam folder, according to
Malwarebytes. However, the firm pointed out that, “depending on personal
circumstance and/or what’s happening in the world at any given moment, one
person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take
for some folks to lose their login, and this mail is perhaps more salient than
most for the time being.”

 * Web Security