Phishing kit targeting MS login pages
Analysis Summary
# Tool/Technique: Phishing Kit Targeting MS Login Pages (Potential Rockstar2FA Connection)
## Overview
This entry describes an ongoing phishing campaign that uses specially crafted web pages, hosted primarily on Cloudflare Pages (`.pages.dev` domains), to mimic Microsoft login pages. The goal is to steal user credentials; the lure emails are themed around bids, invoices, or document signatures.
## Technical Details
- Type: Attack Tool (Phishing Kit)
- Platform: Web (Targets users accessing Microsoft services via web browser)
- Capabilities: Credential harvesting, redirection chains, potential 2FA bypass (implied by the Rockstar2FA identification), and CAPTCHA challenges used to hinder automated scanning and analysis.
- First Seen: The article is dated October 27, 2025, referencing ongoing activity.
## MITRE ATT&CK Mapping
This campaign primarily focuses on initial access and credential theft.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing: Attachment (implied by email subjects prompting a file download)
    - T1566.002 - Spearphishing: Link (URLs embedded in emails)
- **TA0006 - Credential Access**
  - T1056 - Input Capture
    - T1056.001 - Keylogging / credential harvesting via web forms
## Functionality
### Core Capabilities
- **Credential Harvesting:** Serving web pages designed to look identical to Microsoft login interfaces to capture usernames and passwords.
- **Delivery Mechanism:** Distributing malicious URLs via emails disguised as business communications (invoices, bids).
- **Infrastructure Use:** Leveraging Cloudflare infrastructure and `.pages.dev` domains to host phishing fronts, likely for obfuscation and reputation.
### Advanced Features
- **Redirection Chains:** Employing a sequence of redirects (from the initial email link to a fake OpenGov site) before presenting the final phishing page.
- **CAPTCHA Integration:** The use of CAPTCHA challenges is noted, likely employed to block automated scanning and analysis tools, and potentially to filter out non-target traffic.
- **Potential 2FA Evasion:** The reported match with the **Rockstar2FA kit** strongly suggests the kit can intercept, or prompt the victim for, multi-factor authentication codes entered during the session.
## Indicators of Compromise
The provided IOCs are primarily network-based indicators for the active phishing infrastructure.
- File Hashes: Not provided in the context.
- File Names: Not provided (as this is a web-based attack).
- Registry Keys: Not applicable (purely web-based attack).
- Network Indicators: a list of defanged phishing domains, predominantly `.pages.dev` hosts, is provided in the original report.
- Behavioral Indicators: HTTP transaction flows indicating redirection sequences leading to the credential harvesting page; observed use of Cloudflare infrastructure for hosting.
## Associated Threat Actors
The article does not explicitly name a threat actor, but the mention of the **Rockstar2FA kit** suggests association with actors known to utilize this specific, often sophisticated, phishing framework.
## Detection Methods
- Signature-based detection: Blocklist the known malicious domains and URLs reported for this campaign.
- Behavioral detection: Monitoring for URL redirection chains that pass through multiple temporary/obscured domains before presenting a known sensitive login page (like MS login or M365).
- YARA rules: Not provided, but rules targeting HTML/JavaScript unique to phishing kits or known Rockstar2FA markers could be developed.
- Specific Alerting: Alerting on credentials submitted to non-official Microsoft domains, particularly those utilizing `pages.dev`.
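As an added illustration of the behavioral detection and the credential-submission alert above (example code written for this summary, not part of the original report), the script below walks constructed proxy log lines, reconstructs per-client redirect chains, and flags chains that end on `.pages.dev` hosting as well as login POSTs to hosts that are not official Microsoft login domains. The log format, hostnames, and the official-domain list are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not from the report): time client method url status redirect-target
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://lure.example/bid 302 https://opengov-lookalike.example/doc
10:00:02 10.0.0.5 GET https://opengov-lookalike.example/doc 302 https://bid-portal.pages.dev/login
10:00:03 10.0.0.5 GET https://bid-portal.pages.dev/login 200 -
10:00:09 10.0.0.5 POST https://bid-portal.pages.dev/login 200 -
10:01:00 10.0.0.7 GET https://login.microsoftonline.com/common/oauth2/authorize 200 -
10:01:05 10.0.0.7 POST https://login.microsoftonline.com/common/login 302 https://outlook.office.com/
"""

# Assumed allow-list of legitimate Microsoft login hosts; extend for your tenant's federation hosts.
OFFICIAL_MS_LOGIN = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
SUSPECT_HOSTING = (".pages.dev",)  # public hosting abused by this campaign
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")

def parse(log):
    """Return (ts, client, method, url, status, redirect_target_or_None) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, status, loc = m.groups()
            events.append((ts, client, method, url, int(status), None if loc == "-" else loc))
    return events

def host(url):
    return (urlparse(url).hostname or "").lower()

def redirect_chains(events, min_hops=2):
    """Per client, follow 3xx hops; flag chains of >= min_hops that land on suspect hosting."""
    flagged, current = [], defaultdict(list)
    for _, client, _, url, status, loc in events:
        chain = current[client]
        if chain and chain[-1] != url:  # request did not follow the pending redirect: new chain
            chain.clear()
        if not chain:
            chain.append(url)
        if 300 <= status < 400 and loc:
            chain.append(loc)
        else:  # chain terminates here; evaluate and reset
            if len(chain) - 1 >= min_hops and host(chain[-1]).endswith(SUSPECT_HOSTING):
                flagged.append((client, list(chain)))
            chain.clear()
    return flagged

def credential_posts(events):
    """POSTs to a login-looking path on a host that is not an official Microsoft login domain."""
    return [(c, url) for _, c, m, url, _, _ in events
            if m == "POST" and "login" in urlparse(url).path.lower()
            and host(url) not in OFFICIAL_MS_LOGIN]
```

Run `redirect_chains(parse(SAMPLE_LOG))` and `credential_posts(parse(SAMPLE_LOG))` to see the two alerts the constructed lines produce; real deployments would feed events from the proxy or SIEM instead of the inline string.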
## Mitigation Strategies
- Prevention measures: Implement robust email filtering that scans URLs for known phishing patterns and checks against threat intelligence feeds.
- Hardening recommendations: Enforce Multi-Factor Authentication (MFA) universally, utilizing hardware keys or authenticator apps over SMS where possible. Users should be trained to verify the URL domain *before* entering credentials, even if the page looks legitimate. Disable link following for unknown senders.
## Related Tools/Techniques
- Rockstar2FA Kit: Explicitly mentioned as a potential match, implying similar logic for multi-factor code interception.
- Other Phishing Kits: General phishing frameworks used for credential harvesting (e.g., EvilGinx2, Modlishka).
- Cloudflare Abuse: Hosting phishing fronts on legitimate public services (such as Cloudflare Pages or GitHub Pages) to benefit from the provider's reputation and to complicate blocking, takedown, and incident response.