Little phishing campaign this morning. Just some scareware type stuff hosted on windows dot net. Again. Maybe take a look at your web and / or DNS logs (if you have them) for something like this:

^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$

And here is a list of over 900~~0~~ IPs sending the messages. They're spoofing the sender so they fail on SPF and DKIM if you're enforcing those. Also, lots of residential IPs so this is meant more for hunting rather than proactive blocking. Unless you want to block them just at the mail server.

https://blog.gayint.org/intel/phishing20260406.txt

#GAYINT

@cR0w that TLD is all of Azure Storage static web apps
@scottley Yep. And I'd love to block them all but I can't.
@cR0w to this point here... you could block all hosts that are not starting with storage account names your company uses... if that is the scope of risk you want to block... you will break things if your providers are using the Azure data plane naked domains and not using custom domain names.

@cR0w the regex part is the storage account name - if you have a specific host name, that will limit noise on that check.

You can report the specific hosts to MSRC abuse report portal and they will get taken down.

https://msrc.microsoft.com/report/


@scottley Do they actually still do takedowns from non-LEOs or big industry orgs? I've heard they aren't as responsive anymore.

Also, they don't all fall into that same regex, do they? I swear I've mostly seen different hostnames in the logs before.

@cR0w I worked on the automated takedown... they are typically a free trial...

@cR0w there are different "data plane" top level domains for different Azure Services.

Azure Web Apps != Azure Static Web Apps... one is App Services (where you can write server side code) and those are [account valid name regex].azurewebsites.net and the static Web apps are [Storage Account valid name regex].z\d{1,2}.web.core.windows.net.

Other Azure Network and Compute stuff can end up on the TLD .core.windows.net...

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules

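Putting the hunt regex from the top of the thread together with @scottley's suggestion to allowlist the storage account names your org actually uses, here is an added example (not code from either poster): a small Python scanner over constructed DNS log lines that flags static-website lookups on web.core.windows.net unless the account is on your allowlist, and marks which of those match the campaign pattern. The log line format, the allowlist entries and the 3-24 alphanumeric account-name shape are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Regex posted at the top of the thread for this campaign's hosts.
CAMPAIGN_RE = re.compile(r"^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$")

# Broader shape of any Azure Storage static website host (assumption: storage
# account names are 3-24 lowercase letters/digits, per the Azure naming rules).
STATIC_WEB_RE = re.compile(
    r"^(?P<account>[a-z0-9]{3,24})\.z[0-9]{1,2}\.web\.core\.windows\.net$"
)

# Storage accounts your own org (or known providers) legitimately use.
# Hypothetical allowlist; replace it with your inventory.
KNOWN_ACCOUNTS = {"corpassets01", "vendorcdn7"}

def classify_host(host: str, known_accounts=KNOWN_ACCOUNTS) -> Optional[str]:
    """Verdict for one queried hostname, or None if it is not a static web host."""
    name = host.lower().rstrip(".")
    m = STATIC_WEB_RE.match(name)
    if not m:
        return None  # azurewebsites.net, blob endpoints, etc. are out of scope
    if m.group("account") in known_accounts:
        return "known-account"
    if CAMPAIGN_RE.match(name):
        return "campaign-match"
    return "unknown-account"

def hunt(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan constructed DNS log lines '<timestamp> <client-ip> query <qname>'
    and return (client, qname, verdict) for every static-website lookup that
    is not on the allowlist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3]
        verdict = classify_host(qname)
        if verdict and verdict != "known-account":
            hits.append((client, qname.lower().rstrip("."), verdict))
    return hits

# Constructed sample log; none of these hostnames are real indicators.
SAMPLE_LOG = [
    "2026-04-06T09:12:01Z 10.0.0.5 query corpassets01.z13.web.core.windows.net",
    "2026-04-06T09:12:07Z 10.0.0.9 query qwertyuio.z5.web.core.windows.net.",
    "2026-04-06T09:12:09Z 10.0.0.9 query myapp.azurewebsites.net",
    "2026-04-06T09:13:30Z 10.0.1.4 query abc123xyz0.z22.web.core.windows.net",
]

if __name__ == "__main__":
    for client, qname, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:16} {client:12} {qname}")
```

Hosts that hit "unknown-account" are the ones worth checking against your providers before deciding whether they belong on the allowlist or in an abuse report.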

@cR0w I bet the IPs you listed come back as Azure Web Apps... typically these campaigns are phishing toolkits you can clone from GitHub...
@scottley The IPs are mostly residential ISPs based on my spot checks.
@cR0w but seriously... report abuse please... that's the right path to prevent harm.
@scottley Thanks for all the info. I didn't realize how different everything is in Azure, especially since I don't do much on the phishing side. They've been submitted, despite the outdated API docs. 🍻