SANS ISC: InfoSec Handlers Diary Blog



New spamming technique - onmicrosoft.com

Published: 2013-10-17
Last Updated: 2013-10-18 13:47:13 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

Spammers have long relied on bots, compromised webmail accounts, or open SMTP relays to send their dastardly payloads to our mailboxes. This new trend is a variation on the theme: the spammer sets up a vanity domain and then sends spam through it. The interesting bit here is that it is not hotmail.com or outlook.com but onmicrosoft.com being used. The format is as follows: <UserName>@<Vanity-name>.onmicrosoft.com. One reader, Melvin, has seen quite a few of these and asked me to write this up. To quote Melvin: "So, spammers are registering *WITH* Microsoft for domain-hosting and web-hosting, and then abusing Microsoft's own mail-servers ("six-nines-availability/reliability") to distribute their spam/scam messages." <sarcasm>Awesome business plan!</sarcasm>

Is your IDS/IPS, anti-spam, or email gateway allowing these through, alerting on them, or blocking them?

Here are some samples:

Date: Wed, 16 Oct 2013 20:49:20 +0100
Subject: (none)
From: Uk National <001@tanlan.onmicrosoft.com>
Reply-To: <claimsagent845@yahoo.com.hk>

Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery ...
______________

Date: Mon, 7 Oct 2013 20:13:23 +0530
Subject: BARCLAY'S BANK
From: BARCLAY'SBANK <pp7@lines.onmicrosoft.com>
Reply-To: <barclaysbnnkplclondon@zing.vn>
______________

Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
______________

Date: Tue, 1 Oct 2013 18:22:23 +0100
Subject: Attn:This Is My Second Email,Please Respond
From: Ahmed Mohamed <Ahmed01@lawoffice2013.onmicrosoft.com>
Reply-To: <askahmedmhd@yahoo.co.uk>
______________

Date: Sat, 28 Sep 2013 21:35:33 +0530
Subject: Do you need A Business OR Personal Loan
From: Loan Offer <LOAN21110011@Changloan656.onmicrosoft.com>
Reply-To: <loanoff00@hotmail.com>
______________

Date: Thu, 26 Sep 2013 22:19:47 +0000
Subject: Exclusive offer, feel it for real
From: <GiuseppeArena@wabipyge.onmicrosoft.com>
______________

Date: Sat, 21 Sep 2013 04:20:00 +0530
Subject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX
From: <019@Burrows00t.onmicrosoft.com>
Reply-To: <donphilip011@gmail.com>
______________

Date: Wed, 18 Sep 2013 07:17:50 +0000
Subject: Unique product for your needs
From: <MichaelAshcroft@wabipyge.onmicrosoft.com>
______________

Date: Mon, 16 Sep 2013 17:58:25 +0530
Subject: Re
From: " Miss Zaina Abisali" <3@emailer.onmicrosoft.com>
Reply-To: <miss.zainaabisali@gmail.com>
______________


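The question above (is your gateway letting these through, alerting, or blocking?) can be answered with a small header check. The following is an added example written for this diary, not code from the original post: it transcribes the sample headers listed above as constructed input, adds two constructed control messages (an ordinary sender at example.com and a tenant "contoso" with no Reply-To, both assumptions), and flags messages whose From: domain is a *.onmicrosoft.com tenant, escalating when the Reply-To: points at a different domain or at a free-mail provider. The free-mail list is an assumption drawn from the samples. It also counts how often each tenant appears, since the same tenant (wabipyge) shows up twice in the samples.

```python
import email
from collections import Counter
from email.utils import parseaddr

# Constructed sample headers, transcribed from the diary's examples, plus two
# control messages (the last two entries) that are assumptions for this example.
SAMPLES = [
    "From: Uk National <001@tanlan.onmicrosoft.com>\nReply-To: <claimsagent845@yahoo.com.hk>\nSubject: (none)\n\n",
    "From: BARCLAY'SBANK <pp7@lines.onmicrosoft.com>\nReply-To: <barclaysbnnkplclondon@zing.vn>\nSubject: BARCLAY'S BANK\n\n",
    "From: <JackChappell@morriswatanabe.onmicrosoft.com>\nSubject: Let the moment last as much as you want.\n\n",
    "From: Ahmed Mohamed <Ahmed01@lawoffice2013.onmicrosoft.com>\nReply-To: <askahmedmhd@yahoo.co.uk>\nSubject: Attn:This Is My Second Email,Please Respond\n\n",
    "From: Loan Offer <LOAN21110011@Changloan656.onmicrosoft.com>\nReply-To: <loanoff00@hotmail.com>\nSubject: Do you need A Business OR Personal Loan\n\n",
    "From: <GiuseppeArena@wabipyge.onmicrosoft.com>\nSubject: Exclusive offer, feel it for real\n\n",
    "From: <019@Burrows00t.onmicrosoft.com>\nReply-To: <donphilip011@gmail.com>\nSubject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX\n\n",
    "From: <MichaelAshcroft@wabipyge.onmicrosoft.com>\nSubject: Unique product for your needs\n\n",
    "From: \" Miss Zaina Abisali\" <3@emailer.onmicrosoft.com>\nReply-To: <miss.zainaabisali@gmail.com>\nSubject: Re\n\n",
    # Constructed controls: an ordinary sender, and a tenant with no Reply-To.
    "From: Alice <alice@example.com>\nReply-To: <alice@example.com>\nSubject: lunch\n\n",
    "From: Bob <bob@contoso.onmicrosoft.com>\nSubject: Q3 report\n\n",
]

# Free-mail domains seen in the samples' Reply-To headers (assumed list).
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com.hk", "yahoo.co.uk", "zing.vn"}
TENANT_SUFFIX = ".onmicrosoft.com"


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent/unparseable)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def tenant_of(domain):
    """'tanlan.onmicrosoft.com' -> 'tanlan'; '' when not an onmicrosoft tenant."""
    if domain.endswith(TENANT_SUFFIX):
        return domain[: -len(TENANT_SUFFIX)]
    return ""


def classify(raw_message):
    """Return the list of reasons a message looks like onmicrosoft.com vanity spam."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []
    if tenant_of(from_dom):
        reasons.append("from-onmicrosoft")
        # Replies routed away from the sending tenant are the scam pattern above.
        if reply_dom and reply_dom != from_dom:
            reasons.append("reply-to-mismatch")
        if reply_dom in FREEMAIL:
            reasons.append("reply-to-freemail")
    return reasons


def verdict(raw_message):
    """'block' when two or more indicators fire, 'alert' on a lone tenant sender,
    'pass' otherwise. A tenant alone is only an alert because legitimate
    Office 365 tenants also send from *.onmicrosoft.com."""
    reasons = classify(raw_message)
    if len(reasons) >= 2:
        return "block"
    if reasons:
        return "alert"
    return "pass"


def tenant_counts(samples):
    """How many messages each onmicrosoft tenant sent; repeat tenants are worth a rule."""
    tenants = (tenant_of(domain_of(email.message_from_string(s).get("From"))) for s in samples)
    return Counter(t for t in tenants if t)


if __name__ == "__main__":
    for raw in SAMPLES:
        from_hdr = email.message_from_string(raw).get("From")
        print(f"{verdict(raw):5s} {from_hdr:55s} {classify(raw)}")
    print("tenants:", dict(tenant_counts(SAMPLES)))
```

Run as-is it prints one verdict line per sample; in practice the same three checks map onto a gateway rule (From domain pattern plus Reply-To mismatch) or a SIEM search over mail logs. Tenants that recur across blocked messages are the ones to write a specific rule for.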
Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Keywords: spam

Microsoft phish

Published: 2013-10-17
Last Updated: 2013-10-17 22:19:09 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

What luck! The handlers list just received a really well done phish: no awkward grammar, no typos. The URL points to the following link:

hxxp://innovativeair.org/wp-info/microsoft/index.htm

From the format it would appear to be a compromised WordPress site. It has already been reported to the anti-phishing groups, and the built-in phishing and malware protection in Firefox detects the page as phishing. The only unusual thing is how well done the email is, and that it bypassed the anti-spam filter to arrive in my mailbox.

Ask yourself, would your users click?

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

Keywords: microsoft phish

Internet wide DNS scanning

Published: 2013-10-17
Last Updated: 2013-10-17 16:06:18 UTC
by Adrien de Beaupre (Version: 1)
9 comment(s)

We have received a request from a research group to let everyone know that they will be conducting Internet wide scanning of DNS servers. This is their request:

"Our team at the Network Architectures and Services Dept. (I8) of TU München, Germany, has started a DNS scan. This has similar goals as the scans that we have conducted for SSL and SSH in the past months. Once again, the purpose is purely scientific. The scanning machine is 131.159.14.42. We are querying DNS servers to resolve host names. We do not in any way try to compromise the servers. Additionally, the load caused by our activities should be very low on a single server. The idea of our queries is to get a better understanding of the inner workings of DNS, one of the most ubiquitous protocols of the Internet. We would appreciate it very much if you added a comment in your database. Please note that we respond to every complaint and are happy to blacklist systems with annoyed admins."

Their purpose is scientific research. Interestingly, I call scanning without permission unethical and rude. If you do not want to be part of the research, I recommend that you block all DNS requests from that IP address. They have performed similar SSH and SSL scans in the past, from different IP addresses. What do you think? Let us know via our Contact Us page or in the comments below.

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

Keywords: dns scanning