0utl00k

By Robert Falcone. Category: Unit 42. Tags: DarkHydrus, 0utl00k, Phishery.

Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East.



Figure 5.





DarkHydrus also created their C2 domain carefully in an attempt to further trick the targeted user into entering their credentials.

These attacks were targeting government entities and educational institutions in the Middle East. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near future.

Figure 2.

We were unable to find the displayed document via open source research, which may suggest that the actor gathered this password handover form from a prior operation.

Additional DarkHydrus Word documents used to steal credentials.


A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in

It also appears that this is an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of

Password handover form displayed after credential theft

The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.

We found two additional Word documents using the 0utl00k[. Unlike the June document that displayed no content after credential theft, both of these documents displayed content that appears pertinent to the targeted organization.

We were able to replicate the remote template path seen in Figure 4 by using Phishery to create a weaponized delivery document. On the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7.

Conclusion

DarkHydrus is a threat group carrying out attack campaigns targeting organizations in the Middle East.
