Phishing attack: one of the largest companies in Bangladesh targeted by threat actor Storm-1575

Md. Mahim Bin Firoj
4 min read · Dec 11, 2024


One of my colleagues sent me the phishing mail as an .eml file. He asked me to analyze it and give him IOCs so that they could take action, because some of their employees had already opened the malicious attachment.

Even Microsoft's filtering failed to stop it: the mail bypassed the defenses and landed in users' inboxes.

There are several things to spot. First, the subject line is enticing: people will think they can see their colleagues' salaries, and with that in mind they will open the attachment. Second, look at the sender address: it is a completely unknown domain. Third, the attachment name is very long and strange.

I extracted and analyzed the email header, identified the sending mail server with its associated IPs and domain, and blocked them. Here are the IOCs you should block as well, because this threat actor is targeting Bangladesh. One caveat: out.exch092.serverdata.net is an outbound relay of a shared hosted-Exchange provider, so blocking these addresses outright can also stop legitimate mail from other tenants of the same provider; weigh that against the risk before you block at the perimeter.

IOC:

Name:    out.exch092.serverdata.net
Addresses:
64.78.27.131
64.78.27.159
199.193.207.186
199.193.207.189
199.193.207.188
64.78.27.158
199.193.207.177
199.193.207.175
64.78.27.142
199.193.207.176
199.193.207.184
199.193.207.172
199.193.207.187
64.78.27.136
64.78.27.139
64.78.27.140
199.193.207.191
64.78.27.143
199.193.207.174
199.193.207.185
199.193.207.190
199.193.207.173
64.78.27.157
64.78.27.141
64.78.27.155
64.78.27.132
64.78.27.156
64.78.27.137
64.78.27.154
64.78.27.138
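The header triage described above, worked through as an added example. This is not the author's tooling, and the message it parses is a constructed sample: the only real element is the relay hostname from the IOC list, and the addresses, domains, dates and attachment name are made up. It pulls the first external hop out of the Received chain, reads the SPF/DKIM/DMARC results, and flags the same red flags the post calls out (unknown sender, long attachment name).

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message (not the mail from the post). The outbound relay in the
# Received chain is the hostname the IOC list above names; everything else is made up.
SAMPLE_EML = b"""\
Return-Path: <bounce@example-sender.invalid>
Received: from mx.example-corp.invalid (localhost [127.0.0.1])
 by mailstore.example-corp.invalid; Tue, 10 Dec 2024 09:12:34 +0000
Received: from out.exch092.serverdata.net (out.exch092.serverdata.net [64.78.27.131])
 by mx.example-corp.invalid with ESMTPS; Tue, 10 Dec 2024 09:12:33 +0000
Authentication-Results: mx.example-corp.invalid; spf=pass smtp.mailfrom=example-sender.invalid;
 dkim=none; dmarc=fail header.from=example-corp.invalid
From: "HR Department" <hr@example-corp.invalid>
To: staff@example-corp.invalid
Subject: Salary sheet of all employees - December 2024
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached salary sheet.
--b1
Content-Type: application/pdf; name="Salary_Sheet_All_Employees_Dec_2024_Confidential_Approved_Final_Copy_Do_Not_Forward.pdf"
Content-Disposition: attachment; filename="Salary_Sheet_All_Employees_Dec_2024_Confidential_Approved_Final_Copy_Do_Not_Forward.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
LONG_NAME = 40  # attachment names longer than this get flagged; the threshold is a judgement call


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw):
    """Pull the IOC-relevant fields out of a raw .eml and list the red flags."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]

    # Each MTA prepends its own Received header, so the chain reads newest-first.
    # Only the lines written by your own servers can be trusted; the hop they
    # recorded handing the mail over is the sending relay to block.
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        text = " ".join(str(rcvd).split())
        host = FROM_HOST_RE.match(text)
        ip = IP_RE.search(text)
        hops.append((host.group(1) if host else "", ip.group(1) if ip else ""))

    auth_text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_text)}

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]

    findings = []
    if domain_of(from_addr) != domain_of(return_path):
        findings.append(f"From domain {domain_of(from_addr)} differs from Return-Path domain {domain_of(return_path)}")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature")
    for name in attachments:
        if len(name) > LONG_NAME:
            findings.append(f"unusually long attachment name ({len(name)} chars): {name}")
        if re.search(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js|html?)$", name, re.IGNORECASE):
            findings.append(f"double extension on attachment: {name}")

    return {
        "from": from_addr,
        "return_path": return_path,
        "first_hop": hops[0] if hops else ("", ""),
        "hops": hops,
        "auth": auth,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print("sending relay:", result["first_hop"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against a saved .eml by replacing SAMPLE_EML with the file's bytes. The relay it reports is the one your own edge MTA recorded, which is the only hop in the chain the attacker could not have forged.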

Let's open the PDF:

I opened it in my sandbox, a FLARE VM with the network connection disabled. See the link below to set up the same environment.

As you can see, the PDF contains a QR code. Attackers have adopted this technique because most email defenses fail to catch it: the URL is embedded in an image rather than a clickable link, so link scanning and URL rewriting never see it, and scanning the code moves the victim onto a personal phone outside the company's controls.

It tells the user to pick up their phone and scan the QR code. You might think it would take you to the URL shown, but it does not. For the defensive side, block this URL.

It actually takes you to this URL. Block this one as well.

When you click Continue, a fake Microsoft login page pops up and asks for your work email and password. Once you enter them, the attacker captures your credentials and redirects you to the genuine Microsoft login page.

By the time of my analysis the attacker had already taken the site down, but I still needed to find where the phishing page was hosted. So I looked at the page source, and there I found a base64-encoded string.

Decoded, it points to the fake site where the Microsoft phishing page was hosted.
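The two unmasking steps above (the QR link that redirects somewhere other than the URL it shows, and the base64 string in the landing page source that reveals the real kit host), as an added example. This is not the author's code, and both inputs are constructed: the post shows the real URLs only as screenshots, so the redirector, the target and the base64 blob here are made-up stand-ins that merely reproduce the pattern.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs for illustration; the post shows the real ones only as screenshots.
# The link behind the QR code: a redirector whose target rides in a query parameter.
REDIRECT_URL = "https://redirector.example.invalid/go?id=42&u=https%3A%2F%2Fverify.example.invalid%2Fsignin"
# Source of the landing page: the kit host is hidden in a base64 string fed to atob().
PAGE_SOURCE = """<html><body>
<script>
var p = "aHR0cHM6Ly9sb2dpbi5leGFtcGxlLmludmFsaWQvbzM2NQ==";
window.location = atob(p);
</script>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB">
</body></html>"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")     # candidate blobs worth trying
URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")


def try_b64_url(token):
    """Base64-decode token; return the plaintext only if it is an http(s) URL."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)           # repair stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):          # binascii.Error is a ValueError
        return None
    return text if URL_RE.match(text) else None


def redirect_targets(url):
    """URLs carried in the query string, whether plain, percent-encoded or base64."""
    found = []
    # Split by hand instead of using parse_qs(): parse_qs turns '+' into a space,
    # which corrupts base64 values that happen to contain '+'.
    for part in urlsplit(url).query.split("&"):
        _, _, raw_value = part.partition("=")
        value = unquote(raw_value)
        candidate = value if URL_RE.match(value) else try_b64_url(value)
        if candidate and candidate not in found:
            found.append(candidate)
    return found


def hidden_urls(source):
    """URLs recovered from base64 blobs embedded in saved page source."""
    found = []
    for token in B64_RE.findall(source):
        candidate = try_b64_url(token)
        if candidate and candidate not in found:
            found.append(candidate)
    return found


if __name__ == "__main__":
    print("QR redirect leads to:", redirect_targets(REDIRECT_URL))
    print("kit host in page source:", hidden_urls(PAGE_SOURCE))
```

Both functions work on saved artifacts, so they are safe to run in an offline sandbox after the site is gone, which is exactly the situation described above. Kits that layer further obfuscation on top of base64 (nested atob, unescape, string reversal) need the outer layers peeled off first; this handles the single-layer case the post found.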

It is very new. Only ANY.RUN flagged it, and tagged the threat actor as Storm-1575.

Phishing pages previously hosted by this threat actor can be seen above.

Install Sophos Intercept X for Mobile on your phone so that the links you open, including those scanned from QR codes, are checked for safety.

Thanks. I hope you liked this write-up. Please subscribe below and share it with your network.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
