Shiny new Azure login attracts shiny new phishing attacks
Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company’s cloud-based login screen.
Microsoft announced the innocuous change to its Azure AD login screen on 26 February, rolling it out in the first week of April. The previous screen featured a login box against a full-frame photograph in the background. In the new version, Microsoft replaced the photograph with plain colours, reducing its size by 99%. That’ll save network bandwidth and reduce page loading times, said executives at the time. Even though users may cache static page assets locally, they’ll still reload them eventually, and every little helps.
Online ne’er-do-wells work quickly, though, and it didn’t take long for phishing scammers to catch on. The company said in a tweet that it had seen multiple sites using the new background in a bid to lure Azure AD users into giving up their account info:
Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns. We have so far seen several dozens of phishing sites used in these campaigns. pic.twitter.com/R8axe6Tgok
— Microsoft Security Intelligence (@MsftSecIntel) May 14, 2020
Azure AD is the cloud-based version of the on-premises Active Directory system that holds user authentication and access privilege data. The cloud version is the single sign-on gateway to a range of online applications, including Microsoft’s own cloud services, along with third-party apps. As such, it’s the holy grail for phishing scammers, who could gain access to lots of enterprise accounts in the cloud if they mount a convincing attack.