Light Dark
August 19, 2019 By David Bisson 2 min read

Fraudsters are launching phishing attacks that use custom 404 pages to steal users’ Microsoft login credentials.

As reported by Bleeping Computer, the Microsoft security researchers who analyzed the phishing attacks observed that digital fraudsters had registered a domain and configured a 404 error page to display a fake Microsoft login form designed to look exactly like Microsoft’s official login page. Threat actors lifted various links from Microsoft’s official page, including those used to create a new account and to sign in to an existing record, and included them in their fake portal.

By configuring a 404 error page instead of creating a single landing page, the phishers afforded themselves and their campaigns a significant degree of flexibility. Microsoft’s analysts noted that these fraudsters can essentially pair their domain with an infinite number of phishing landing pages. The researchers also observed attackers randomizing their domains, which further increased the number of phishing URL possibilities available to them going forward.

Phishers’ Ongoing Use of Fake 404 Pages

This isn’t the first time that phishers have used fake 404 pages to realize their malicious intentions. Back in 2016, for instance, Sucuri came across one campaign that redirected those coming from a security service to a 404 error page to protect their attacks. Two years later, Bleeping Computer discovered that attackers were using login pages disguised as HTTP error pages to access a web shell and issue commands on the server.

More recently, in February 2019, Sucuri spotted attackers using fake 404 error pages and reCAPTCHA elements as part of their efforts to distribute banking malware.

How to Defend Against Phishing Attacks

Security professionals can bolster their defenses against phishing attacks by investing in a security awareness program that teaches employees look out for suspicious links, malicious email attachments and other phishing-related techniques. Organizations should also adopt a layered approach to email security in which they verify that their perimeter protection systems have spam detection services.

 |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

April 22, 2024

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

April 18, 2024

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature