I recently looked at some threat actors using phishing kits on their credential harvesting landing pages. I wanted to try to build my own, which we could also use on our own simulated phishing landing pages.
I found a way to abuse a publicly available Cloudflare Workers demo to build an on-the-fly customization feature for a phishing web page. This way, the phishing email can carry the target person's email address in the phishing URL as a query parameter, and the page uses the email domain to fetch the organization's real login branding, so the theme of the phishing page matches the real login page.
How others do it
I started searching for links to credential harvesting pages that were still up, to see whether the pages were hosting phishing kits and whether they were customized depending on the entered email domain. I was hoping to find the kits fetching the logos, backgrounds, colors, and headers client-side from some Microsoft URL that I didn't know about. Unfortunately, all the kits I looked at used compromised WordPress instances to host their backends. That meant I could not see how or where the branding was fetched.
How Microsoft does it
I started looking at how Microsoft does it and where the branding assets come from. Are there any Microsoft endpoints that would directly fetch the target organization assets based on the organization’s domain?
I went to the Microsoft login page and typed in my work email. The page loaded the organization's assets only after the email address had been entered. I logged the browser's network activity and discovered that the branding was loaded from [aadcdn.msauthimages.net]. For example, the Hoxhunt banner logo was loaded from [https://aadcdn.msftauthimages.net/c1c6b6c8-glztwfzeyj6xiy4tk2wwrywtglz4pwshhnyups3fwk4/logintenantbranding/0/bannerlogo].
That URL is built from an opaque tenant identifier rather than from the organization's domain, so it gave no quick way to find a target organization's assets.
I needed a URL that would take, for example, an email address or a company domain as a query string, so that I could swap in the target's domain and get the right branding assets straight from Microsoft.
Finding the perfect link
I decided to look for different URLs under the [login.microsoftonline.com] domain, hoping to find a variation that hinted at such a parameter. The Common Crawl index was the perfect place to look for suitable URLs.
I used [login.microsoftonline.com/common/oauth2/*] as my query on the Common Crawl index and searched the results for anything matching [.fi], which picks out URLs that reference a domain other than microsoftonline.com itself. I instantly found tons of hits for URLs containing [&domain_hint=exampledomain.fi], which looked promising.
Copying one of those URLs into my browser and changing the domain in the domain_hint= query parameter fetched all the appropriate assets for the changed domain. Now I had a URL on a Microsoft domain that I could use to fetch any organization's login assets.
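To make the Common Crawl step concrete, here is an added example (not code from the original post) that does the same filtering offline over a few constructed index records: it collects the domain_hint values from login.microsoftonline.com URLs, keeps the ones under a given suffix, picks the first captured URL as a template, and swaps the domain in it. The index API host in the comment is the real Common Crawl index endpoint; the crawl ID, the all-zero client_id and the domains in the sample records are placeholders.

```javascript
// Added example, not code from the original post. It reproduces the Common Crawl step
// offline: parse index records (JSON lines), collect the domain_hint values found in
// login.microsoftonline.com URLs, and rewrite one captured URL for another domain.
// A live run would fetch such records from the index API, for example
//   https://index.commoncrawl.org/<CRAWL-ID>-index?url=login.microsoftonline.com/common/oauth2/*&output=json
// The records below are constructed sample data (placeholder client_id, made-up domains);
// real records carry more fields than the three kept here.
const SAMPLE_INDEX_LINES = `
{"url":"https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&domain_hint=example.fi","timestamp":"20230601120000","status":"200"}
{"url":"https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code","timestamp":"20230601120100","status":"200"}
{"url":"https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fcontoso.com&domain_hint=contoso.com","timestamp":"20230601120200","status":"302"}
{"url":"https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000-0000-0000-0000-000000000000&domain_hint=Example.fi","timestamp":"20230601120300","status":"200"}
this line is not JSON and must be skipped
{"url":"https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&domain_hint=toinen.fi","timestamp":"20230601120400","status":"302"}
`;

// Parse JSON-lines text, skipping blank and malformed lines.
function parseIndexLines(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try { records.push(JSON.parse(trimmed)); } catch (e) { /* malformed line: skip */ }
  }
  return records;
}

// Return the normalized domain_hint of a login.microsoftonline.com URL, or null.
function domainHintOf(urlString) {
  let parsed;
  try { parsed = new URL(urlString); } catch (e) { return null; }
  if (parsed.hostname !== 'login.microsoftonline.com') return null;
  const hint = parsed.searchParams.get('domain_hint');
  return hint ? hint.trim().toLowerCase() : null;
}

// Unique domain_hint values ending in the given suffix (".fi" in the post), sorted.
function findDomainHints(indexText, suffix = '.fi') {
  const hints = new Set();
  for (const rec of parseIndexLines(indexText)) {
    const hint = domainHintOf(rec.url || '');
    if (hint && hint.endsWith(suffix)) hints.add(hint);
  }
  return [...hints].sort();
}

// First captured URL that carries a domain_hint: the template to reuse.
function templateUrlFrom(indexText) {
  for (const rec of parseIndexLines(indexText)) {
    if (domainHintOf(rec.url || '')) return rec.url;
  }
  return null;
}

// Replace the domain_hint in a captured URL; the other parameters are kept as they are.
function withDomainHint(templateUrl, domain) {
  const u = new URL(templateUrl);
  u.searchParams.set('domain_hint', domain);
  return u.toString();
}
```

The host check in domainHintOf matters when you feed the functions a wider crawl than the exact query above: a domain_hint on some other site's URL says nothing about Microsoft's branding and would only pollute the list.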
Recently, I did a project with Cloudflare Workers. One of the Workers demos on Cloudflare's site is a web scraper built with Workers. There is also a live demo where you can try it out by giving it a URL and a CSS selector, and it returns the contents of the scraped elements as JSON.
The demo also accepts the URL, selector, and other settings as query strings, which is just what we need here: the whole scraper request can be built as a plain URL from the target's domain_hint URL.
After the login page has been fetched, our page parses the asset URLs on [aadcdn.msauthimages.net] out of the returned JSON and inserts them in the right places on our credential harvester page. Not all organizations use every customizable asset, so the page also checks which elements are customized and hides the elements that do not exist for the target organization.
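The following is an added example, not code from the original post or from Cloudflare's demo, showing the page-side logic described above without touching the network or the DOM: derive the target's domain from the email in the landing page URL, build the scraper request for the matching domain_hint URL, pick the branding asset URLs out of the scraper's JSON, and decide which page elements to show or hide. Everything beyond what the post shows is an assumption: the query parameter name email, the placeholder SCRAPER_DEMO address and its url and selector parameters, the all-zero client_id, the shape of the sample response, and any asset kind other than bannerlogo.

```javascript
// Added example (not code from the original post or Cloudflare's demo). It runs the
// branding-fetch logic offline: turn the target e-mail in the landing page URL into a
// domain, build the scraper request, pull branding asset URLs out of whatever JSON the
// scraper returns, and decide which page elements to show. Assumptions, all hypothetical:
// the query parameter is named "email", the demo accepts "url" and "selector" query
// strings at SCRAPER_DEMO, and asset kinds beyond "bannerlogo" (the one shown in the
// post) are named after their last path segment.
const SCRAPER_DEMO = 'https://scraper.example.workers.dev/';   // placeholder, not the real demo URL
const LOGIN_TEMPLATE = 'https://login.microsoftonline.com/common/oauth2/authorize'
  + '?client_id=00000000-0000-0000-0000-000000000000&response_type=code&domain_hint=example.fi';
// Both branding hosts seen in the post; stop at quotes, parentheses, whitespace or backslashes.
const BRANDING_HOSTS = /https?:\/\/aadcdn\.ms(?:ft)?authimages\.net\/[^\s"'()\\]+/g;

// "?email=user@example.fi" -> "example.fi"; anything that is not an e-mail address -> null
function targetDomainFromQuery(search) {
  const email = new URLSearchParams(search).get('email') || '';
  const m = /^[^@\s]+@([^@\s]+\.[^@\s]+)$/.exec(email.trim());
  return m ? m[1].toLowerCase() : null;
}

// Swap the domain_hint in the captured login URL for the target's domain.
function loginUrlFor(domain) {
  const u = new URL(LOGIN_TEMPLATE);
  u.searchParams.set('domain_hint', domain);
  return u.toString();
}

// Ask the scraper demo to fetch the login page and return the elements matching selector.
function buildScraperUrl(targetUrl, selector) {
  const u = new URL(SCRAPER_DEMO);
  u.searchParams.set('url', targetUrl);
  u.searchParams.set('selector', selector);
  return u.toString();
}

// Walk the scraper's JSON (any shape) for branding CDN URLs, keyed by asset kind.
function extractBrandingAssets(scraperResponse) {
  const text = typeof scraperResponse === 'string' ? scraperResponse : JSON.stringify(scraperResponse);
  const assets = {};
  for (const m of text.match(BRANDING_HOSTS) || []) {
    const kind = new URL(m).pathname.split('/').filter(Boolean).pop().toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(assets, kind)) assets[kind] = m;   // first hit wins
  }
  return assets;
}

// Decide per element: show it with the tenant's URL, or hide it when the tenant has none.
function planBranding(assets, kinds) {
  const plan = {};
  for (const kind of kinds) {
    plan[kind] = assets[kind] ? { show: true, url: assets[kind] } : { show: false, url: null };
  }
  return plan;
}

// Browser-only: apply the plan to elements such as <img data-branding="bannerlogo">.
function applyBranding(plan, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return;
  for (const [kind, entry] of Object.entries(plan)) {
    for (const el of doc.querySelectorAll(`[data-branding="${kind}"]`)) {
      if (entry.show) { el.src = entry.url; el.hidden = false; } else { el.hidden = true; }
    }
  }
}

// Constructed sample of a scraper response; the real demo's JSON shape is not shown in the post.
const SAMPLE_SCRAPER_RESPONSE = {
  result: [
    { tag: 'img', attributes: { src: 'https://aadcdn.msauthimages.net/dbd5a2dd-constructed/logintenantbranding/0/bannerlogo?ts=1' } },
    { tag: 'div', attributes: { style: 'background-image: url(https://aadcdn.msauthimages.net/dbd5a2dd-constructed/logintenantbranding/0/illustration?ts=1)' } },
    { tag: 'img', attributes: { src: 'https://aadcdn.msauthimages.net/dbd5a2dd-constructed/logintenantbranding/0/bannerlogo?ts=1' } }
  ]
};
```

Only applyBranding needs a browser; the other functions are pure, so the parsing and show/hide decisions can be checked in Node before the page is deployed. Scanning the whole JSON text for CDN URLs rather than a fixed key path is deliberate: it keeps working if the demo changes its output format or if an asset is referenced from an inline style instead of a src attribute.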
After building this, I realized that this would be an extremely good way to abuse the public Cloudflare Workers demo without needing to rely on compromised WordPress instances on random domains and without creating any accounts. There are some pros and cons: the compromised WordPress instances come bundled with a free domain to host the phishing kit on, which you don't get with the public Workers demo.
We’ll see if Cloudflare will limit or take the Workers demo down. Maybe it's already been abused like this by someone?
About the author
Pontus joined Hoxhunt in 2017 and currently works as an Offensive Security Engineer. He enjoys researching and developing attack techniques, exploits, and tools.