From 717df77ce5857fde7fa02eab720ace799dc821a9 Mon Sep 17 00:00:00 2001
From: w00dbury <28681716+w00dbury@users.noreply.github.com>
Date: Sat, 2 Dec 2023 07:38:09 -0800
Subject: [PATCH] Create/Update Microsoft Indicators (#228)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* :rocket: New Microsoft Phishing Kit

Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words.

* :sparkles: Update rxkr4n3b to escape img on the phish.report viewer

The img string has single quotes but the version in this repo does not.

* :sparkles: Update microsoft-fyfcvk8e

Look for sc.php performing license checks.

* ✨Update microsoft-fyfcvk8e

Update modifier to match all requests

---------

Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
---
 indicators/microsoft-fyfcvk8e.yaml | 32 ++++++++++++++++++++++++++++++
 indicators/microsoft-rxkr4n3b.yml | 2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 indicators/microsoft-fyfcvk8e.yaml

diff --git a/indicators/microsoft-fyfcvk8e.yaml b/indicators/microsoft-fyfcvk8e.yaml
new file mode 100644
index 00000000..89a5f46a
--- /dev/null
+++ b/indicators/microsoft-fyfcvk8e.yaml
@@ -0,0 +1,32 @@ +title: Microsoft Phishing Kit fyfcvk8e +description: | + Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. + The phishing kit calls sc.php to perform license validation prior to loading page content. + +references: + - https://urlscan.io/result/0f35c05b-73e0-4397-9e7e-9e3edb508d16 + - https://urlscan.io/result/e73ca666-5a09-4c0e-949b-33a8f6ee7564 + - https://urlscan.io/result/0ebaab43-0235-42cc-9304-153f698868d4 + - https://urlscan.io/search/#filename%3A%22sc.php%22%20AND%20filename%3A%22jquery-3.1.1.min.js%22%20AND%20filename%3A%22crypto-js.min.js%22 + +detection: + + phone: + dom|contains: + - +X XXXXXXXX71 + + browser: + dom|contains: + - THIS WORKS AS A SIGNA TURE CHANGE FOR DETECED BROWSER + + licenseServer: + requests|contains|all: + - "sc.php" + - "jquery-3.1.1.min.js" + - "crypto-js.min.js" + + condition: all of them + +tags: + - kit + - target.microsoft diff --git a/indicators/microsoft-rxkr4n3b.yml b/indicators/microsoft-rxkr4n3b.yml index 0f135cbf..2a44e415 100644 --- a/indicators/microsoft-rxkr4n3b.yml +++ b/indicators/microsoft-rxkr4n3b.yml @@ -29,7 +29,7 @@ detection: img: html|contains: - - img style="width: 101px;" src="imagen.jpg" alt="" + - 'img style="width: 101px;" src="imagen.jpg" alt=""' condition: all of them
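Review bot: In the new indicators/microsoft-fyfcvk8e.yaml, the `licenseServer` selector uses bare substrings (`"sc.php"`, `"jquery-3.1.1.min.js"`, `"crypto-js.min.js"`) under `requests|contains|all`, and `"sc.php"` is short enough to match unrelated paths such as `misc.php` or `basic.php`; since the description says the kit "calls sc.php to perform license validation prior to loading page content", anchoring the value as `"/sc.php"` would keep the intent while reducing false positives. The `condition: all of them` does mitigate this by also requiring the masked phone string `+X XXXXXXXX71` and the misspelled browser banner, so it is a false-positive note rather than a blocker. Two smaller points: the fourth reference is a live urlscan search URL rather than a fixed result, so its contents will drift over time, and the file is named `.yaml` while the sibling indicator in this same patch is `microsoft-rxkr4n3b.yml`; the repo should settle on one extension.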
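Review bot: The quoting change in indicators/microsoft-rxkr4n3b.yml is a correctness fix rather than a cosmetic one, and the commit message ("the img string has single quotes but the version in this repo does not") undersells that: the old plain scalar `img style="width: 101px;" src="imagen.jpg" alt=""` contains `: ` inside `width: 101px;`, so a YAML parser reads the list item as a one-key mapping (`img style="width` mapped to `101px;" src="imagen.jpg" alt=""`) instead of a string, which means `html|contains` was never given the intended text. Wrapping it as `'img style="width: 101px;" src="imagen.jpg" alt=""'` makes it a single string containing the embedded double quotes. Worth stating that in the message (or a YAML comment) so the next contributor does not "simplify" it back to the unquoted form, and worth a quick grep of the other indicators for unquoted values containing `: `.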