Post AsUiI1XqqSNETpRX3A by chort@infosec.exchange
 (DIR) Post #AsUiI1XqqSNETpRX3A by chort@infosec.exchange
       2025-03-27T22:36:11Z
       
       0 likes, 1 repeats
       
       I guess some threat actor has figured out how to abuse forms on various platforms, like HubSpot and Microsoft(!?!) to send invoice phishing. On HubSpot the real destination URL seems to be hidden until you click submit. At least on Microsoft (customervoice.microsoft.com) it's visible in the form code (although the actor has whited-out the warning not to enter credentials, lmao). Just absolutely blows my mind that Microsoft allows any way at all to put user-supplied content on a microsoft.com sub-domain. What absolute brain-genius built that site?
       
 (DIR) Post #AsUiI6lVR7Gcfcs0Wm by chort@infosec.exchange
       2025-03-27T22:37:25Z
       
       0 likes, 0 repeats
       
       So anyway, better check your DNS/proxy logs to see if you have traffic to customervoice.microsoft.com. It's probably not a good thing. Edit: The domain I pulled out of the Microsoft site was registered last month through Publicdomainregistry.com and it doesn't have registration privacy. LMAO, looks like the threat actor (or someone working for them) is in Pakistan. Edit 2: The actual phishing page is protected by Cloudflare, because of course it is.
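
The log check suggested in the thread, sketched as an added example (not part of the original posts): it finds clients that reached customervoice.microsoft.com and lists the hosts each one contacted shortly afterwards, as leads for the form's real destination. The log line format, the 5-minute window and all sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCH_HOST = "customervoice.microsoft.com"  # host named in the post
WINDOW = timedelta(minutes=5)               # assumption: follow-up window

# Constructed sample proxy log: "<ISO time> <client> <method> <host:port>"
SAMPLE_LOG = """\
2025-03-27T22:10:03Z 10.0.4.17 CONNECT outlook.office365.com:443
2025-03-27T22:10:41Z 10.0.4.17 CONNECT customervoice.microsoft.com:443
2025-03-27T22:11:02Z 10.0.4.17 CONNECT form-target.example:443
2025-03-27T22:11:30Z 10.0.9.88 CONNECT notcustomervoice.microsoft.com.example:443
2025-03-27T22:12:15Z 10.0.4.17 CONNECT login.microsoftonline.com:443
2025-03-27T22:30:00Z 10.0.4.17 CONNECT www.example.org:443
2025-03-27T22:40:00Z 10.0.7.5 CONNECT CustomerVoice.Microsoft.com.:443
"""

def parse(line):
    """Return (timestamp, client, normalised host) for one log line."""
    ts, client, _method, target = line.split()
    # Drop the port, lowercase, and strip a trailing root dot.
    host = target.rsplit(":", 1)[0].lower().rstrip(".")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host

def matches(host):
    """Exact host or a true subdomain; look-alike names do not match."""
    return host == WATCH_HOST or host.endswith("." + WATCH_HOST)

def hunt(log_text):
    """Map each client that hit WATCH_HOST to its hit count and follow-up hosts."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    hits = defaultdict(list)
    for ts, client, host in events:
        if matches(host):
            hits[client].append(ts)
    report = {}
    for client, times in hits.items():
        followups = []
        for ts, c, host in events:
            in_window = any(t < ts <= t + WINDOW for t in times)
            if c == client and in_window and not matches(host) and host not in followups:
                followups.append(host)
        report[client] = {"hits": len(times), "followups": followups}
    return report

if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, info["hits"], info["followups"])
```
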