The Supercar Phishing Kit: A Luxurious Trap for Your Microsoft 365 Credentials
In August 2024, Fortgale’s cybersecurity researchers uncovered a phishing campaign targeting Microsoft 365 users. This discovery, dubbed the “Supercar Phishing Kit,” has introduced a new level of sophistication in phishing tactics by exploiting users’ trust in familiar services. The phishing kit, attributed to a threat actor group known as “Supercar Nebula,” has already wreaked havoc across multiple industries, especially in Italy, by targeting corporate employees through cleverly disguised emails.
The attack begins with an email designed to deceive the recipient into believing that an important document, such as an e-fax, is attached. The email subjects and content vary across campaigns, using lures like employee benefits and other work-related themes. These emails include an HTML attachment that, once opened, presents a counterfeit Microsoft 365 login page. When users submit their credentials, the sensitive data is immediately exfiltrated to luxury car-themed domains controlled by the attackers.
Fortgale’s analysis identified more than 2,900 domains linked to the Supercar Phishing Kit, all themed around luxury vehicles. These domains are part of a vast infrastructure designed to operate phishing campaigns at scale, with the luxury car theme serving as an unusual yet consistent motif. The harvested credentials are believed to be managed via control panels accessible through these domains, protected by Cloudflare’s Human Verification check.
Fortgale’s investigation suggests that the Supercar Phishing Kit is being distributed as a Phishing-as-a-Service (PaaS) model, allowing less-skilled cybercriminals to carry out attacks. This model allows anyone with access to the kit to launch sophisticated phishing campaigns, making it a widespread threat.
While the Supercar Phishing Kit poses a threat to any Microsoft 365 user, the campaign has shown a particular focus on Italian companies across various sectors. The attackers have demonstrated adaptability, modifying email themes and attachment types to evade detection and increase their chances of success.