Home / Industry

Uncovering Office 365-Related Artifacts with IP and Domain Intelligence

While Office 365 is one of the most prevalent office suites out in the market today, its users can’t rest easy. Cybercriminals and threat actors will always find ways to abuse the most popular brands in various ways.

Office 365 has hundreds of millions of active users, and this userbase can make it a pretty lucrative target for many kinds of cyber attackers. In fact, over the past few months, the suite has been abused in several attacks, including:

There are tons of other events, of course, over the years since its launch, including vulnerability exploitation and other cyber attacks. In the realm of cybersecurity, we know that prevention is better than cure where possible. So we sought to provide Office 365 users a list of domains, subdomains, and IP addresses that they may do well to steer clear of in light of the many attacks that may be targeting them.

Office 365 Threat Artifacts Obtained from Domain and IP Intelligence Tools

To obtain an initial sample that we then analyzed to build an exhaustive list of artifacts, we looked for domains and subdomains containing the strings “office 365” and “o365” from 1 June 2021 alone. Our initial list gave us:

  • 1,350 Office 365 domains
  • 3,856 Office 365 subdomains

To see how many of these domains and subdomains could be publicly attributed to Microsoft, we removed duplicates from the sample. A bulk WHOIS lookup gave us active WHOIS records for 656 domains and a very small percentage (5%) were most likely legitimate based on shared registrant details (i.e., they are the same as those indicated in microsoft[.[com’s WHOIS record). Very few of them were owned by identifiable individuals or companies, apart from Microsoft.

Subjecting 10% of the total sample (i.e., domains and subdomains) to malware database checks showed that:

  • 17% were tagged “suspicious” on VirusTotal
  • 6% were dubbed “malicious”

Examples of the suspicious domains/subdomains include:

  • office365[.]pe
  • office365[.]sv
  • xn—ffice365-x80d[.]ml
  • office365[.]by
  • xn—ffice365-33a[.]com
  • office365[.]veifield[.]info
  • office365[.]atentivo[.]com[.]br
  • office365[.]eduedu[.]cf
  • office365[.]o2c[.]lu
  • office365[.]suppports[.]com

The following, meanwhile, are examples of those classified as malicious:

  • office365[.]cx
  • office365[.]pw
  • office365[.]ws
  • office365[.]ceo
  • office365v[.]de
  • office365[.]komcanto[.]gq
  • office365[.]wanimt[.]xyz
  • office365[.]jugueterya[.]cl
  • office365[.]center-supports[.]com
  • office365[.]wreemi[.]xyz

DNS lookups revealed that the 656 domains resolved to 1,414 IP addresses. Querying 10% of these on a malware database revealed that 24% were tagged “malicious” while 2% were dubbed “suspicious.”

Examples of the malicious and suspicious IP addresses are:

  • 185[.]165[.]123[.]36
  • 64[.]70[.]19[.]203
  • 40[.]112[.]72[.]205
  • 40[.]113[.]200[.]201
  • 67[.]199[.]248[.]12
  • 67[.]199[.]248[.]13
  • 199[.]59[.]242[.]153
  • 34[.]98[.]99[.]30
  • 5[.]79[.]79[.]211
  • 81[.]17[.]18[.]197

Passive DNS checks on the IP addresses via reverse IP/DNS queries gave us a list of 3,911 additional unique domains and subdomains. Note that the number of connected domains and/or subdomains per IP address was limited to five.

Malware database checks for these domains and subdomains revealed that some were tagged “malicious” and “suspicious” on VirusTotal, including:

  • 0-1kirei[.]ric[.]mixh[.]jp
  • 0-24life[.]hhatta[.]mixh[.]jp
  • 0[.]2l[.]nu
  • 00-01[.]info
  • 000-255255255[.]com
  • 0-bankinghuntington[.]serveirc[.]com
  • 0-online-secure-0-update-server[.]cloudns[.]cl
  • 0-online01-bsecurechase[.]cloudns[.]cl
  • 00[.]ns02[.]info
  • 0000-1[.]com

There may be a lot more as we were only able to screen a few of the resulting connected domains and subdomains.


Given our findings and the list of artifacts that we acquired, Office 365 users, individuals and companies alike, need to be wary of the suspicious domains, subdomains, and IP addresses and block access to and from those that are malicious. A lot of these could figure in phishing attacks spoofing Office 365 or worse.

If you want to get a copy of the Office 365 threat artifacts we collated to enhance your network protection or want to start your own investigation, please contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign