
Uncovering Office 365-Related Artifacts with IP and Domain Intelligence

While Office 365 is one of the most prevalent office suites out in the market today, its users can’t rest easy. Cybercriminals and threat actors will always find ways to abuse the most popular brands in various ways.

Office 365 has hundreds of millions of active users, and this userbase can make it a pretty lucrative target for many kinds of cyber attackers. In fact, over the past few months, the suite has been abused in several attacks, including:

There are tons of other events, of course, over the years since its launch, including vulnerability exploitation and other cyber attacks. In the realm of cybersecurity, we know that prevention is better than cure where possible. So we sought to provide Office 365 users a list of domains, subdomains, and IP addresses that they may do well to steer clear of in light of the many attacks that may be targeting them.

Office 365 Threat Artifacts Obtained from Domain and IP Intelligence Tools

To obtain an initial sample that we then analyzed to build an exhaustive list of artifacts, we looked for domains and subdomains containing the strings “office 365” and “o365” from 1 June 2021 alone. Our initial list gave us:

  • 1,350 Office 365 domains
  • 3,856 Office 365 subdomains

To see how many of these domains and subdomains could be publicly attributed to Microsoft, we first removed duplicates from the sample. A bulk WHOIS lookup then returned active WHOIS records for 656 domains; only a very small percentage (5%) were most likely legitimate, based on registrant details that matched those in microsoft[.]com’s WHOIS record. Apart from Microsoft, very few of the domains were owned by identifiable individuals or companies.

Subjecting 10% of the total sample (i.e., domains and subdomains) to malware database checks showed that:

  • 17% were tagged “suspicious” on VirusTotal
  • 6% were dubbed “malicious”

Examples of the suspicious domains/subdomains include:

  • office365[.]pe
  • office365[.]sv
  • xn--ffice365-x80d[.]ml
  • office365[.]by
  • xn--ffice365-33a[.]com
  • office365[.]veifield[.]info
  • office365[.]atentivo[.]com[.]br
  • office365[.]eduedu[.]cf
  • office365[.]o2c[.]lu
  • office365[.]suppports[.]com

The following, meanwhile, are examples of those classified as malicious:

  • office365[.]cx
  • office365[.]pw
  • office365[.]ws
  • office365[.]ceo
  • office365v[.]de
  • office365[.]komcanto[.]gq
  • office365[.]wanimt[.]xyz
  • office365[.]jugueterya[.]cl
  • office365[.]center-supports[.]com
  • office365[.]wreemi[.]xyz

DNS lookups revealed that the 656 domains resolved to 1,414 IP addresses. Querying 10% of these on a malware database revealed that 24% were tagged “malicious” while 2% were dubbed “suspicious.”

Examples of the malicious and suspicious IP addresses are:

  • 185[.]165[.]123[.]36
  • 64[.]70[.]19[.]203
  • 40[.]112[.]72[.]205
  • 40[.]113[.]200[.]201
  • 67[.]199[.]248[.]12
  • 67[.]199[.]248[.]13
  • 199[.]59[.]242[.]153
  • 34[.]98[.]99[.]30
  • 5[.]79[.]79[.]211
  • 81[.]17[.]18[.]197

Passive DNS checks on the IP addresses via reverse IP/DNS queries gave us a list of 3,911 additional unique domains and subdomains. Note that the number of connected domains and/or subdomains per IP address was limited to five.
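The pivot described above (keyword-matched names, deduplication, forward resolution to IP addresses, then reverse IP lookups capped at five connected names per address) can be modelled offline. The script below is an added example written for this page, not WhoisXML API’s tooling or data: the `FORWARD_DNS` and `REVERSE_DNS` tables are constructed stand-ins for real lookups (the IPs come from the RFC 5737 documentation ranges), and `RAW_CANDIDATES` mixes a few domains named in this post with constructed ones. It goes one step beyond the text by decoding `xn--` labels and folding diacritics, so that a lookalike such as `xn--ffice365-33a[.]com` is matched by the “office365” search string even though its ASCII form does not contain it.

```python
"""Offline model of the domain -> IP -> connected-domain pivot described above.
All network lookups are replaced by constructed, clearly labelled tables."""
import codecs
import ipaddress
import unicodedata

KEYWORDS = ("office365", "o365")  # the post's search strings ("office 365" without the space)
MAX_CONNECTED_PER_IP = 5          # the post capped connected names at five per IP address


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as office365[.]pw into its real form."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def defang(indicator: str) -> str:
    """Re-defang for safe publication in reports and block lists."""
    return indicator.replace(".", "[.]")


def decode_idn(domain: str) -> str:
    """Decode xn-- (punycode) labels so lookalike characters become visible.
    The raw punycode codec is used instead of the idna codec so that labels which
    do not round-trip under IDNA2003 are still decoded rather than raising."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                labels.append(codecs.decode(label[4:].encode("ascii"), "punycode"))
            except (UnicodeError, ValueError):
                labels.append(label)  # leave undecodable labels untouched
        else:
            labels.append(label)
    return ".".join(labels)


def fold(text: str) -> str:
    """NFKD-normalise and drop combining marks, so 'ôffice365' folds to 'office365'."""
    return "".join(c for c in unicodedata.normalize("NFKD", text) if not unicodedata.combining(c))


def matches_keyword(domain: str) -> bool:
    """Match on the ASCII name, its decoded IDN form, and the diacritic-folded form."""
    decoded = decode_idn(domain)
    candidates = {domain, decoded, fold(decoded)}
    return any(k in c for k in KEYWORDS for c in candidates)


# Constructed sample input: defanged names as a keyword search might deliver them,
# with a deliberate case-variant duplicate and one name that does not match at all.
RAW_CANDIDATES = [
    "office365[.]pw", "OFFICE365[.]pw", "office365v[.]de", "xn--ffice365-33a[.]com",
    "office365[.]suppports[.]com", "mail[.]example[.]org", "login[.]o365[.]example[.]net",
]
# Constructed forward-resolution results (domain -> IPs); not real DNS data.
FORWARD_DNS = {
    "office365.pw": ["192.0.2.10"],
    "office365v.de": ["192.0.2.10", "198.51.100.7"],
    "xn--ffice365-33a.com": ["198.51.100.7"],
    "office365.suppports.com": ["203.0.113.5"],
    "login.o365.example.net": [],
}
# Constructed reverse-IP results (IP -> connected names); one IP has more than
# five names so the cap is exercised.
REVERSE_DNS = {
    "192.0.2.10": ["a.example", "b.example", "c.example", "d.example",
                   "e.example", "f.example", "g.example"],
    "198.51.100.7": ["shared-host.example", "xn--ffice365-33a.com"],
    "203.0.113.5": ["office365.suppports.com"],
}


def normalise(candidates):
    """Refang, lowercase and deduplicate, keeping only names that match the search strings."""
    seen = set()
    for raw in candidates:
        domain = refang(raw)
        if domain not in seen and matches_keyword(domain):
            seen.add(domain)
    return sorted(seen)


def pivot(domains, forward=FORWARD_DNS, reverse=REVERSE_DNS, cap=MAX_CONNECTED_PER_IP):
    """Seed domains -> IPs -> connected names, dropping names already in the seed set."""
    ips = set()
    for domain in domains:
        for ip in forward.get(domain, []):
            ipaddress.ip_address(ip)  # validate before using the value as a pivot key
            ips.add(ip)
    connected = set()
    for ip in ips:
        for name in reverse.get(ip, [])[:cap]:
            if name not in domains:
                connected.add(name)
    return sorted(ips, key=ipaddress.ip_address), sorted(connected)


def blocklist(domains, ips, connected):
    """Defanged artifact list suitable for publication or review before blocking."""
    return [defang(x) for x in list(domains) + list(ips) + list(connected)]


if __name__ == "__main__":
    seeds = normalise(RAW_CANDIDATES)
    found_ips, found_names = pivot(seeds)
    for line in blocklist(seeds, found_ips, found_names):
        print(line)
```

Before acting on a real run of this pipeline, review the connected names by hand: a reverse IP lookup on shared hosting returns unrelated tenants as readily as attacker infrastructure, which is why the output is defanged for review rather than fed straight into a blocklist.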

Malware database checks for these domains and subdomains revealed that some were tagged “malicious” and “suspicious” on VirusTotal, including:

  • 0-1kirei[.]ric[.]mixh[.]jp
  • 0-24life[.]hhatta[.]mixh[.]jp
  • 0[.]2l[.]nu
  • 00-01[.]info
  • 000-255255255[.]com
  • 0-bankinghuntington[.]serveirc[.]com
  • 0-online-secure-0-update-server[.]cloudns[.]cl
  • 0-online01-bsecurechase[.]cloudns[.]cl
  • 00[.]ns02[.]info
  • 0000-1[.]com

There may be a lot more as we were only able to screen a few of the resulting connected domains and subdomains.


Given our findings and the list of artifacts that we acquired, Office 365 users, individuals and companies alike, need to be wary of the suspicious domains, subdomains, and IP addresses and block access to and from those that are malicious. A lot of these could figure in phishing attacks spoofing Office 365 or worse.

If you want to get a copy of the Office 365 threat artifacts we collated to enhance your network protection or want to start your own investigation, please contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

