Forum Discussion
Connection to adversary-in-the-middle (AiTM) phishing site - sropq.com
Hello all,
I have a strange Defender alert.
User is opening SharePoint/OneDrive on a terminal server (RDP connection) with Mozilla Firefox and the event below appears.
Mozilla Firefox is stock and other users do not create this kind of alert.
There is no visible Add-on installed, which could cause this issue.
I cannot find any information about sropq.com
Connection to adversary-in-the-middle (AiTM) phishing site
sropq.com
188.114.96.4
firefox.exe (PID: 31868)
firefox.exe (PID: 7788)
188.114.97.4
3 Replies
Hello ENVRobin,
domain is definitely malicious and has been reported as phishing. You may find plenty of artifacts associated here:
- VirusTotal - Domain - sropq.com
- Automated Malware Analysis Report for https://109726.io.directiq15.com/hit?sid=l80v9qcq1yrryt1d6d&linkid=5&link=a115381325df4e1592cb4886f939efd5 - Generated by Joe Sandbox
- Automated Malware Analysis Report for https://109726.io.directiq15.com/hit?sid=l80v9qcq1yrryt1d6d&linkid=5&link=a115381325df4e1592cb4886f939efd5 - Generated by Joe Sandbox
You may want to check the Delivery method, I can see that Firefox has been spawned from Outlook. Could someone have opened a phishing email? It's a common practice to host suspicious files in sharepoint and then point the suspect to a malicious page luring for credentials.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
cyb3rmik3 the situation is really strange because it looks like the server is really empty and the user is not working as much with this server. So there is Outlook installed and Firefox to do sometimes a little research, but this user has its workstation/laptop to do its business.
The mail which has created an alert was SharePoint Online via direct sharing from another colleague inhouse. So technically it was Microsoft, who sent out the mail and nobody was between.
We are using Office 365 without hybrid setting, and we are also cloud only with Exchange Online and no weird third party anti spam provider and so on. So everything looks like best practise except using Office 365 on Windows Server 😉
I have now forced the user to use MS Edge and currently there is no new alert. Also opening Firefox several time with opening the shared OneDrive file has not created an alert each click. It was every 10th time I tried.
I have then cleared out Firefox cookies and cache, checked website push notifcations settings and so on, because I think there was maybe something loading in background by opening.
Hopefully this connection will never happen again 🙂
The IP address listed has some malicious detections > IPv4: 188.114.97.4 - LevelBlue - Open Threat Exchange (alienvault.com)
