ThreatConnect Research Roundup: Microsoft-Spoofing Domains

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

  • Microsoft-Spoofing Domains
  • Probable Konni Domains
  • .ics Calendar Phishing
  • Lucifer Cryptojacking/DDoS
  • DarkCrewBot
  • Emotet
  • WastedLocker

Roundup Highlight: Microsoft-Spoofing Domains

20200624A: Microsoft Spoofing Domains Registered Through Google and Hosted on a DigitalOcean IP


Our highlight in this Roundup is Incident 20200624A: Microsoft Spoofing Domains Registered Through Google and Hosted on a DigitalOcean IP. On June 24 2020, ThreatConnect Research identified three Microsoft-spoofing domains that were registered through Google on June 16 and 17 2020 and are or were hosted on a probable dedicated server at DigitalOcean IP addresses.

The identified domains and their hosting IPs include the following:

login-onmicrosoft[.]online (206.189.72[.]134)

login-onmicrosoftonline[.]com (159.203.57[.]75)

login-onmicrosoft[.]com (prev. 142.93.145[.]248)

Per, as of June 24 2020, login-onmicrosoft[.]online redirects to a Microsoft Online login URL. The login-onmicrosoftonline[.]com domain redirects to a legitimate Microsoft domain.

These domains are possibly related to a series of similar registrations through Google that are captured in associated Incidents in ThreatConnect.


ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.


Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).




To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.


ThreatConnect Research Team
About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.