Phishing Analysis 1 — MoonFruit UofT

The email was delivered from what appears to be a student mailbox since the domain is prepended by a term that is used for student emails. The email itself is not directed at the any user in particular
and does not contain any greeting message or personalization. This attempt relies on urgency as it states that existing
services will be closing on July 30th.

There is a link provided in the email itself and it is the full link rather than a word that is hyperlinked.
We see based on the link that the TLD is moonfruit.com.

Screenshot of the email

The user’s last name has been removed for privacy.

Looking at the email header, we see that no dkim or dmarc is available.

Checking mxtoolbox, we see the hostname belongs to outlook. This indicates that the service is O365.

What is moonfruit?

Moonfruit is a UK based website building company, similar to wix or squarespace. Moonfruit itself is not a malicious domain as there are many legitimate uses for such sites but allowing for easy creation of websites does allow for abuse.

Phishing Site
The site is hosted on moonfruit as evident by the URL.

Powered by MoonFruit listed on the bottom left

The site asks for details such as email address, password and utorid. Utorid is a unique ID that UofT students use to login to online services.

The url is similar to legitimate authenticate portal of UofT.

The main difference that shows this is a phishing site is the moonfruit TLD.

IOC

hXXps://updateidpz-utorauthutoronto[.]moonfruit[.]com/