Fake Microsoft Support Site Distributes Credential‑Stealing Malware to French Users
What Happened — Attackers registered the typosquatted domain microsoft-update.support and hosted a French-language page that mimics an official Windows cumulative update. The page delivers an MSI installer that drops an Electron-based payload built to harvest passwords, payment details, and other account credentials.
Why It Matters for TPRM —
- Credential‑stealing malware can be used to compromise downstream SaaS accounts, cloud services, and VPNs that third‑party vendors rely on.
- The lure draws on previously leaked French personal data to look credible, showing how breach dumps from one organisation can be turned against its supply-chain partners.
- A typosquatted domain plus an MSI built with a legitimate toolset and carrying spoofed file metadata can slip past reputation-based URL and endpoint controls, increasing the risk of silent compromise.
Who Is Affected — Consumers and employees in France; any organization with French‑speaking users or remote workers who may follow the bogus update link.
Recommended Actions —
- Instruct all users to install Windows updates only through Windows Update or the official Microsoft website; genuine cumulative updates are never delivered as an MSI downloaded from a third-party domain, so any such offer should be treated as phishing.
- Deploy URL-filtering or DNS-sinkhole rules for known typosquatted domains such as microsoft-update.support. Sinkholing the whole TLD (*.support) would also block legitimate vendor support portals, so scope rules to confirmed indicators.
- Ensure endpoint protection can inspect MSI installers and flag spoofed metadata.
- Review privileged account credentials for reuse and enforce MFA on all third‑party services.
Technical Notes — The malicious MSI (WindowsUpdate 1.0.0.msi, 83 MB) is built with the legitimate WiX Toolset, then installs an Electron app that runs hidden JavaScript to capture keystrokes and browser cookies. The campaign relies on phishing via a typosquatted domain and leverages previously leaked French personal data to increase credibility. Source: Malwarebytes Labs
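The MSI-inspection step in the recommended actions and the package details in the technical notes, as an added PowerShell triage check that is not code from the Malwarebytes Labs report or from the campaign: it reads the MSI Property table and summary stream through the Windows Installer COM API, checks the Authenticode signature with Get-AuthenticodeSignature, and flags the file when its metadata claims Microsoft but the signature does not back that up. The download path, the Microsoft-branding regex and the app.asar heuristic for spotting a bundled Electron app are assumptions for illustration, not indicators taken from the report.

```powershell
# Added triage example (not the report's code). Assumes Windows PowerShell 5.1 or later
# on Windows, where the WindowsInstaller.Installer COM object is built in.

function Invoke-Com {
    # Late-bound COM call: the Windows Installer objects are IDispatch-only, so their
    # methods and properties are reached through Type.InvokeMember.
    param($Target, [string]$Member, [string]$Kind = 'InvokeMethod', [object[]]$Arguments = $null)
    $Target.GetType().InvokeMember($Member, $Kind, $null, $Target, $Arguments)
}

function Get-MsiMetadata {
    param([Parameter(Mandatory)][string]$Path)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-Com $installer 'OpenDatabase' -Arguments @($Path, 0)   # 0 = msiOpenDatabaseModeReadOnly

    # Property table: the values Add/Remove Programs and the UI show (Manufacturer, ProductName, ...).
    $props = @{}
    $view = Invoke-Com $db 'OpenView' -Arguments @('SELECT Property, Value FROM Property')
    Invoke-Com $view 'Execute' | Out-Null
    for ($rec = Invoke-Com $view 'Fetch'; $null -ne $rec; $rec = Invoke-Com $view 'Fetch') {
        $name = Invoke-Com $rec 'StringData' -Kind 'GetProperty' -Arguments @(1)
        $props[$name] = Invoke-Com $rec 'StringData' -Kind 'GetProperty' -Arguments @(2)
    }
    Invoke-Com $view 'Close' | Out-Null

    # Summary stream: PID 3 = Subject (product), 4 = Author (vendor), 18 = creating application (build tool).
    $si = Invoke-Com $db 'SummaryInformation' -Kind 'GetProperty' -Arguments @(0)
    $summary = @{}
    foreach ($entry in @{ Subject = 3; Author = 4; CreatingApp = 18 }.GetEnumerator()) {
        $summary[$entry.Key] = Invoke-Com $si 'Property' -Kind 'GetProperty' -Arguments @($entry.Value)
    }

    # File table: entries are "short|long" names; keep the long name. Some installers have no File table.
    $files = @()
    try {
        $view = Invoke-Com $db 'OpenView' -Arguments @('SELECT FileName FROM File')
        Invoke-Com $view 'Execute' | Out-Null
        for ($rec = Invoke-Com $view 'Fetch'; $null -ne $rec; $rec = Invoke-Com $view 'Fetch') {
            $files += (Invoke-Com $rec 'StringData' -Kind 'GetProperty' -Arguments @(1)) -split '\|' | Select-Object -Last 1
        }
        Invoke-Com $view 'Close' | Out-Null
    } catch { }

    [pscustomobject]@{ Properties = $props; Summary = $summary; Files = $files }
}

function Test-SuspiciousMsi {
    param([Parameter(Mandatory)][string]$Path)

    $meta = Get-MsiMetadata -Path $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # Does the package present itself as Microsoft or as a Windows update? (assumed branding regex)
    $branding = @($meta.Properties['Manufacturer'], $meta.Properties['ProductName'],
                  $meta.Summary['Author'], $meta.Summary['Subject']) -join ' '
    $claimsMicrosoft = $branding -match 'Microsoft|Windows Update'

    # Only a valid Authenticode chain ending in a Microsoft Corporation signer backs that claim.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    if ($claimsMicrosoft -and -not $signedByMicrosoft) {
        $findings += "Microsoft branding in metadata but Authenticode status is '$($sig.Status)'"
    }
    if ($branding -match 'Update') {
        # Genuine Windows cumulative updates ship as .msu packages through Windows Update, never as an MSI.
        $findings += 'Presents itself as a Windows update but is packaged as an MSI'
    }
    if ($meta.Files -match '\.asar$') {
        # Electron applications bundle their JavaScript in an app.asar archive (assumed heuristic).
        $findings += 'Installs an Electron .asar bundle: ' + (($meta.Files -match '\.asar$') -join ', ')
    }

    [pscustomobject]@{
        Path            = $Path
        Manufacturer    = $meta.Properties['Manufacturer']
        ProductName     = $meta.Properties['ProductName']
        CreatingApp     = $meta.Summary['CreatingApp']
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Findings        = $findings
    }
}

# Placeholder path; the file name is the one reported for the campaign.
Test-SuspiciousMsi -Path 'C:\Users\Public\Downloads\WindowsUpdate 1.0.0.msi' | Format-List
```

Run it from an analysis VM against the quarantined file, not on the victim host: opening the database in read-only mode does not execute the package, but Windows Installer still parses attacker-controlled structures. The signature check is the decisive signal; the CreatingApp value (WiX for this campaign) and the .asar heuristic are supporting context, since legitimate software is also built with WiX and Electron.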