'Microsoft 360 Security Warning' Pop-Ups

The 'Microsoft 360 Security Warning' pop-up messages are examples of phishing notifications that are generated from misleading domains like Secure[.]ms43ddl[.]download and Secure[.]ms43ddl[.]date. The 'Microsoft 360 Security Warning' pop-ups may include logos from the official computer support page by Microsoft Corp. found at Support.microsoft.com to claim credibility. Also, the 'Microsoft 360 Security Warning' pop-ups may be shown on a background that looks like an opened Google Chrome window. That is a simple trick intended to fool users into thinking that their browser has loaded a security alert, which needs your immediate attention. Also, the pages that host the 'Microsoft 360 Security Warning' pop-ups are likely to feature a script that forces the browser to keep the page loaded in full-screen mode. We have seen the 'Microsoft 360 Security Warning' pop-ups display the following text:

'Microsoft 360 Security Warning**
Virus TrojanNile9 exploits your stored passwords &
corrupt all the files in your C Drive!
System : Windows
Attention: Windows Defender has found 18 files corrupted
by TrojanNile9. If you do not update now, your Windows will
perform automatic system restore in 85 seconds.
Required Immediately: Click on the "Update" button
below to save all your files in C drive

PC users who load domains like Secure[.]ms43ddl[.]download and Secure[.]ms43ddl[.]date and experience the 'Microsoft 360 Security Warning' messages should remain calm and terminate their browser using the Task Manager. The Task Manager can be launched by pressing Ctrl+Alt+Del on the keyboard simultaneously. Do not download the software promoted with the 'Microsoft 360 Security Warning' pop-ups and don't click the 'Update' button. Researchers have found that the people behind the 'Microsoft 360 Security Warning' tactic are using several IP addresses to publish phishing pages and trick users into installing a remote desktop client on their computers. We have found that the 'Microsoft 360 Security Warning' messages are produced by pages hosted on the 52.219.74.58, the 52.219.73.54, the 52.219.74.27 and the 52.219.72.50 IP address. Most of the domains associated with the 'Microsoft 360 Security Warning' tactic feature keywords like 'secure download,' 'pc,' 'fix,' 'repair,' 'microsoft support,' 'central,' 'exploit detected,' 'corrupt files' and 'error message' in their names. For example:

pc-fix-1008a49feif3042[.]com.s3-website[.]eu-central-1.amazonaws.com
pc[.]error122733441235ausmsauthcombof7666[.]com.s3-website.eu-central-1.amazonaws.com
support[.]microsoft83060yesmsffs6176[.]com.s3-website.eu-central-1.amazonaws.com/?mid=176
support[.]microsoft9100yfrmsrbchs9670[.]com.s3-website.eu-central-1.amazonaws.com/?cid=

It is recommended to seek help from official Windows services providers at Support.microsoft.com and certified computer support agencies. The 'Microsoft 360 Security Warning' domains are not affiliated with legitimate repair services, and you may wish to report related pages to your browser vendor. AV companies and browser-based security extensions may block domains like Secure[.]ms43ddl[.]download from loading and generate notifications that include the following detection names:

• BehavesLike.HTML.Ramnit.lg
• HTML.Trojan-Ransom.TechSupportScam.I
• HTML/FakeAlert.MD
• HTML/Infected.WebPage.Gen2
• JS.Z.Agent.77931.G
• JS:FakeAlert-J [Trj]
• JS:Trojan.Cryxos.1294
• SupportScam:JS/TechBrolo!rfn
• Suspicious_GEN.F47V0831
• TrojWare.JS.FakeAlert.MD
• Trojan.GenericKD.30656589
• Trojan.Html.Blocker.eizygn
• Win32.Trojan.Cryxos.Fsa
• Win32/Trojan.91c