Zscaler's ThreatLabz research team disclosed a large-scale phishing campaign this week. The researchers observed advanced phishing kits being used in a campaign aimed primarily at corporate enterprise users of Microsoft email services.
The threat actors behind the campaign have not been identified, but the researchers observed them using an adversary-in-the-middle (AiTM) technique capable of bypassing multi-factor authentication (MFA). Rather than hosting a static fake login page, the attacker's server acts as an AiTM proxy between the victim and the mail provider: it relays every request and response in both directions, so the victim's password and MFA response reach the real login server and the authentication completes normally. Because the proxy terminates the victim's TLS connection, it sees that traffic in the clear and captures the session cookie the mail provider issues after the successful login, which lets the attacker use the mailbox without authenticating again.
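To make the relay concrete, the following is an added example, not code from ThreatLabz or from the original write-up. It models the three parties in-process with made-up origins and a made-up user, and shows why a password plus a one-time code passes straight through the proxy while an origin-bound WebAuthn assertion does not. The identity provider, proxy and authenticator are toy stand-ins, and the TOTP and WebAuthn logic is deliberately simplified (no real signatures, fixed truncation).

```python
"""Toy model of an adversary-in-the-middle (AiTM) phishing relay.

Three in-process actors: the victim's browser/authenticator, the attacker's
reverse proxy on a lookalike domain, and the legitimate identity provider
(IdP). No network and no real Microsoft endpoints; origins and user are made up.
"""
import hashlib
import hmac
import secrets
import time

LEGIT_ORIGIN = "https://login.example-idp.test"        # assumed legitimate IdP
PHISH_ORIGIN = "https://login.example-idp-reset.test"  # assumed attacker domain


class IdP:
    """Accepts either password + TOTP, or a simplified WebAuthn-style
    assertion that carries the origin the browser was on when it was made."""

    def __init__(self):
        self.users = {"alice": {"pw": "correct horse battery",
                                "totp_key": secrets.token_bytes(20)}}
        self.sessions = {}    # session cookie -> user
        self.challenges = {}  # outstanding WebAuthn challenge -> user

    def _totp(self, user, step):
        # Simplified RFC 6238: HMAC-SHA1 over the 30-second step counter.
        mac = hmac.new(self.users[user]["totp_key"], step.to_bytes(8, "big"),
                       hashlib.sha1).digest()
        return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

    def totp_now(self, user):
        """What the victim's authenticator app displays right now."""
        return self._totp(user, int(time.time() // 30))

    def login_otp(self, user, password, otp):
        u = self.users.get(user)
        if not u or password != u["pw"]:
            return None
        step = int(time.time() // 30)  # accept current and previous step
        if not any(hmac.compare_digest(otp, self._totp(user, s)) for s in (step, step - 1)):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie  # this cookie is what the proxy walks away with

    def webauthn_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = user
        return challenge

    def login_webauthn(self, user, assertion):
        # The authenticator bound the challenge to the origin the browser
        # reported. Only the IdP's own origin is accepted, so an assertion
        # minted on the phishing page fails even though the challenge is fresh.
        if self.challenges.pop(assertion["challenge"], None) != user:
            return None
        if assertion["origin"] != LEGIT_ORIGIN:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


def victim_authenticator(challenge, browser_origin):
    """Security key / platform authenticator: the assertion includes the
    origin of the page that invoked it (signature omitted in this model)."""
    return {"challenge": challenge, "origin": browser_origin}


class AiTMProxy:
    """Reverse proxy on PHISH_ORIGIN relaying the login flow to the real IdP
    and keeping any session cookie the IdP issues."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen_cookies = []

    def relay_otp(self, user, password, otp):
        # Credentials and the one-time code are forwarded inside the code's
        # validity window, so the IdP accepts them and issues a session.
        cookie = self.idp.login_otp(user, password, otp)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie is not None  # what the victim sees: login succeeded

    def relay_webauthn(self, user):
        challenge = self.idp.webauthn_challenge(user)
        # The victim's browser is on the phishing origin, so that is what
        # the authenticator binds into the assertion.
        assertion = victim_authenticator(challenge, PHISH_ORIGIN)
        cookie = self.idp.login_webauthn(user, assertion)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie is not None


def _attacker_has_session(idp, proxy):
    return any(idp.sessions.get(c) == "alice" for c in proxy.stolen_cookies)


def run_otp_scenario():
    """Returns (victim saw success, attacker holds a valid session)."""
    idp = IdP()
    proxy = AiTMProxy(idp)
    victim_ok = proxy.relay_otp("alice", "correct horse battery", idp.totp_now("alice"))
    return victim_ok, _attacker_has_session(idp, proxy)


def run_webauthn_scenario():
    idp = IdP()
    proxy = AiTMProxy(idp)
    victim_ok = proxy.relay_webauthn("alice")
    return victim_ok, _attacker_has_session(idp, proxy)


if __name__ == "__main__":
    print("password + TOTP via AiTM proxy:", run_otp_scenario())       # (True, True)
    print("WebAuthn via AiTM proxy:       ", run_webauthn_scenario())  # (False, False)
```

The relay needs no cryptographic break: the one-time code is simply valid for long enough to be forwarded, and the session cookie is a bearer token. The WebAuthn path fails only because the relying party checks the origin that the browser, not the attacker, put into the assertion.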
The attackers also used multiple evasion techniques at various stages of the attack, designed to bypass email and network security solutions.
The threat actors were seen targeting the following industries: FinTech, Insurance, Energy, Lending, and Manufacturing. The targeted regions include the U.K., New Zealand, the U.S., and Australia.
Some of the domains registered by the attackers included keywords related to "password expiry" or "password reset". The attackers also used typosquatted versions of domains belonging to legitimate organizations, such as Federal Credit Unions in the U.S. Depending on the victim, the malicious link was delivered either in the body of the email or inside an HTML file attached to it.
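Two of the traits above, lure wording in the registered domain and typosquats of legitimate organizations' domains, lend themselves to a simple triage heuristic over the hostnames found in mail links. The following is an added example, not code from ThreatLabz or the original write-up; the protected-domain list and the sample URLs are constructed for illustration and are not indicators from the published IoC list.

```python
"""Heuristic triage of hostnames found in mail links, modelled on two traits
reported for this campaign: lure domains built around "password expiry" /
"password reset" wording, and typosquats of legitimate organisations' domains.
Protected domains and sample URLs below are constructed, not real indicators."""
from urllib.parse import urlsplit

# Assumed: domains the organisation wants to protect against lookalikes.
PROTECTED = ["examplefcu.example", "login.microsoftonline.com", "example-insurance.example"]
# Lure wording seen in the campaign's domains, plus common variants.
KEYWORDS = ("password", "passwd", "expiry", "expired", "expiration", "reset", "verify")


def levenshtein(a, b):
    """Plain edit distance (a transposition counts as two edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels. Multi-label public
    suffixes such as co.uk would need a public-suffix list, omitted here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def hostname(url):
    if "://" not in url:
        url = "//" + url  # bare host: make urlsplit treat it as the netloc
    return (urlsplit(url).hostname or "").lower()


def analyse_host(host, protected=PROTECTED):
    """Return the reasons a host looks like a lure; [] means no hit."""
    reg = registrable(host)
    if reg in {registrable(p) for p in protected}:
        return []  # the protected domain itself or one of its subdomains
    reasons = []
    hits = sorted(k for k in KEYWORDS if k in host)  # substring match: heuristic
    if hits:
        reasons.append("keyword(s) in host: " + ", ".join(hits))
    sl_host = reg.split(".")[0]
    for p in protected:
        reg_p = registrable(p)
        sl_p = reg_p.split(".")[0]
        d = levenshtein(sl_host, sl_p)
        if 0 < d <= 2:
            reasons.append(f"lookalike of {reg_p} (edit distance {d})")
        elif sl_p in sl_host:
            reasons.append(f"brand label {sl_p!r} embedded in {sl_host!r}")
        if reg_p in host:
            reasons.append(f"protected domain {reg_p} used as subdomain text")
    return reasons


def triage(urls):
    """Map each suspicious hostname to its reasons; clean hosts are omitted."""
    out = {}
    for url in urls:
        host = hostname(url)
        reasons = analyse_host(host) if host else []
        if reasons:
            out[host] = reasons
    return out


# Constructed sample links, not real indicators.
SAMPLE_URLS = [
    "https://password-expiry-notice.example/owa/",
    "https://examplefcu-login.example/",
    "https://exampelfcu.example/login",
    "login.microsoftonline.com.secure-verify.example",
    "https://examplefcu.example/online-banking",
    "https://news.example-insurance.example/",
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_URLS).items():
        print(host)
        for r in reasons:
            print("   -", r)
```

This is a scoring aid for triage, not a blocklist: the substring keyword match and the two-label registrable-domain guess both produce false positives, so results belong in front of an analyst or a sandbox, with the published IoC list used for exact matching.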
Once a victim clicks the malicious link, they are redirected to the phishing page, where their credentials are stolen and used to breach the corporate account. Researchers believe the end goal is business email compromise: the attackers use falsified documents to divert payments to bank accounts under their control.
To bypass automated URL analysis systems, the threat actors use various cloaking and browser fingerprinting techniques, so that the phishing page is served only to what looks like a real victim's browser and sandboxes or scanners see harmless content. They have also been observed abusing legitimate online code editing services such as CodeSandbox to host attack code, which increases the shelf life of the phishing campaign because the hosting domain itself is trusted.
Business Email Compromise (BEC) can have a devastating impact on enterprises. Multi-factor authentication is a valuable layer of security, but it should not be your only one: the threat actors behind this campaign bypassed MFA and traditional security solutions with advanced phishing kits. The bypass works against MFA methods whose proof, a one-time code or a push approval, can be relayed to the real server. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the authentication to the legitimate site's origin, so an AiTM proxy cannot complete them. Organizations should also train their employees on when they should and should not open attachments or click on links in emails from unknown senders.
INDICATORS OF COMPROMISE (IOCs):
Because the list of IoCs is extensive, please follow the link below for the complete list: Microsoft Phishing IoCs.
iocs/iocs.txt at main · threatlabz/iocs · GitHub

SOURCES:
Large-Scale AiTM Attack targeting enterprise users of Microsoft email services | Zscaler
Microsoft accounts targeted with new MFA-bypassing phishing kit (bleepingcomputer.com)
Related Reading: Ransomware vs. Phishing vs. Malware (What's the Difference?)
Contact us for more information about Avertium’s managed security service capabilities.