Overview of Microsoft phishing campaign

A large-scale phishing campaign was disclosed by ThreatLabz this week. The researchers observed the use of advanced phishing kits in a large campaign primarily targeting corporate enterprise users of Microsoft email servers.  

The threat actors behind the campaign have not been identified, but researchers observed the attackers using an adversary-in-the-middle (AiTM) attack technique that is capable of bypassing multi-factor authentication. In this attack, the proxy completes the authentication process with the mail provider's server on the victim's behalf. By acting as an AiTM proxy, the attacker is able to relay all communication back and forth between the victim and the mail provider.  

Also, the attackers were seen using multiple evasion techniques in various stages of their attack. The evasion techniques were designed to bypass email and network security solutions.  

The threat actors were seen attacking the following industries: FinTech, Insurance, Energy, Lending, and Manufacturing. The geographical regions of the attacks include the U.K., New Zealand, the U.S., and Australia.  

Some of the domains registered by the attackers included keywords related to "password expiry" or "password reset". The attackers also used typosquatted versions of domains belonging to legitimate organizations, such as Federal Credit Unions in the U.S. For some victims, the malicious links were either embedded in an HTML file attached to the email or placed directly in the email body.  
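As an added illustration (not part of this advisory or of the ThreatLabz report), the following Python script applies the two domain traits described above, lure keywords such as "password expiry" and small edit-distance typosquats of a watch-listed legitimate domain, to constructed sample URLs. The watch-list entries and sample URLs are placeholders, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Constructed watch-list of legitimate domains to protect (placeholder names,
# not domains taken from the ThreatLabz report).
WATCHLIST = ["examplefcu.org", "microsoftonline.com"]

# Lure keywords the report says appeared in attacker-registered domains.
LURE_KEYWORDS = ("password", "expiry", "reset")


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 signals a one- or two-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude 'last two labels' approximation; adequate for the sample data."""
    return ".".join(host.lower().split(".")[-2:])


def classify_url(url, watchlist=WATCHLIST):
    """Return the reasons a URL's host looks like a credential lure ([] if none)."""
    host = (urlparse(url).hostname or "").lower()
    base = registrable_domain(host)
    if base in watchlist:
        return []  # the genuine domain itself is never a typosquat of itself
    reasons = [f"lure keyword '{kw}' in domain" for kw in LURE_KEYWORDS if kw in host]
    for legit in watchlist:
        d = edit_distance(base, legit)
        if 0 < d <= 2:
            reasons.append(f"typosquat of {legit} (distance {d})")
    return reasons


# Constructed sample URLs; none are real indicators from the campaign.
SAMPLE_URLS = [
    "https://examp1efcu.org/login",
    "https://password-expiry.example.net/verify",
    "https://login.microsoftonline.com/common/oauth2",
    "https://news.example.com/reset-your-password-tips",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify_url(u) or "clean")
```

Only the host is inspected, so lure words that appear in the URL path (the last sample) are deliberately not flagged; the check is a triage aid, not a verdict.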

Once victims click on the malicious links, they are redirected to a phishing page where their credentials are stolen and then used to breach corporate accounts. Researchers believe the attackers use falsified documents to divert payments to attacker-controlled bank accounts.  

To bypass automated URL analysis systems, the threat actors use various cloaking and browser fingerprinting techniques. They’ve also been observed abusing legitimate online code editing services like CodeSandbox to increase the shelf life of the phishing campaign.  

Business Email Compromise (BEC) can have a devastating impact on enterprises. While multi-factor authentication is a valid layer of security, it should not be your only layer of security. The threat actors behind this particular attack have figured out a way to bypass multi-factor authentication and traditional security solutions with the use of advanced phishing kits. It's important for organizations to properly train their employees on when they should and should not open attachments or click on links in emails from unknown sources.  

How Avertium is Protecting Our Customers:

  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a phishing attack.
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

Avertium's recommendations

Employees should be trained on how to spot a phishing email and the importance of not clicking on links or attachments from unknown or untrusted sources. Your organization should be confident that staff will not fall for clever phishing campaigns.  



INDICATORS OF COMPROMISE (IOCs):

Because the list of IoCs is so exhaustive, we ask that you click on the following link to see a complete list: Microsoft Phishing IoCs 


Supporting documentation

iocs/iocs.txt at main · threatlabz/iocs · GitHub 

Large-Scale AiTM Attack targeting enterprise users of Microsoft email services | Zscaler 

Microsoft accounts targeted with new MFA-bypassing phishing kit (bleepingcomputer.com) 


Related Reading: Ransomware vs. Phishing vs. Malware (What's the Difference?)


Contact us for more information about Avertium’s managed security service capabilities.