Zscaler's threat research team has uncovered a new large-scale phishing campaign targeting Microsoft email users. Its primary targets are corporate end users in enterprise environments that rely on Microsoft email services.
The attackers use Adversary-in-the-Middle (AiTM) techniques to circumvent multi-factor authentication (MFA). In early July, Microsoft disclosed a similar attack that targeted more than 10,000 organisations and used AiTM techniques to bypass MFA protections.
According to the Microsoft Report: “A large-scale phishing campaign used [AiTM] phishing sites to steal passwords, hijack a user’s sign-in session, and bypass authentication even when [MFA] was enabled. The attackers then used the stolen credentials and session cookies to gain access to the mailboxes of the affected users and launch subsequent BEC campaigns against other targets.”
Zscaler describes the new attack as “highly sophisticated”, saying, “It makes use of an [AiTM] attack technique capable of circumventing multi-factor authentication [as well as] multiple evasion techniques used in various stages of the attack designed to circumvent conventional email security and network security solutions.”
The campaign primarily targets businesses in the United States, the United Kingdom, New Zealand and Australia. The main target industries are FinTech, lending, finance, insurance, accounting, energy, and federal credit unions.
The attack begins with phishing emails sent to Microsoft email addresses, and everything hinges on how recipients react to them. The email either contains a direct link to the phishing domain or carries an HTML attachment that contains the link. Either way, the user must click the link for the attack chain to begin.
Similar to the earlier campaign described by Microsoft, the phishing emails in this campaign use a variety of lures. One email stated that an invoice needed to be reviewed, while another stated that a new document needed to be viewed online.
The campaign employs several redirection techniques. For example, Zscaler observed that the attackers "rapidly created new code pages, pasted into them a redirect code with the latest phishing site's URL, and proceeded to email the link to the hosted redirect code to victims en masse."
The phishing sites used fingerprinting techniques to determine whether a page visitor was a targeted victim of the campaign or not. According to Zscaler, this is done to make access to phishing sites more difficult for security researchers.
In an AiTM phishing attack, the phishing site acts as a proxy between the user's browser and the legitimate sign-in service, relaying the whole login flow, including the MFA step, in both directions while it manipulates and inspects the traffic. Because the proxy sees the exchange, it captures the session cookie the service issues once authentication succeeds. That cookie lets the attacker access the mailbox without signing in again or completing MFA.
Phishing campaigns are becoming more sophisticated, but they all share one feature: they require user interaction. Most users cannot reliably analyse an email to determine whether it comes from a legitimate sender.
While Microsoft 365 Defender can detect these phishing techniques, an organisation can add another layer of security to its sign-in process by combining multi-factor authentication with custom conditional access policies that check identity markers such as IP location, device status, and group membership. Device status is the strongest of these against AiTM: the proxy can relay a password and an MFA code, but it cannot present the compliant-device claim that comes from the victim's own enrolled device.
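As an added illustration of such a policy (not from Microsoft's or Zscaler's reports), the following is a Microsoft Graph conditionalAccessPolicy body that requires both MFA and a compliant device for members of a named group whenever they sign in from outside the tenant's trusted named locations. The group id is a placeholder, and the policy is created in report-only mode so its effect can be reviewed in sign-in logs before enforcement.

```json
{
  "displayName": "Finance: require MFA and compliant device outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["00000000-0000-0000-0000-000000000000"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

The "AND" operator is what matters here: with "OR", a relayed MFA code alone would satisfy the policy. Switch "state" to "enabled" once the report-only results show no unexpected blocks.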
The report also recommends deploying additional security solutions against AiTM attacks. "Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited Web sites," it advises. "Businesses, for example, can use web browsers that detect and block malicious websites, such as those used in this phishing campaign."
Finally, educating end users on how to recognise these phishing attempts will help lower their success rate. Microsoft also advised defenders to "watch for suspicious sign-in attempts (for example, location, ISP, user agent, or use of anonymizer services)."
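The advice above, and the session-cookie theft described earlier, can be turned into a concrete hunt. The following is an added example, not code from Microsoft, Zscaler or the article: it runs three checks over a set of sign-in records, flagging an MFA-completing sign-in from a network the user has never used (in an AiTM attack, that address belongs to the attacker's proxy), a session cookie presented from a different IP, country or user agent than the device that completed MFA, and any use of a hosting or anonymizer network. The record layout, the ASN labels and the sample events are constructed to stand in for an Azure AD sign-in export.

```python
"""Hunt for AiTM-style session hijacking in sign-in records.

Added example, not code from Zscaler, Microsoft or the article. The record
layout, ASN labels and sample events are constructed; a real deployment would
read an Azure AD sign-in export and an ASN feed instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed labels standing in for ASNs of hosting/VPN providers.
ANONYMIZER_ASNS = {"AS-HOSTING-1", "AS-VPN-2"}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # ties together events that presented the same session cookie
    ip: str
    asn: str
    country: str
    user_agent: str
    mfa: str          # "completed": interactive MFA; "token": MFA claim carried by the cookie


def detect_aitm(events, baseline, max_gap=timedelta(hours=12)):
    """Return (session_id, rule, detail) tuples for suspicious activity.

    baseline maps a user to the set of ASNs seen in that user's normal sign-ins.
    """
    findings = []
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    for sid, evs in by_session.items():
        # Rule 1: the sign-in that satisfied MFA came from an ASN the user has
        # never used. With AiTM, that address is the attacker's reverse proxy.
        anchor = next((e for e in evs if e.mfa == "completed"), None)
        if anchor is None:
            continue
        if anchor.asn not in baseline.get(anchor.user, set()):
            findings.append((sid, "mfa_from_new_asn", f"{anchor.user} {anchor.asn} {anchor.ip}"))
        for e in evs:
            # Rule 3: any event from a hosting or anonymizer network.
            if e.asn in ANONYMIZER_ASNS:
                findings.append((sid, "anonymizer_asn", f"{e.user} {e.asn} {e.ip}"))
            if e is anchor or e.ts < anchor.ts or e.ts - anchor.ts > max_gap:
                continue
            # Rule 2: the cookie issued after MFA is presented from a different
            # IP, country or user agent than the device that completed MFA.
            reasons = [name for name, a, b in (
                ("ip", anchor.ip, e.ip),
                ("country", anchor.country, e.country),
                ("user_agent", anchor.user_agent, e.user_agent),
            ) if a != b]
            if e.mfa == "token" and reasons:
                findings.append((sid, "cookie_replay",
                                 f"{e.user} changed {','.join(reasons)} at {e.ts:%H:%M}"))
    return findings


def sample_events():
    """Constructed records: alice is phished through an AiTM proxy, bob is normal."""
    t0 = datetime(2022, 8, 3, 10, 0)
    return [
        # alice's password and MFA code are relayed by the proxy, so the
        # identity provider sees the interactive MFA sign-in from the proxy's IP.
        SignIn(t0, "alice", "s-alice", "203.0.113.5", "AS-HOSTING-1", "NL",
               "Edge/104 Windows", "completed"),
        # Seven minutes later the attacker replays the stolen cookie from a VPN exit.
        SignIn(t0 + timedelta(minutes=7), "alice", "s-alice", "192.0.2.77", "AS-VPN-2", "RU",
               "Chrome/104 Linux", "token"),
        # bob: an ordinary session whose cookie is reused from the same device.
        SignIn(t0, "bob", "s-bob", "198.51.100.20", "AS-CORP", "US",
               "Edge/104 Windows", "completed"),
        SignIn(t0 + timedelta(hours=2), "bob", "s-bob", "198.51.100.20", "AS-CORP", "US",
               "Edge/104 Windows", "token"),
    ]


# Constructed baseline: both users normally sign in from the corporate network.
BASELINE = {"alice": {"AS-CORP"}, "bob": {"AS-CORP"}}


if __name__ == "__main__":
    for finding in detect_aitm(sample_events(), BASELINE):
        print(finding)
```

Rule 2 is the one specific to AiTM: a legitimate user who completed MFA on a laptop keeps using that laptop, so a cookie that reappears minutes later from another country and browser is the replay itself, not the phish. Rule 1 fires before any replay happens and is worth alerting on its own, since the proxy's address is rarely one the victim has used before.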