Microsoft warns of multi-stage phishing attacks using Azure AD

Microsoft analysts have discovered and warned of a large-scale, multi-stage phishing attack that uses stolen credentials to register an attacker-controlled device in the target's Azure AD tenant and then uses that device to send further phishing emails.

https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/

In addition to traditional phishing methods, this attack uses a newer technique: the attacker registers an attacker-controlled device in the organization's Azure AD tenant to extend the attack. The second phase of the attack was only found to succeed against victims who had not implemented multi-factor authentication (MFA), a key pillar of identity security. Without MFA in place, the attacker can abuse the Bring-Your-Own-Device (BYOD) enrollment flow to register their own device with the credentials they just stole.

According to the report, the attack only succeeded against accounts that were not protected by multi-factor authentication (MFA), which made them easier to hijack.

The attack was carried out in two phases. The first phase stole recipients' email credentials by luring them with DocuSign-themed emails that prompted them to review and sign a document.

The embedded link sends the victim to a phishing URL that mimics the Office 365 login page and pre-populates the victim's username to look authentic.

Targeting weak security points

According to Microsoft’s measurement data, the first phase of the attack focused primarily on companies located in Australia, Singapore, Indonesia and Thailand.

The attackers tried to compromise remote employees, poorly protected managed service providers, and other infrastructure that may have been operating outside the scope of strict security policies.

Microsoft analysts discovered this threat by detecting the anomalous creation of an inbox rule. Such rules are added shortly after an attacker gains control of a mailbox, to suppress IT notification messages that might tip off the victim.

The attacker used a remote PowerShell session to create the inbox rule with the New-InboxRule cmdlet, deleting specific messages based on keywords in the subject or body of the email. This rule let the attackers remove non-delivery reports and IT notification emails that might otherwise have reached the compromised users and raised their suspicion.

Subsequent investigation revealed more than 100 compromised mailboxes across multiple organizations, each carrying a malicious mailbox rule named "Spam Filter".
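A hunt for the rule pattern described above, as an added example (this is not code from the article or from Microsoft). It assumes audit records in the simplified shape that Exchange Online's unified audit log gives a New-InboxRule cmdlet call (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs); the keyword list and all sample records are constructed for the example. The logic generalizes beyond the "Spam Filter" name on the page: any rule that deletes, moves or marks as read messages matching non-delivery or IT-support wording is reported.

```python
import json

# The only rule name the article attributes to this campaign.
KNOWN_MALICIOUS_RULE_NAMES = {"spam filter"}

# Terms an attacker-created rule typically matches on to suppress non-delivery
# reports and IT/security notifications. The article does not list the campaign's
# exact words; these are an assumption for the example and should be tuned to the
# wording your own helpdesk and mail system use.
HIDING_KEYWORDS = ("undeliverable", "delivery failure", "helpdesk", "it support",
                   "security alert", "password", "phish", "suspicious sign")

# New-InboxRule / Set-InboxRule parameters that make a matching message vanish
# from the user's view. Any non-empty value other than "False" counts as set.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")


def rule_parameters(record):
    """Flatten the audit record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def assess_inbox_rule(record):
    """Return the reasons an inbox-rule audit record looks like mailbox hiding.

    An empty list means the record is not an inbox-rule change or looks benign.
    """
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = rule_parameters(record)
    reasons = []

    name = params.get("Name", "").strip().lower()
    if name in KNOWN_MALICIOUS_RULE_NAMES:
        reasons.append(f"rule name {params['Name']!r} matches the campaign's known rule name")

    hides = [a for a in HIDING_ACTIONS
             if params.get(a, "False").strip().lower() not in ("false", "")]
    # Join every *ContainsWords condition (Subject, Body, SubjectOrBody, FromAddress).
    conditions = " ".join(v.lower() for k, v in params.items() if k.endswith("ContainsWords"))
    hits = [kw for kw in HIDING_KEYWORDS if kw in conditions]
    if hides and hits:
        reasons.append("rule applies " + "/".join(hides)
                       + " to messages matching: " + ", ".join(hits))
    return reasons


def hunt(audit_lines):
    """Run assess_inbox_rule over JSON audit lines; return (user, client IP, reasons) hits."""
    findings = []
    for line in audit_lines:
        record = json.loads(line)
        reasons = assess_inbox_rule(record)
        if reasons:
            findings.append((record.get("UserId"), record.get("ClientIP"), reasons))
    return findings


# Constructed sample records in the simplified shape of Exchange Online audit entries.
SAMPLE_AUDIT_LINES = [
    # 1: the pattern described in the article (rule name, delete action, NDR/IT keywords)
    json.dumps({"Operation": "New-InboxRule", "UserId": "victim@example.com",
                "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Name", "Value": "Spam Filter"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "undeliverable;it support;security alert"}]}),
    # 2: a benign user rule that files newsletters
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.8",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords",
                                "Value": "newsletter@vendor.example"}]}),
    # 3: an unrelated admin cmdlet that the hunt must ignore
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@example.com",
                "ClientIP": "203.0.113.8",
                "Parameters": [{"Name": "Identity", "Value": "alice@example.com"}]}),
]

if __name__ == "__main__":
    for user, ip, reasons in hunt(SAMPLE_AUDIT_LINES):
        print(f"{user} from {ip}:")
        for reason in reasons:
            print("  -", reason)
```

Only the first sample is reported, with two reasons (the known rule name and the delete-on-keyword behaviour); the newsletter rule moves messages but matches none of the hiding keywords, so it stays quiet. In practice the records would come from Search-UnifiedAuditLog filtered on the New-InboxRule and Set-InboxRule operations, with the keyword list extended to your own environment's wording.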

Azure AD registration

After obtaining the credentials, the attacker installs Outlook on their own Windows 10 machine and signs in to the user's email account. This action automatically registers the attacker's device in the company's Azure Active Directory tenant.

Microsoft adds that, even with the credentials stolen, an Azure AD MFA policy would not have allowed the unauthorized registration.

Once the attacker's device is registered in the target organization's tenant, the attack proceeds to the second phase: sending emails to the targeted company's employees and to external targets such as contractors, suppliers and partners.

Because these messages originate from a legitimate account inside the organization, sent from a registered device, security solutions do not flag them, which increases the likelihood of a successful attack.

Microsoft also expects that registering a rogue device causes the policies meant for recognized devices to be applied to it, which makes lateral phishing easier.

Azure AD records an activity timestamp when a device attempts to authenticate, and that is the point at which defenders can spot a suspicious registration.

If the registration goes unnoticed, the attacker can use the stolen, valid credentials to send messages through Outlook from what appears to be a trusted, registered device inside the organization.
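The correlation defenders need for the registrations discussed above, as an added example that is not code from the article or from Microsoft. It assumes Azure AD audit-log and sign-in-log records in a simplified form of their Microsoft Graph schema (audit events of category "Device" with activity "Register device"; sign-ins carrying authenticationRequirement and location.countryOrRegion); the 30-minute window, the per-user country baseline and all sample records are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# A registration that follows a sign-in by the same user within this window is
# treated as belonging to that sign-in. The value is an assumption for the example.
REGISTRATION_WINDOW = timedelta(minutes=30)


def parse_time(value):
    """Parse the ISO 8601 timestamps (trailing 'Z') found in Azure AD logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_device_registrations(audit_events, signins, known_countries):
    """Correlate 'Register device' audit events with the sign-ins that preceded them.

    A registration is reported when the same user signed in within
    REGISTRATION_WINDOW before it without satisfying MFA. It is rated 'high' if that
    sign-in also came from a country absent from the user's baseline, else 'medium'.
    known_countries maps a UPN to the set of countries seen in its sign-in history.
    """
    findings = []
    for event in audit_events:
        if event.get("category") != "Device" or event.get("activityDisplayName") != "Register device":
            continue
        user = event["initiatedBy"]["user"]["userPrincipalName"]
        registered_at = parse_time(event["activityDateTime"])
        device = next((t["displayName"] for t in event.get("targetResources", [])
                       if t.get("type") == "Device"), "<unknown device>")
        for signin in signins:
            if signin["userPrincipalName"] != user:
                continue
            seen_at = parse_time(signin["createdDateTime"])
            if not (registered_at - REGISTRATION_WINDOW <= seen_at <= registered_at):
                continue
            if signin.get("authenticationRequirement") == "multiFactorAuthentication":
                continue  # MFA satisfied: the registration path the article describes is closed
            country = signin.get("location", {}).get("countryOrRegion")
            new_country = country not in known_countries.get(user, set())
            findings.append({
                "user": user,
                "device": device,
                "ip": signin.get("ipAddress"),
                "country": country,
                "severity": "high" if new_country else "medium",
                "reason": "device registered after a single-factor sign-in"
                          + (" from an unfamiliar country" if new_country else ""),
            })
    return findings


# Constructed samples in a simplified form of the Azure AD audit and sign-in log schemas.
SAMPLE_AUDIT_EVENTS = [
    {"category": "Device", "activityDisplayName": "Register device",
     "activityDateTime": "2022-01-20T09:03:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"type": "Device", "displayName": "DESKTOP-7Q2K1"}]},
    {"category": "Device", "activityDisplayName": "Register device",
     "activityDateTime": "2022-01-20T10:02:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"type": "Device", "displayName": "LAPTOP-ALICE"}]},
    {"category": "UserManagement", "activityDisplayName": "Update user",
     "activityDateTime": "2022-01-20T10:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": []},
]

SAMPLE_SIGNINS = [
    # Outlook sign-in from the attacker's Windows 10 box: no MFA, unfamiliar country.
    {"userPrincipalName": "victim@example.com", "createdDateTime": "2022-01-20T09:01:00Z",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NL"},
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Microsoft Office"},
    # A legitimate user enrolling a new laptop with MFA from her usual country.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-01-20T10:00:00Z",
     "ipAddress": "203.0.113.8", "location": {"countryOrRegion": "AU"},
     "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Microsoft Office"},
]

# Baseline of countries each user has signed in from historically (constructed).
KNOWN_COUNTRIES = {"victim@example.com": {"AU"}, "alice@example.com": {"AU"}}

if __name__ == "__main__":
    for finding in flag_device_registrations(SAMPLE_AUDIT_EVENTS, SAMPLE_SIGNINS, KNOWN_COUNTRIES):
        print(finding)
```

The victim's registration is reported as high severity because the Outlook sign-in that produced it was single-factor and came from a country the user had never signed in from; Alice's enrollment is skipped because her sign-in satisfied MFA, which is exactly the control the article says would have blocked the attacker's registration.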

Microsoft found that the second wave of phishing messages was much larger than the first: more than 8,500 SharePoint-themed emails were sent with a "Payment.pdf" attachment.

Although this phishing attack was sophisticated and moderately successful, it would not have been as effective if the targeted companies had taken the following measures.

  • Enable MFA on every employee's Office 365 account.
  • Deploy an endpoint protection solution that can detect the creation of inbox rules.
  • Closely monitor Azure AD device registrations.
  • Require MFA to register a device in Azure AD.
