September 30, 2023

Microsoft has elaborated about a large-scale phishing campaign that leverages stolen credentials to register devices on a target’s network to extend the attack to other enterprises.

The attack exploits the BYOD process by registering a device using freshly stolen credentials, the second stage of the campaign observed by Microsoft was successful against victims that did not implement MFA.


The first phase of the campaign involved stealing credentials in target organizations, most of them located in Australia, Singapore, Indonesia, and Thailand. In the second phase, these credentials were used to expand the attackers’ foothold within the organization “via lateral phishing as well as beyond the network via outbound spam.”

The attack initiated with a DocuSign-branded phishing lure containing a link. Once the link is clicked, the recipient is redirected to a rogue website masquerading as the login page for Office 365 to steal the credentials.


The campaign employed a set of phishing domains registered under .xyz top-level domain belowthe regular expression syntax shared by Microsoft. The link is unique to each email.

UrlDomain matches regex @”^[a-z]{5}\.ar[a-z]{4,5}\.xyz”

An inbox rule to prevent detection.

Mailbox rule nameConditionActionSpam Filter SubjectOrBodyContainsWords: “junk;spam;phishing;hacked;password;with you” DeleteMessage, MarkAsRead

In the second phase, threat actors exploited the lack of MFA to join a device to its Azure Active Directory instance.

Oncr the device registered, it’s recognized as part of the domain with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.The attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization. The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the ‘Payment.pdf’ file being shared was legitimate.

Microsoft Statement

The recommendations to defend against these types of multi-staged phishing campaigns, are enabling MFA, adopting good credential hygiene, and implementing network segmentation.

Leave a Reply

%d bloggers like this: