March 27, 2023

Microsoft has elaborated about a large-scale phishing campaign that leverages stolen credentials to register devices on a target’s network to extend the attack to other enterprises.

The attack exploits the BYOD process by registering a device using freshly stolen credentials, the second stage of the campaign observed by Microsoft was successful against victims that did not implement MFA.

Advertisements

The first phase of the campaign involved stealing credentials in target organizations, most of them located in Australia, Singapore, Indonesia, and Thailand. In the second phase, these credentials were used to expand the attackers’ foothold within the organization “via lateral phishing as well as beyond the network via outbound spam.”

The attack initiated with a DocuSign-branded phishing lure containing a link. Once the link is clicked, the recipient is redirected to a rogue website masquerading as the login page for Office 365 to steal the credentials.

Advertisements

The campaign employed a set of phishing domains registered under .xyz top-level domain belowthe regular expression syntax shared by Microsoft. The link is unique to each email.

UrlDomain matches regex @”^[a-z]{5}\.ar[a-z]{4,5}\.xyz”

An inbox rule to prevent detection.

Mailbox rule nameConditionActionSpam Filter SubjectOrBodyContainsWords: “junk;spam;phishing;hacked;password;with you” DeleteMessage, MarkAsRead

In the second phase, threat actors exploited the lack of MFA to join a device to its Azure Active Directory instance.

Oncr the device registered, it’s recognized as part of the domain with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.The attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization. The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the ‘Payment.pdf’ file being shared was legitimate.

Microsoft Statement
Advertisements

The recommendations to defend against these types of multi-staged phishing campaigns, are enabling MFA, adopting good credential hygiene, and implementing network segmentation.

Tags:

Leave a Reply

You may have missed

Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
Dark Power Ransomware Dissection

Dark Power Ransomware Dissection

March 26, 2023
CatB Ransomware Dissection

CatB Ransomware Dissection

March 26, 2023
Microsoft Patches Acropalypse Vulnerability

Microsoft Patches Acropalypse Vulnerability

March 26, 2023
TheCyberThrone Security Week In Review – March 25th, 2023

TheCyberThrone Security Week In Review – March 25th, 2023

March 26, 2023
ChatGPT for Google- Harvest Facebook Accounts

ChatGPT for Google- Harvest Facebook Accounts

March 26, 2023
%d bloggers like this: