Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft: 10,000 Organizations Targeted in Large-Scale Phishing Campaign

Microsoft has warned users about a large-scale phishing campaign that has been targeting over 10,000 organizations to perform follow-on business email compromise (BEC).

Microsoft has warned users about a large-scale phishing campaign that has been targeting over 10,000 organizations to perform follow-on business email compromise (BEC).

As part of the campaign, the attackers have been using adversary-in-the-middle (AiTM) phishing sites to steal credentials, and have been hijacking sign-in sessions to bypass authentication even with multifactor authentication (MFA) enabled.

AiTM is a phishing technique in which the attackers deploy a proxy webserver between the user and the site they are trying to sign in to, to intercept the user’s credentials and their session cookie, which enables the user to remain authenticated to the site.

The phishing page uses two different TLS sessions – one with the user and the other with the site the user tries to access – to intercept the authentication process and extract the targeted sensitive information.

“Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled,” Microsoft notes.

Since September 2021, Office 365 users at over 10,000 organizations have been targeted in attacks that have been spoofing the Office online authentication page.

In one attack, the threat actor targeted multiple employees at different organizations with emails that carried an HTML file attachment, and which claimed that the recipient had a voice message.

Once the HTML file was opened, it would load in the user’s browser and display a fake download progress bar.

Instead, the victim was redirected to a phishing site, where the recipient’s email address was automatically filled out in the sign-in field, a technique meant to enhance the social engineering lure and to prevent anti-phishing solutions from accessing the page.

The webserver proxied the target organization’s Azure Active Directory (Azure AD) sign-in page, which also contained the organization’s logo where necessary.

“Once the target entered their credentials and got authenticated, they were redirected to the legitimate page. However, in the background, the attacker intercepted the said credentials and got authenticated on the user’s behalf. This allowed the attacker to perform follow-on activities—in this case, payment fraud—from within the organization,” Microsoft explains.

Follow-on payment fraud activities typically started roughly five minutes after the credential theft. The attackers used the stolen session cookie to log in to Outlook online (

In the days following the initial compromise, the adversary would access finance-related emails and file attachments and search for email threads that would allow them to perform BEC fraud. They also deleted the original phishing email from the victim’s inbox.

“These activities suggest the attacker attempted to commit payment fraud manually. They also did this in the cloud—they used Outlook Web Access (OWA) on a Chrome browser and performed the above mentioned activities while using the compromised account’s stolen session cookie,” Microsoft says.

After identifying an email thread relevant for their activities, the threat actor would create a rule to have messages from the BEC scam target sent to the archive folder, to prevent the mailbox owner from noticing the fraudulent activity.

The adversary then replied to an ongoing thread related to payments and then logged in every few hours, to check for replies from the recipient. In some cases, the attackers would communicate with the intended victim for days.

“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains,” Microsoft explains.

Related: FBI Warns of ‘Reverse’ Instant Payments Phishing Schemes

Related: Phishers Add Chatbot to the Phishing Lure

Related: APT Group Using Voice Changing Software in Spear-Phishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...