Microsoft has warned users about a large-scale phishing campaign that has been targeting over 10,000 organizations to perform follow-on business email compromise (BEC).
As part of the campaign, the attackers have been using adversary-in-the-middle (AiTM) phishing sites to steal credentials, and have been hijacking sign-in sessions to bypass authentication even with multifactor authentication (MFA) enabled.
AiTM is a phishing technique in which the attackers deploy a proxy web server between the user and the site they are trying to sign in to. The proxy intercepts both the user’s credentials and the session cookie the site issues after authentication, and it is that cookie which keeps a user signed in to the site.
The phishing page uses two different TLS sessions – one with the user and the other with the site the user tries to access – to intercept the authentication process and extract the targeted sensitive information.
“Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled,” Microsoft notes.
Since September 2021, Office 365 users at over 10,000 organizations have been targeted in attacks that have been spoofing the Office online authentication page.
In one attack, the threat actor targeted multiple employees at different organizations with emails that carried an HTML file attachment, and which claimed that the recipient had a voice message.
Once opened, the HTML file would load in the user’s browser and display a fake download progress bar.
Instead of a download, however, the victim was redirected to a phishing site where the recipient’s email address was already filled in on the sign-in field, a technique meant both to enhance the social engineering lure and to prevent anti-phishing solutions from accessing the page.
The web server proxied the target organization’s Azure Active Directory (Azure AD) sign-in page and, where applicable, displayed the organization’s logo.
“Once the target entered their credentials and got authenticated, they were redirected to the legitimate office.com page. However, in the background, the attacker intercepted the said credentials and got authenticated on the user’s behalf. This allowed the attacker to perform follow-on activities—in this case, payment fraud—from within the organization,” Microsoft explains.
Follow-on payment fraud activities typically started roughly five minutes after the credential theft. The attackers used the stolen session cookie to log in to Outlook online (outlook.office.com).
In the days following the initial compromise, the adversary would access finance-related emails and file attachments and search for email threads that would allow them to perform BEC fraud. They also deleted the original phishing email from the victim’s inbox.
“These activities suggest the attacker attempted to commit payment fraud manually. They also did this in the cloud—they used Outlook Web Access (OWA) on a Chrome browser and performed the above-mentioned activities while using the compromised account’s stolen session cookie,” Microsoft says.
After identifying an email thread relevant to their scheme, the threat actor would create an inbox rule that moved messages from the BEC target to the archive folder, so that the mailbox owner would not notice the fraudulent correspondence.
The adversary then replied to an ongoing thread related to payments and logged in every few hours to check for replies from the recipient. In some cases, the attackers would communicate with the intended victim for days.
“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains,” Microsoft explains.
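Two of the post-compromise behaviours described above, the stolen session cookie being replayed from a different address shortly after the sign-in, and an inbox rule that diverts mail from the BEC target’s domains into the archive folder, lend themselves to simple detection logic. The following is an added example, not code from Microsoft or from the article; the audit records are constructed and their schema (a `session` field, the `op`/`params` layout) is an assumption, although `New-InboxRule`, `Set-InboxRule`, `MoveToFolder` and `FromAddressContainsWords` are the real Exchange cmdlet and parameter names.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified audit records (not real Microsoft log output). Only the
# cmdlet and parameter names are real; the rest of the schema is an assumption.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"time": "2022-07-12T09:00:00", "op": "UserLoggedIn", "user": "cfo@example.com", "ip": "198.51.100.7", "session": "s1"}
{"time": "2022-07-12T09:05:10", "op": "UserLoggedIn", "user": "cfo@example.com", "ip": "203.0.113.9", "session": "s1"}
{"time": "2022-07-12T09:06:00", "op": "New-InboxRule", "user": "cfo@example.com", "ip": "203.0.113.9", "params": {"Name": "Invoices", "FromAddressContainsWords": ["vendor-a.example"], "MoveToFolder": "Archive"}}
{"time": "2022-07-13T14:00:00", "op": "Set-InboxRule", "user": "cfo@example.com", "ip": "203.0.113.9", "params": {"Name": "Invoices", "FromAddressContainsWords": ["vendor-a.example", "vendor-b.example"], "MoveToFolder": "Archive"}}
{"time": "2022-07-12T11:00:00", "op": "New-InboxRule", "user": "hr@example.com", "ip": "198.51.100.7", "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news.example"], "MoveToFolder": "Reading"}}
""".strip().splitlines()]

# Folders a mailbox owner rarely looks at; mail diverted here is effectively hidden.
LOW_VISIBILITY = {"archive", "deleted items", "junk email", "rss subscriptions"}


def flag_inbox_rules(events):
    """Return (user, op, sender words) for new or modified inbox rules that move
    mail from specific senders into a low-visibility folder."""
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["params"]
        if p.get("MoveToFolder", "").lower() in LOW_VISIBILITY and p.get("FromAddressContainsWords"):
            hits.append((e["user"], e["op"], tuple(p["FromAddressContainsWords"])))
    return hits


def flag_session_reuse(events, window=timedelta(minutes=30)):
    """Return (user, session, first ip, second ip) when the same session id is
    presented from a different IP within `window` of its first sign-in, the
    pattern a replayed session cookie produces."""
    first_seen = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["op"] != "UserLoggedIn":
            continue
        key = (e["user"], e["session"])
        t = datetime.fromisoformat(e["time"])
        if key not in first_seen:
            first_seen[key] = (t, e["ip"])
        elif e["ip"] != first_seen[key][1] and t - first_seen[key][0] <= window:
            hits.append((e["user"], e["session"], first_seen[key][1], e["ip"]))
    return hits
```

The rule-change check fires on both the original rule and the later update that adds a second target domain, which matches the behaviour Microsoft describes for the compromised mailbox.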