Microsoft has warned organizations in the United States about a sophisticated phishing campaign that uses a “code of conduct review” theme to lure victims to a malicious website.
The tech giant observed more than 35,000 attempts between April 14 and 16. The malicious emails were received by users across roughly 13,000 organizations in 26 countries, but 92% of the targets were in the US.
Many of the messages were received by users in the healthcare and life sciences, financial services, professional services, and technology and software sectors.
The phishing emails purport to be internal regulatory or compliance messages, with display names such as ‘Team Conduct Report’, ‘Workforce Communications’, and ‘Internal Regulatory COC’, and subject lines such as ‘Reminder: employer opened a non-compliance case log’ and ‘Internal case log issued under conduct policy’.
“Analysis of the sending infrastructure indicated that the campaign emails were sent using a legitimate email delivery service, likely originating from a cloud-hosted Windows virtual machine. The messages were sent from multiple sender addresses using domains that are likely attacker-controlled,” Microsoft explained.
The recipient is instructed to open a personalized attachment to review case materials. The attachments are PDF documents titled ‘Awareness Case Log File’ or ‘Disciplinary Action’ that direct the user to click the ‘Review Case Materials’ link within the document.
When the link is clicked, the user is taken to a Cloudflare CAPTCHA page, which Microsoft believes serves as a gating mechanism against automated analysis. The victim is then directed to a page stating that the documents need to be reviewed and signed.
The victim is then taken to a page where they are instructed to enter their email address, followed by a second CAPTCHA page. The user is then told that the verification has been successfully completed and is asked to sign in to their Microsoft account.
This last step of the attack involves adversary-in-the-middle (AitM) phishing, in which the attacker proxies the session to capture authentication tokens and gain immediate access to the targeted account.
“Unlike traditional credential harvesting, AiTM attacks intercept authentication traffic in real time, bypassing non-phishing-resistant multifactor authentication (MFA),” Microsoft noted.
Enterprises at risk of being targeted in this and similar phishing campaigns have been provided with recommendations for mitigating attacks, as well as threat-hunting queries and indicators of compromise (IoCs).
Related: New Bluekit Phishing Kit Features AI Assistant
Related: Robinhood Vulnerability Exploited for Phishing Attacks
Related: Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks
