Phishing is the most frequently used break-in technique and an attack vector malicious actors have used for years. The latest report by the Microsoft 365 Defender Threat Intelligence Team warns of a new and powerful phishing campaign that targets employees’ bring-your-own-device(s) (BYODs). The attackers register their own devices in corporate networks and gradually make their way into internal and external corporate networks. In this phishing scam, the adversaries target the unmanaged devices within organizations to compromise networks and evade detection by taking advantage of the absence of security measures like multi-factor authentication (MFA) within organizations.
What is the Attack Vector?
On 26th January 2022, Microsoft released a blog post informing users of a recently discovered multi-phase phishing campaign targeting its vast user base. The attack vector has reportedly affected over 8,500 email accounts so far, and Microsoft warns that attackers take a furious approach to authenticating their own devices within organizational networks. The attack unfolds in two phases. The first phase assimilates attacker-operated devices within corporate networks. The second phase connects attackers’ devices to the victim’s Azure Active Directory to send lateral phishing messages to all linked email accounts within and outside the company network.
This phishing campaign stands out because of three primary aspects:
- BYOD break-in: Attackers take advantage of the unmanaged devices in corporate networks that have increased in recent years because of the work-from-home and BYOD culture.
- Inbox rule: The next thing an attacker did after compromising a device or using stolen credentials to authenticate their device was to connect with Exchange Online PowerShell. Attackers could then create an inbox rule in the compromised email accounts, which auto-deletes particular messages from the victim’s inbox not to arouse any suspicions. The deleted messages ranged from IT notification emails to non-delivery reports and keyword-specific emails.
- Absence of MFA: The Microsoft report states that organizations with MFA enabled could detect the attack vector and prevent it from propagating.
Microsoft notes that a combination of all three steps – from the compromise of unmanaged devices to creating an attacker-approved inbox rule to the absence of MFA, leads to a successful phishing campaign and its propagation.
How Does the Attack Take Place?
The attack happens in two parts or phases. The first phase involves stealing credentials from organizations located in Singapore, Australia, Thailand, and Indonesia. These stolen credentials were then used to compromise accounts within and beyond the organizations through lateral phishing and outbound spam. Here is a detailed description of both these phases:
In this phase, victim’s first receive a legitimate-looking DocuSign-branded phishing email. For this purpose, the attackers reportedly used a set of phishing domains registered under the .xyz top-level domain. To render credibility to the whole scam, adversaries generated unique emails (with the victim’s email ID encrypted in the query parameter of the URL) for each user. Clicking on the link would lead users to a spoofed Microsoft Office 365 login page with victims’ primary details prefilled (like the original 365 login page) that only required their passwords to be entered.
Once a victim shared their details on this fake Office 365 login page, adversaries used these credentials to connect with Exchange Online PowerShell. Using this remote PowerShell connection, the attackers implemented the inbox rule (discussed above), which blocked Microsoft’s in-built email security measures from notifying the victim of suspicious activities.
Since attackers now had access to the account credentials of company employees, it was easy for them to enter the network and spread the attack vector further, and the absence of MFA aided this. The adversaries used the lack of MFA to their benefit and joined a device’s Azure Active Directory (Azure AD). They first installed Outlook on their own Windows 10 devices and then connected it to the victim organization’s Azure AD. This becomes a crucial juncture as the attackers’ further entry into the network depends on whether the Azure AD MFA policy is active. An active Azure AD MFA policy can detect the attack and stop propagation.
All accounts without MFA were used to send phishing messages to more than 8,500 users inside and outside the compromised company’s network. The attackers used a SharePoint invitation as a subject to convince recipients of the authenticity of the shared file – “Payment.pdf.”
Who is Vulnerable?
The unique phishing campaign identified by Microsoft affects primarily those who have not enabled multi-factor authentication (MFA). MFA has time and again been referred to as one of the simplest and most effective security solutions. In this case, it prevented attackers from using stolen credentials to access devices and networks. The attack progressed for all organizations which had not enabled MFA. Microsoft remarked that having MFA enabled on new devices or for Office 365 applications helped disrupt the second phase of the phishing campaign.
How to Defend Against the Phishing Campaign – Do’s and Don’ts
In times when phishing attacks randomly target almost anyone and everyone, it is essential to know how to stop phishing emails. Considering this latest phishing campaign, Microsoft forwarded a few do’s and don’ts for users:
- Microsoft recommends using Microsoft 365 Defender, which ensures email phishing protection across domains. Microsoft Defender’s cross-domain visibility aids in the identification of the current phishing campaign involving inbox rules, unauthorized device registration and attack propagation.
- Microsoft recommends that users implement its new Conditional Access control, which mandates MFA to register devices. Organizations must switch to multi-factor authentication, especially when connecting devices to Azure AD.
- Organizations should not use basic authentication (which relies only on the username and password), a highly vulnerable security measure.
- Microsoft 365 global admins should not allow end-users to connect to Exchange Online PowerShell. They can do so by using a list of specific users.
The latest phishing campaign that Microsoft reported goes beyond traditional phishing emails, which pose emergencies before recipients or send them malicious attachments and URLs. It was a multi-layered and well-thought-out attack scheme that exploited a very common technicality – the BYOD culture in organizations. Adversaries used it along with inbox rule creation to attack an organization and its associates. Apart from highlighting the never-ending creative spirit of the adversaries, this incident also emphasizes the significance of multi-factor authentication as an anti-phishing solution.