Microsoft Details Large-Scale Phishing Campaign

Microsoft has alerted users to a widespread phishing campaign that has targeted over 10,000 firms in order to carry out follow-on business email compromise (BEC).

To carry out the campaign, the attackers have been using adversary-in-the-middle (AiTM) phishing websites to collect user information and hijack sign-in sessions, getting around authentication even when multifactor authentication (MFA) is enabled.

In the AiTM phishing technique, the attackers place a proxy web server between the user and the website they are trying to sign in to. This lets them intercept the user’s login information and the session cookie, which is what allows the user to stay authenticated to the site.

To intercept the authentication process and obtain the targeted sensitive information, the phishing page uses two separate TLS sessions, one with the user and the other with the site the user is attempting to access.

Even if the target’s MFA is enabled, the attacker can bypass the authentication procedure once they have the session cookie, according to Microsoft.

Since September 2021, attacks that spoof the Office online authentication page have targeted Office 365 customers at over 10,000 companies.

In one attack, the threat actor sent several employees at various firms emails with an HTML file attachment, falsely stating that the addressee had a voicemail.

When the HTML file was opened, it loaded in the user’s browser and displayed a phony download progress bar.

Instead of downloading anything, the victim was redirected to a phishing site where the recipient’s email address was already filled in in the sign-in box, which improved the social engineering lure and prevented anti-phishing solutions from accessing the website.

The web server proxied the target organization’s Azure Active Directory (Azure AD) sign-in page, including the target company’s logo where necessary.

“The target was sent to the official website once they provided their credentials and were authorized. The attacker, however, secretly obtained the aforementioned credentials and obtained authentication on the user’s behalf. As a result, the attacker was able to carry out further operations—in this case, payment fraud—from within the company,” according to Microsoft.

Activities involving subsequent payment fraud often began five minutes following the theft of credentials. The attackers accessed Outlook online using the stolen session cookie (

Days after the initial penetration, the adversary would access emails and file attachments relating to money and look for email threads that would provide them the opportunity to commit BEC fraud. Additionally, they removed the victim’s original phishing email from their inbox.

“These actions indicate that the attacker made an effort to manually carry out payment fraud. They carried out the aforementioned actions while utilizing the hacked account’s stolen session cookie, which they did by using Outlook Web Access (OWA) on a Chrome browser,” according to Microsoft.

After finding an email thread that was pertinent to their operations, the threat actor would create a rule to move emails from the BEC scam target to the archive folder, keeping the mailbox owner from becoming aware of the fraudulent behavior.

The adversary then replied to an email thread about payments and periodically checked for responses from the recipient. Attackers sometimes kept in touch with their target for days at a time.

“On one occasion, the attacker used the same hacked mailbox to carry out several simultaneous fraud attempts. The attacker changed the Inbox rule they made to add the organization domains of new targets each time they discovered a new fraud target,” according to Microsoft.
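The inbox-rule behavior described above leaves a trail that defenders can hunt for in mailbox audit data. The following Python is an added example, not code from Microsoft or from this article; the event schema, field names, and sample events are constructed for illustration and do not mirror a real audit log format.

```python
from datetime import datetime

# Constructed sample events in a hypothetical normalized schema
# (not a real Microsoft audit log format).
EVENTS = [
    {"time": "2022-07-12T09:00:00", "user": "alice@corp.example", "op": "SignIn"},
    {"time": "2022-07-12T09:05:00", "user": "alice@corp.example", "op": "MailRead"},
    {"time": "2022-07-12T09:40:00", "user": "alice@corp.example", "op": "NewInboxRule",
     "rule": "r1", "move_to": "Archive", "from_domains": ["supplier.example"]},
    {"time": "2022-07-13T10:00:00", "user": "alice@corp.example", "op": "SetInboxRule",
     "rule": "r1", "move_to": "Archive",
     "from_domains": ["supplier.example", "vendor.example"]},
    {"time": "2022-07-12T11:00:00", "user": "bob@corp.example", "op": "SignIn"},
    {"time": "2022-07-12T11:30:00", "user": "bob@corp.example", "op": "NewInboxRule",
     "rule": "r9", "move_to": "Newsletters", "from_domains": ["news.example"]},
]

HIDING_FOLDERS = {"archive"}  # folder the article says the rule moved mail into


def find_hiding_rules(events):
    """Flag inbox rules that move mail from sender domains into Archive,
    and record sender domains that later edits add to the same rule."""
    last_signin, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["op"] == "SignIn":
            last_signin[user] = ts
            continue
        if ev["op"] not in ("NewInboxRule", "SetInboxRule"):
            continue
        domains = set(ev.get("from_domains", []))
        if ev.get("move_to", "").lower() not in HIDING_FOLDERS or not domains:
            continue
        f = findings.setdefault((user, ev["rule"]), {
            "user": user, "rule": ev["rule"], "domains": set(),
            "domains_added_later": set(), "minutes_after_signin": None})
        if f["domains"]:  # rule already flagged: new domains came from an edit
            f["domains_added_later"] |= domains - f["domains"]
        elif user in last_signin:
            f["minutes_after_signin"] = (ts - last_signin[user]).total_seconds() / 60
        f["domains"] |= domains
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_hiding_rules(EVENTS):
        print(finding)
```

A rule that keeps gaining sender domains matches the pattern Microsoft describes, where the attacker extended one rule for each new fraud target.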

About Mark B

Hey Folks! This is Mark and I work as a Content Writer for Techballad. I am flexible to work on different niches. I've got 3 years' experience of content writing and I aspire to make my future in the same.