Researchers from Microsoft have discovered a massive phishing campaign that targeted thousands of businesses and used a straightforward but highly efficient technique to steal users’ passwords and session cookies in order to take control of their Office 365 accounts and attempt to run business email compromise schemes from those accounts.
The effort started in September 2021, and over the following several months the unidentified attackers behind it attempted to target as many as 10,000 organizations. Typically, the phishing emails carried an HTML attachment disguised as a voice memo. When a victim opened the attachment, their browser was sent to a redirector site before landing on a bogus Microsoft login page. The attackers built these pages with the well-known Evilginx2 phishing toolkit. Once victims submitted their credentials, the phishing site forwarded them to their own organization’s real Office 365 site.
During that authentication procedure, however, the attackers’ website sat as a proxy between the victim and the real site, collecting both the password and the session cookie. If MFA was enabled on the victim’s account, the phishing site proxied the additional authentication step as well, so the resulting session cookie is recognized as MFA-authenticated. When the attacker later uses the stolen cookie to access the account, no further MFA prompt is required. The attacker therefore bypasses MFA on the compromised accounts without exploiting any flaw in the MFA system itself.
The phishing page establishes two separate Transport Layer Security (TLS) sessions: one with the target and the other with the real website the target wishes to access. Because of these two sessions, the phishing page effectively acts as an adversary-in-the-middle (AiTM) agent, intercepting the entire authentication process and harvesting vital information from the HTTP requests, including passwords and, more significantly, session cookies. According to the Microsoft investigation, once the attacker holds the session cookie they can inject it into their own browser and skip the authentication process entirely, even if the target has MFA enabled.
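The defender’s counterpart to the cookie replay described above is to notice when a session minted by one interactive MFA sign-in reappears from a different network without a new MFA prompt. The following detector is an added example, not code from Microsoft or from the article; the sign-in record format and the sample records are constructed for illustration and do not reflect any real log schema.

```python
"""Detect a session cookie being replayed from a second network location.

Added example, not from the Microsoft report. The record layout below is a
constructed simplification: each sign-in event carries a timestamp, user,
session id (tied to the cookie), source IP, source ASN and whether the
request answered a fresh interactive MFA challenge.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    # Legitimate interactive sign-in with MFA from the corporate network.
    {"ts": "2021-09-14T09:02:11Z", "user": "alice@example.com", "session_id": "sess-A1",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa_prompted": True},
    # Same session continues from the same network: fine.
    {"ts": "2021-09-14T09:40:00Z", "user": "alice@example.com", "session_id": "sess-A1",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa_prompted": False},
    # Same session id reused from another ASN with no MFA prompt: cookie replay.
    {"ts": "2021-09-14T10:01:30Z", "user": "alice@example.com", "session_id": "sess-A1",
     "ip": "198.51.100.77", "asn": "AS64511", "mfa_prompted": False},
    # Unrelated user, single network: fine.
    {"ts": "2021-09-14T11:00:00Z", "user": "bob@example.com", "session_id": "sess-B7",
     "ip": "203.0.113.22", "asn": "AS64500", "mfa_prompted": True},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(records, window=timedelta(hours=2)):
    """Return one alert per session that is reused from a different ASN.

    The session's first event is where it was minted (the interactive sign-in).
    A later event on the same session id from another ASN, with no new MFA
    prompt, inside `window` is the replay signature: the attacker never
    re-authenticates, they simply present the stolen cookie.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        origin = events[0]
        origin_ts = parse_ts(origin["ts"])
        for later in events[1:]:
            elapsed = parse_ts(later["ts"]) - origin_ts
            if (later["asn"] != origin["asn"]
                    and not later["mfa_prompted"]
                    and elapsed <= window):
                alerts.append({
                    "user": later["user"],
                    "session_id": sid,
                    "origin_ip": origin["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after_auth": int(elapsed.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_SIGNINS):
        print(alert)
```

In production the ASN comparison is a stand-in for whatever location or device signal the identity provider exposes; the point is that the replayed cookie arrives from somewhere the original MFA challenge never saw, which a conditional-access policy bound to device compliance or a compliant network can also refuse outright.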
The organization’s Azure Active Directory (Azure AD) sign-in page, generally login.microsoftonline.com, was proxied by the phishing site. The landing page of the phishing site had the same branding components if the company had set up Azure AD to include their branding.
Although phishing operations that mimic legitimate login windows are very widespread, many of them are simple to spot and avoid. When a proxy relays requests and responses between the victim and the target service, it is much harder for victims to understand what is going on, because all of the malicious activity takes place in the background and out of sight. Things only got worse once the attackers gained access to a victim’s inbox. They used the compromised accounts as the foundation for payment fraud operations, a strategy that has recently gained popularity among several cybercrime groups. It makes malicious messages appear legitimate by replying to existing email conversations that already discuss payments.
“In the days that followed the cookie theft, the attacker periodically browsed emails and file attachments with a financial theme. Additionally, they looked for ongoing email conversations where payment fraud would be possible. In order to remove evidence of their initial access, the attacker also erased the original phishing email from the compromised account’s Inbox folder,” according to Microsoft.
“These actions indicate that the attacker made an effort to manually carry out payment fraud. They carried out the aforementioned actions while utilizing the hacked account’s stolen session cookie by using Outlook Web Access (OWA) on a Chrome browser.”
To hide their tracks, the attackers took a number of steps, such as setting up rules to move all emails from a payment fraud target’s domain to the archive folder and label them as read, removing pertinent emails from the sent folder, and deleting the targets’ communications.
“On one occasion, the attacker used the same hacked mailbox to carry out several simultaneous fraud attempts. The attacker changed the Inbox rule they developed to add the organization domains of new targets each time they discovered a new fraud target,” according to Microsoft.
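The inbox rules described in the two preceding paragraphs (move everything from a target domain to the archive and mark it read, then edit the rule to add more domains) leave a trace in the mailbox audit records, and that trace is a practical hunting signal. The detector below is an added example, not code from Microsoft or from the article; the audit record shape and the sample events are constructed simplifications rather than any real audit-log schema.

```python
"""Flag inbox rule changes that match the evasion pattern in the campaign.

Added example, not from the Microsoft report. Each event is a constructed
simplification of a mailbox audit entry for a rule creation or edit: the
operation name, the mailbox owner, the rule name, the sender domains the
rule filters on, and the actions it applies.
"""

# Folders an attacker uses to park mail the owner should not notice
# (assumption for this example, not a list from the article).
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss feeds"}

# Constructed sample audit records (not real log data).
SAMPLE_RULE_EVENTS = [
    # A benign filing rule: moves a newsletter to a visible folder.
    {"ts": "2021-10-02T08:15:00Z", "op": "New-InboxRule", "user": "alice@example.com",
     "rule": "Newsletters", "from_domains": ["news.example.org"],
     "actions": {"MoveToFolder": "Newsletters"}},
    # Hides all mail from a payment-fraud target: archive and mark as read.
    {"ts": "2021-10-05T13:42:10Z", "op": "New-InboxRule", "user": "alice@example.com",
     "rule": ".", "from_domains": ["supplier-one.example"],
     "actions": {"MoveToFolder": "Archive", "MarkAsRead": True}},
    # The same rule edited later to add a second target's domain.
    {"ts": "2021-10-07T09:03:55Z", "op": "Set-InboxRule", "user": "alice@example.com",
     "rule": ".", "from_domains": ["supplier-one.example", "supplier-two.example"],
     "actions": {"MoveToFolder": "Archive", "MarkAsRead": True}},
]


def find_evasion_rules(events):
    """Return one alert per rule event that hides or deletes a sender domain's mail.

    Two patterns are reported: a rule that archives and marks read all mail
    from a target domain, and later edits to that rule that add more domains.
    Events are processed in timestamp order so an edit can be compared with
    the domains the same rule carried before.
    """
    alerts = []
    previous_domains = {}  # (user, rule name) -> domains seen on the last flagged event
    for ev in sorted(events, key=lambda e: e["ts"]):  # fixed-width ISO strings sort correctly
        actions = ev["actions"]
        hides = (actions.get("MoveToFolder", "").lower() in HIDING_FOLDERS
                 and bool(actions.get("MarkAsRead")))
        deletes = bool(actions.get("Delete"))
        if not ev["from_domains"] or not (hides or deletes):
            continue

        key = (ev["user"], ev["rule"])
        seen = set(previous_domains.get(key, []))
        added = [d for d in ev["from_domains"] if d not in seen]
        reasons = ["archives and marks read" if hides else "deletes"]
        if ev["op"] == "Set-InboxRule" and seen and added:
            reasons.append("rule edited to add domains: " + ", ".join(added))

        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "rule": ev["rule"],
            "domains": list(ev["from_domains"]),
            "reasons": reasons,
        })
        previous_domains[key] = list(ev["from_domains"])
    return alerts


if __name__ == "__main__":
    for alert in find_evasion_rules(SAMPLE_RULE_EVENTS):
        print(alert)
```

Because the attacker operated through OWA with the replayed cookie, the rule changes are attributed to the victim’s own account; correlating a flagged rule with the session-replay signal from the sign-in logs, rather than treating either alone, is what separates this from an employee tidying their mailbox.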
That is all about “Microsoft Exposes Massive Phishing Campaign”; for more informative content, visit techballad.com.