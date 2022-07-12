



Microsoft researchers have discovered a large phishing campaign targeting thousands of organizations that uses simple yet highly effective methods to steal user passwords and session cookies, hijack Office 365 accounts, and then attempt business email compromise (BEC) fraud from those accounts.

The campaign began in September 2021, and the unnamed attackers behind it attempted to target as many as 10,000 organizations in the following months. The phishing emails usually carried HTML attachments disguised as voice messages. When the victim opened the attachment, the browser was sent to a redirector site and eventually to a fake Microsoft login page. The attackers built that page with the well-known Evilginx2 phishing toolkit. Credentials entered on the phishing page were in fact passed through to the legitimate Office 365 sign-in site.

During the authentication process, however, the attacker’s site acted as a proxy between the victim and the legitimate site, capturing the password and the session cookie. If MFA is enabled on the victim’s account, the phishing site also proxies the additional authentication prompts, so the captured session cookie is already marked as having completed MFA; when the attacker later replays that cookie to access the victim’s account, no MFA challenge is raised. This lets an attacker bypass MFA on a compromised account. The technique does not exploit any vulnerability in the MFA system itself; it simply sidesteps it.

The phishing page maintains two separate Transport Layer Security (TLS) sessions: one with the target, and one with the real website the target wants to visit. With these two sessions the phishing page effectively acts as an adversary-in-the-middle (AiTM) proxy, intercepting the entire authentication process and extracting valuable data from the HTTP requests, such as passwords and, more importantly, session cookies. According to Microsoft’s analysis, an attacker who obtains the session cookie can load it into a browser and skip the authentication process entirely, even if the target has MFA enabled.

The phishing site proxied the target organization’s Azure Active Directory (Azure AD) sign-in page (typically login.microsoftonline.com). If the organization had configured Azure AD company branding, the phishing site’s landing page carried the same branding elements.

Phishing campaigns that spoof legitimate login screens are very common, but many of them are relatively easy to identify and avoid. When a proxy forwards the requests and responses between the victim and the target service, it is far harder for the victim to understand what is happening, because all of the malicious activity takes place in the background. Once the attackers gained access to a victim’s inbox, things got worse: they used the compromised accounts as the basis for payment-fraud operations, a tactic that has become a favorite of several cybercrime groups in recent years. Part of this tactic usually involves replying to an existing email thread about payments, which makes the malicious message look legitimate.

Starting the day after the cookie theft, the attackers accessed finance-related emails and attachments every few hours. They also searched for ongoing email threads in which payment fraud would be feasible. In addition, Microsoft said the attackers deleted the original phishing email from the inbox folder of the compromised account to hide traces of the initial access.

These activities suggest that the attackers carried out the payment fraud manually. They did so entirely in the cloud, using Outlook Web Access (OWA) in a Chrome browser and performing the activities above while using the stolen session cookie of the compromised account.

The attackers created inbox rules that moved all emails from the domains of their payment-fraud targets to the archive folder and marked them as read, deleted relevant emails from the sent-items folder, and deleted the targeted messages themselves, among other steps taken to cover their tracks.

At one point, the attackers ran multiple scams at the same time from the same compromised mailbox. According to Microsoft, each time the attackers found a new scam target, they updated the inbox rules of the compromised mailbox to include the organizational domains of the new targets.
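To show what the inbox-rule behaviour described above looks like from the defender’s side, here is an added Python example (it is not from Microsoft’s report or the original article) that scans mailbox audit records for rules that hide sender-scoped mail and for later edits that widen the rule’s sender list. The records are constructed for this example and only loosely follow the Operation plus Name/Value parameter layout of Exchange Online mailbox audit events; the mailbox names, IP addresses and domains are invented.

```python
import re
from collections import defaultdict

# Constructed sample records (invented for this example). The layout is an
# assumption modelled loosely on Exchange Online mailbox audit events.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2021-09-14T08:02:11", "UserId": "cfo@example.invalid",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "FromAddressContainsWords", "Value": "vendor-a.invalid"},
         {"Name": "MoveToFolder", "Value": "Archive"},
         {"Name": "MarkAsRead", "Value": "True"},
     ]},
    {"CreationTime": "2021-09-14T13:40:02", "UserId": "cfo@example.invalid",
     "Operation": "Set-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [
         {"Name": "Identity", "Value": "."},
         {"Name": "FromAddressContainsWords",
          "Value": "vendor-a.invalid;vendor-b.invalid"},
         {"Name": "MoveToFolder", "Value": "Archive"},
         {"Name": "MarkAsRead", "Value": "True"},
     ]},
    {"CreationTime": "2021-09-15T09:00:00", "UserId": "alice@example.invalid",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ]},
]

# Rule actions that hide mail from the mailbox owner, with the values that count.
HIDING_ACTIONS = {
    "MoveToFolder": {"archive", "deleted items", "junk email", "rss subscriptions"},
    "DeleteMessage": {"true"},
    "MarkAsRead": {"true"},
}
# Conditions that key a rule on the sender, as the campaign's domain-scoped rules did.
SENDER_CONDITIONS = ("From", "FromAddressContainsWords")


def rule_parameters(record):
    """Flatten the record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def sender_terms(params):
    """Split the sender condition(s) into individual addresses or domains."""
    terms = set()
    for key in SENDER_CONDITIONS:
        if key in params:
            terms.update(t.strip().lower()
                         for t in re.split(r"[;,]", params[key]) if t.strip())
    return terms


def analyze_inbox_rule_events(records):
    """Return findings for inbox-rule events that hide sender-scoped mail.

    A rule is flagged when it combines a sender condition with at least one
    hiding action. Sender terms are tracked per (mailbox, rule name) so that a
    later Set-InboxRule that widens the sender list is reported as an expansion.
    """
    seen_terms = defaultdict(set)
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rule_parameters(rec)
        name = params.get("Name") or params.get("Identity") or "<unnamed>"
        hiding = [k for k, ok in HIDING_ACTIONS.items()
                  if str(params.get(k, "")).lower() in ok]
        terms = sender_terms(params)
        key = (rec["UserId"], name)
        new_terms = terms - seen_terms[key]
        seen_terms[key] |= terms
        if not (hiding and terms):
            continue
        reasons = [f"hides sender-scoped mail via {', '.join(hiding)}"]
        if rec["Operation"] == "Set-InboxRule" and new_terms and seen_terms[key] != new_terms:
            reasons.append(f"sender list expanded by {', '.join(sorted(new_terms))}")
        if not name.strip(" ."):
            reasons.append("rule name is blank or punctuation only")
        findings.append({"time": rec["CreationTime"], "mailbox": rec["UserId"],
                         "rule": name, "client_ip": rec.get("ClientIP"),
                         "senders": sorted(terms), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_inbox_rule_events(SAMPLE_AUDIT_RECORDS):
        print(f"{f['time']} {f['mailbox']} rule={f['rule']!r} "
              f"from={f['client_ip']} senders={f['senders']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the script reports both events on the `cfo@` mailbox and ignores Alice’s ordinary newsletter rule; the second finding carries the “sender list expanded” reason, which is the pattern of the attackers adding each new target’s domain. The hiding-action list and the set of sender conditions are the tunable part; in practice the same check would be fed from the audit log export rather than the embedded sample.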

