Microsoft has revealed the specifics of a large-scale, multi-phase phishing effort that leverages stolen credentials to register devices on a victim’s network, allowing spam emails to spread further and the infection pool to grow. The company revealed that the attacks were carried out through accounts that were not secured with multi-factor authentication (MFA), allowing the adversary to abuse the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the stolen credentials.
The attacks were carried out in two parts. “The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand,” as stated by the Microsoft 365 Defender Threat Intelligence Team. “Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.”
Users were sent a DocuSign-branded phishing lure with a link that, when clicked, took them to a fraudulent website impersonating the Office 365 login page, allowing the attackers to steal their credentials. The credential theft led to the compromise of over 100 mailboxes across several firms, after which the attackers created an inbox rule to avoid detection. The malicious messages were subsequently propagated by a second attack wave that exploited the lack of MFA safeguards by enrolling an unmanaged Windows device in the company’s Azure Active Directory (AD) instance.
The unique approach allowed the attackers to expand their footing, secretly disseminate the attack, and move laterally throughout the targeted network by linking the attacker-controlled device to the network.
“To launch the second wave, the attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization,” Microsoft stated. In an effort to persuade recipients that the ‘Payment.pdf’ file being shared was authentic, the emails employed a SharePoint sharing invitation bait as the message body.
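The two footholds described above, an inbox rule created to hide mail and a device registered by a freshly phished account without MFA, both leave audit traces a defender can triage. The following is an added example and not code from Microsoft or the original article; it works over constructed, simplified event records (the field names and folder list are assumptions, not the real Microsoft 365 audit schema) and flags rules that delete, hide or externally forward mail, and device registrations that were unmanaged, MFA-less, or tied to a user already seen in the phishing wave.

```python
"""Triage helper for hide-mail inbox rules and suspicious device registrations.

Added example; event shapes below are constructed and simplified, not the
real Microsoft 365 audit log format.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Folders that "clean-up" rules are typically pointed at to bury replies.
# Assumed list for this example, not an official reference.
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "rss feeds", "junk email", "archive"}


@dataclass
class InboxRuleEvent:
    """One New-InboxRule-style record, reduced to the fields that matter here."""
    user: str
    rule_name: str
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_as_read: bool = False


@dataclass
class DeviceRegistrationEvent:
    """One device-join record: who registered what, and under which conditions."""
    user: str
    device_name: str
    mfa_satisfied: bool
    managed: bool


def rule_findings(ev: InboxRuleEvent, internal_domain: str) -> List[str]:
    """Return reasons an inbox rule looks like an evasion rule (empty if benign)."""
    reasons = []
    if ev.delete_message:
        reasons.append("deletes matching messages")
    if ev.move_to_folder and ev.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages to '{ev.move_to_folder}'")
    external = [a for a in ev.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        reasons.append("forwards to external: " + ", ".join(external))
    # Marking as read on its own is harmless; combined with hiding it is a classic tell.
    if ev.mark_as_read and reasons:
        reasons.append("also marks as read")
    return reasons


def device_findings(ev: DeviceRegistrationEvent, phished_users: Set[str]) -> List[str]:
    """Return reasons a device registration deserves review (empty if benign)."""
    reasons = []
    if not ev.mfa_satisfied:
        reasons.append("registered without MFA")
    if not ev.managed:
        reasons.append("device is unmanaged")
    if ev.user.lower() in phished_users:
        reasons.append("user received phishing lure")
    return reasons


def triage(rule_events: List[InboxRuleEvent],
           device_events: List[DeviceRegistrationEvent],
           internal_domain: str,
           phished_users: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Collect (user, artefact, reasons) for every event that raised at least one flag."""
    findings = []
    for ev in rule_events:
        reasons = rule_findings(ev, internal_domain)
        if reasons:
            findings.append((ev.user, f"inbox rule '{ev.rule_name}'", reasons))
    for ev in device_events:
        reasons = device_findings(ev, phished_users)
        if reasons:
            findings.append((ev.user, f"device '{ev.device_name}'", reasons))
    return findings


# Constructed sample events for this example.
SAMPLE_RULES = [
    InboxRuleEvent("alice@example.com", "Clean up", delete_message=True, mark_as_read=True),
    InboxRuleEvent("bob@example.com", "Newsletters", move_to_folder="Newsletters"),
    InboxRuleEvent("carol@example.com", "fwd", forward_to=["drop@mail.invalid"]),
]
SAMPLE_DEVICES = [
    DeviceRegistrationEvent("alice@example.com", "DESKTOP-1234", mfa_satisfied=False, managed=False),
    DeviceRegistrationEvent("dave@example.com", "LAPTOP-IT", mfa_satisfied=True, managed=True),
]
PHISHED = {"alice@example.com"}  # users seen in the first-wave lure, constructed

if __name__ == "__main__":
    for user, artefact, reasons in triage(SAMPLE_RULES, SAMPLE_DEVICES, "example.com", PHISHED):
        print(f"{user}: {artefact}: {'; '.join(reasons)}")
```

Correlating the two event types by user is the useful step: a hide rule alone is noisy, but a hide rule followed by an MFA-less device registration from the same freshly phished account matches the chain this campaign used and is worth an immediate session revocation and device review.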
The disclosure comes as email-based social engineering attacks remain the most common way for attackers to acquire initial access to a company’s network and install malware on compromised devices. Recently, Netskope Threat Labs revealed a malicious campaign attributed to the OceanLotus group that used non-standard file formats such as web archive file (.MHT) attachments to spread information-stealing malware, bypassing signature-based detections.
In addition to enabling MFA, implementing best practices like strong credential hygiene and network segmentation might raise the ‘cost’ to attackers attempting to spread malware throughout the network. Microsoft explained that these best practices could limit an attacker’s ability to move laterally and compromise assets after an initial intrusion. They should be supplemented with advanced security solutions that provide visibility throughout domains and synchronize threat data across protection components.