Threat actors behind a large-scale phishing campaign stole passwords, hijacked a user’s sign-in session, and were able to circumvent the authentication process, Microsoft said.
The attackers used stolen credentials and cookies to access affected users’ mailboxes and perform business email compromise (BEC) campaigns.
Microsoft said that the phishing campaign that used adversary-in-the-middle (AiTM) sites attempted to target over 10,000 organizations since September 2021.
“These runs appear to be linked together and target Office 365 users by spoofing the Office online authentication page.”
In an AiTM phishing campaign, a threat actor attempts to obtain a user’s session cookie – proof for the web server that the user has already authenticated – so they can skip the authentication process entirely and act on the user’s behalf.
“The attacker deploys a web server that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around. This way, the phishing site is visually identical to the original website. The attacker also doesn’t need to craft their own phishing site like how it’s done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the actual one,” Microsoft explained.
Once the attacker intercepts the credentials and gets authenticated on the user’s behalf, they can perform follow-on activities, such as payment fraud, from within the organization.
The payment fraud was committed manually. The attacker accessed finance-related emails every few hours and deleted the original phishing email from the compromised inbox to hide their traces.
What is more, to stay off the radar, the attacker created an Inbox rule with the following logic to hide any future replies from the fraud target: “For every incoming email where the sender address contains [domain name of the fraud target], move the mail to ‘Archive’ folder and mark it as read.”
“Right after the rule was set, the attacker proceeded to reply to ongoing email threads related to payments and invoices between the target and employees from other organizations, as indicated in the created Inbox rule. The attacker then deleted their replies from the compromised account’s Sent Items and Deleted Items folders,” Microsoft said.
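One way a defender can hunt for the Inbox rule pattern described above, as an added example that is not Microsoft's code or anything from the campaign. It assumes rules were exported from Exchange Online as JSON with field names mirroring Get-InboxRule properties (Name, Enabled, FromAddressContainsWords, MoveToFolder, MarkAsRead, DeleteMessage); the sample records are constructed.

```python
"""Triage exported Inbox rules for the "hide replies from the fraud target" pattern.

Added example, not Microsoft's or the campaign's code. Field names are assumed to
mirror Exchange Online's Get-InboxRule output; the sample export below is constructed.
"""
import json

# Folders where a hidden reply would sit unnoticed by the mailbox owner.
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss feeds", "rss subscriptions"}


def is_hiding_rule(rule: dict) -> bool:
    """True if an enabled rule keys on the sender address and parks or deletes the mail."""
    if not rule.get("Enabled", True):
        return False
    sender_match = bool(rule.get("FromAddressContainsWords"))
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage", False)) or folder in HIDING_FOLDERS
    return sender_match and hides


def triage_rules(rules_json: str) -> list:
    """Return (rule name, sender terms, marked-as-read) for every rule worth reviewing."""
    flagged = []
    for rule in json.loads(rules_json):
        if is_hiding_rule(rule):
            flagged.append((rule["Name"],
                            list(rule.get("FromAddressContainsWords") or []),
                            bool(rule.get("MarkAsRead", False))))
    return flagged


# Constructed sample export: one benign rule and one matching the campaign's logic.
SAMPLE_RULES = json.dumps([
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@example.net"],
     "MoveToFolder": "Newsletters", "MarkAsRead": False, "DeleteMessage": False},
    {"Name": ".", "Enabled": True,
     "FromAddressContainsWords": ["fraud-target.example"],  # placeholder domain
     "MoveToFolder": "Archive", "MarkAsRead": True, "DeleteMessage": False},
])

if __name__ == "__main__":
    for name, terms, read in triage_rules(SAMPLE_RULES):
        print(f"review rule {name!r}: hides mail from {terms} (marked read: {read})")
```

A rule with a throwaway name such as "." plus move-to-Archive and mark-as-read is the exact shape the report describes, so such hits deserve manual review alongside sign-in and mailbox audit logs.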