If attackers are able to access an organization, they will launch a second wave of the campaign, which consists of sending more phishing emails to targets outside the organization as well as within.
Target areas
The Microsoft 365 Threat Intelligence Team has been tracking a malware campaign targeting organizations in Australia and Southeast Asia. To get hold of their targets’ credentials, the attackers sent out phishing emails that looked like they came from DocuSign. When users clicked the Review Document button, they were taken to a fake Office 365 login page already pre-filled with their usernames. On a compromised account, a mailbox rule created by the attackers automatically deletes messages containing certain words related to spam, phishing, junk, hacking, and password security, so the legitimate account user never sees the non-delivery reports and IT notification emails that might otherwise have tipped them off. The attackers then installed Microsoft Outlook on their own machine and connected it to the victim organization’s Azure Active Directory, possibly by accepting the prompt to register Outlook when it was first launched. Finally, once that machine was joined to the domain and the mail client was configured like that of any other regular user within the organization, the phishing emails sent from the compromised account (fake SharePoint invitations pointing again to a fake Office 365 login page) became far more persuasive.
How to bypass
The attackers relied on stolen credentials; however, several targeted users had multifactor authentication (MFA) enabled, which stopped the stolen passwords from being used. Organizations should enable multifactor authentication for all users and require it when joining devices to Azure AD, and should consider disabling Exchange Online PowerShell for end users, the team advised. Microsoft also shared threat hunting queries to help organizations check whether any of their users have been compromised by this campaign, and advised that defenders must also revoke active sessions and tokens associated with compromised accounts, delete mailbox rules created by the attackers, and disable and remove malicious devices joined to Azure AD.
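A defender-side check for the mailbox rule behaviour described above, added here as an example and not one of Microsoft's published hunting queries. It assumes inbox rules have been exported into a list of dictionaries using the Exchange Online property names (Name, Enabled, DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords, SubjectOrBodyContainsWords); the mailboxes and rules in the sample are constructed.

```python
# Keyword stems the article says the attackers' rule filtered on (spam, phishing,
# junk, hacking, password security). Stems also catch variants such as "phishing".
SUSPECT_TERMS = ("spam", "phish", "junk", "hack", "password")


def _words(rule, key):
    """Normalise a rule condition to a list; exports give a string or a list."""
    value = rule.get(key) or []
    return [value] if isinstance(value, str) else list(value)


def hides_mail(rule):
    """True if the rule makes matching mail vanish from the user's inbox view."""
    return bool(rule.get("DeleteMessage")) or bool(rule.get("MoveToFolder"))


def matched_terms(rule):
    """Suspect stems present in any of the rule's keyword conditions."""
    conditions = (_words(rule, "SubjectContainsWords")
                  + _words(rule, "BodyContainsWords")
                  + _words(rule, "SubjectOrBodyContainsWords"))
    found = {term for phrase in conditions
             for term in SUSPECT_TERMS if term in phrase.lower()}
    return sorted(found)


def suspicious_rules(rules):
    """Flag enabled rules that delete or move mail matching security keywords.

    Returns (mailbox, rule name, matched stems) so an analyst can remove the rule
    and then revoke the account's sessions, tokens and joined devices.
    """
    hits = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        terms = matched_terms(rule)
        if terms and hides_mail(rule):
            hits.append((rule.get("MailboxOwnerId", "?"), rule.get("Name", "?"), terms))
    return hits


# Constructed sample export (hypothetical mailboxes and rules, not real data).
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.test", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob@example.test", "Name": "Filter", "Enabled": True,
     "SubjectOrBodyContainsWords": ["hacked", "phishing", "junk", "password", "spam"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "bob@example.test", "Name": "Old IT filter", "Enabled": False,
     "SubjectContainsWords": "password reset", "DeleteMessage": True},
]

if __name__ == "__main__":
    for mailbox, name, terms in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} hides mail matching {terms}")
```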
Loopholes to look out for
Microsoft’s threat intelligence analysts recently flagged another phishing campaign that targeted hundreds of businesses, this one an attempt to trick employees into granting an app named “Upgrade” access to their Office 365 accounts. Attackers can also bypass Office 365 multi-factor authentication by using rogue applications, stealing authorization codes, or otherwise obtaining access tokens rather than stealing users’ credentials. Have you fallen victim to these attacks by hackers before? Share your experience with us in the comment section below.