Microsoft has revealed the details of a multi-phase, large-scale phishing effort that leverages stolen credentials to register devices on a victim’s network in order to spread spam emails and expand the infection pool.
The attacks were carried out using accounts that did not use multi-factor authentication (MFA), allowing the attacker to take advantage of the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the stolen credentials.
The attacks were carried out in two stages. At a technical study released this week, the Microsoft 365 Defender Threat Intelligence Team stated, “The first campaign phase targeted stealing credentials in target firms located mostly in Australia, Singapore, Indonesia, and Thailand.”
“In the second phase, attackers utilised stolen credentials to expand their footing within the company via lateral phishing as well as beyond the network via outbound spam,” says the report.
Users were sent a DocuSign-branded phishing bait with a link that, when clicked, took them to a rogue website impersonating the Office 365 login page, allowing the attackers to steal their credentials.
The hack of over 100 mailboxes across several firms was made possible by the credential theft, which also allowed the attackers to establish an inbox rule to avoid detection. The malicious messages were subsequently propagated by a second attack wave that took advantage of the lack of MFA protections by enrolling an unmanaged Windows device in the company’s Azure Active Directory (AD) instance and exploiting the lack of MFA protections.
The unique technique made it possible for the attackers to expand their footing, secretly disseminate the attack, and move laterally throughout the targeted network by connecting the attacker-controlled device to the network.
“To launch the second wave,” Microsoft added, “the attackers used the compromised mailbox of the targeted user to send malicious messages to over 8,500 users both inside and outside the victim company.” “In an attempt to persuade recipients that the ‘Payment.pdf’ file being shared was authentic, the emails employed a SharePoint sharing invitation enticement as the message body.”
The development approaches as email-based social engineering attacks remain the most common way for attackers to acquire initial access to a company’s network and drop malware on infected workstations.
Earlier this month, Netskope Threat Labs revealed a malicious campaign ascribed to the OceanLotus group that used non-standard file types such web archive file (.MHT) attachments to spread information-stealing malware, bypassing signature-based detections.
Implementing best practises such as strong credential hygiene and network segmentation, in addition to turning on MFA, can “raise the ‘cost’ to attackers seeking to spread via the network.”
“These recommended practises can limit an attacker’s ability to move laterally and compromise assets after an initial intrusion,” Microsoft stated. “They should be supplemented with advanced security solutions that give visibility across domains and coordinate threat data among protection components.”
