Last Updated on 28/01/2022 by Nidhi Khandelwal
Microsoft has revealed the details of a large-scale, multi-phase phishing effort that leverages stolen credentials to register devices on a victim’s network, allowing spam emails to spread further and the infection pool to grow.
The attacks were carried out using accounts that were not secured with multi-factor authentication (MFA), allowing the adversary to take advantage of the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the stolen credentials, according to the tech giant.
Users were sent a DocuSign-branded phishing bait with a link that, when clicked, took them to a rogue website impersonating the Office 365 login page, allowing the attackers to steal their credentials.
The credential theft enabled the compromise of over 100 mailboxes across several firms and also allowed the attackers to create an inbox rule to avoid detection. A second attack wave then propagated the malicious messages further by enrolling an unmanaged Windows device in the company’s Azure Active Directory (AD) instance, taking advantage of the lack of MFA protections.
By connecting the attacker-controlled device to the network, this unusual technique let the attackers expand their foothold, quietly spread the attack, and move laterally across the targeted network.
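As an added illustration, not taken from Microsoft's report, the following defender-side correlation flags the chain described above: a password-only sign-in followed within a short window by an inbox-rule creation or a device registration by the same account. The events, field names and operation strings are a constructed, simplified schema, not a real audit export.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs) mirroring the article's chain:
# a sign-in without MFA, a new inbox rule, then a device registration.
SAMPLE_EVENTS = [
    {"time": "2022-01-10T08:02:00", "user": "alice@example.test",
     "op": "UserLoggedIn", "mfa": False},
    {"time": "2022-01-10T08:05:00", "user": "alice@example.test",
     "op": "New-InboxRule", "mfa": None},
    {"time": "2022-01-10T09:40:00", "user": "alice@example.test",
     "op": "Add registered device", "mfa": None},
    {"time": "2022-01-10T10:00:00", "user": "bob@example.test",
     "op": "UserLoggedIn", "mfa": True},
    {"time": "2022-01-10T10:30:00", "user": "bob@example.test",
     "op": "Add registered device", "mfa": None},
    {"time": "2022-01-11T15:00:00", "user": "carol@example.test",
     "op": "UserLoggedIn", "mfa": False},
    {"time": "2022-01-13T15:00:00", "user": "carol@example.test",
     "op": "Add registered device", "mfa": None},
]

# Follow-up actions worth correlating with a password-only sign-in.
FOLLOW_UP_OPS = {"New-InboxRule", "Add registered device"}


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_chains(events, window_hours=24):
    """Return {user: [follow-up ops]} for accounts whose most recent sign-in
    without MFA was followed within the window by an inbox-rule creation or
    a device registration. A later MFA-backed sign-in clears the account."""
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: e["time"])
    last_nomfa = {}  # user -> time of most recent sign-in without MFA
    hits = {}
    for e in ordered:
        if e["op"] == "UserLoggedIn":
            if e["mfa"]:
                last_nomfa.pop(e["user"], None)  # MFA satisfied, reset
            else:
                last_nomfa[e["user"]] = parse(e["time"])
        elif e["op"] in FOLLOW_UP_OPS:
            t0 = last_nomfa.get(e["user"])
            if t0 is not None and parse(e["time"]) - t0 <= window:
                hits.setdefault(e["user"], []).append(e["op"])
    return hits
```

With the sample above, only alice is flagged at the default 24-hour window; bob signed in with MFA and carol's registration falls outside the window.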
The development comes as email-based social engineering attacks remain the most common way for attackers to acquire initial access to a company’s network and install malware on compromised systems.
Earlier this month, Netskope Threat Labs revealed a malicious campaign attributed to the OceanLotus group that used non-standard file types such as web archive file (.MHT) attachments to spread information-stealing malware, bypassing signature-based detections.