Microsoft has identified a large-scale phishing campaign that targeted over 10,000 organizations since Sept. 2021 in a bid to steal large sums of money.
As Ars Technica reports, the campaign uses an adversary-in-the-middle (AiTM) technique to insert a proxy site between an employee's account and the work server they are trying to connect to. The attacker-controlled site is reached via an HTML attachment in a phishing email.
When the user unknowingly enters their credentials into the proxy site, it relays them to the real work server, completes the user authentication for Outlook online, then grabs the session cookie to ensure the authentication remains active and they can access the employee's email account.
According to a security blog post by the Microsoft 365 Defender Research Team, at least some of the targeted organizations were using multifactor authentication (MFA), but the type of MFA used wasn't good enough to stop the attacker from bypassing it and gaining access: "In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account."
Once access was established, the attacker used inbox rules to hide their activity while searching for as many co-workers and business partners as possible to contact. Emails were then sent asking for large sums of money to be wired to them under the guise of a legitimate and convincing payment demand (known as a business email compromise (BEC) campaign). Because the employees believe they are operating within a secure environment and receiving emails from known associates, the scam is very effective, especially when
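The two behaviours described above, a session cookie with an MFA claim being replayed from somewhere other than where it was issued, and a follow-on inbox rule created to hide the attacker's mail, both leave traces a defender can look for. The following is an added example written for this article, not code from Microsoft, PCMag or Ars Technica. It runs two simple heuristics over constructed sign-in and inbox-rule events (the field names and the sample records are assumptions made for the example, not a real log schema) and correlates them: a session presented from a different network and client than the one that satisfied MFA is flagged as a likely cookie replay, and any hiding-style inbox rule created under that session raises an alert.

```python
"""Heuristics for AiTM session-cookie replay and follow-on inbox rules.

Added example: field names and sample records are assumptions, not a
real sign-in or audit log schema.
"""
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry). "session" stands for
# the identifier bound to the authentication cookie.
SAMPLE_SIGNINS = [
    {"ts": "2021-09-14T08:02:10", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/93", "mfa": True},
    # Same cookie presented an hour later from another network and a scripted client.
    {"ts": "2021-09-14T09:11:42", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.55", "ua": "python-requests/2.26", "mfa": True},
    # Benign: a second user whose network and client stay consistent.
    {"ts": "2021-09-14T08:30:00", "user": "bob@example.test", "session": "S2",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/93", "mfa": True},
    {"ts": "2021-09-14T10:30:00", "user": "bob@example.test", "session": "S2",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/93", "mfa": True},
]

# Constructed inbox-rule creation events (not real audit records).
SAMPLE_RULE_EVENTS = [
    {"ts": "2021-09-14T09:15:03", "user": "alice@example.test", "session": "S1",
     "rule": {"name": ".", "conditions": ["subject_contains:invoice"],
              "actions": ["move_to:RSS Subscriptions", "mark_as_read"]}},
    {"ts": "2021-09-14T10:35:00", "user": "bob@example.test", "session": "S2",
     "rule": {"name": "Newsletters", "conditions": ["from:news@example.test"],
              "actions": ["move_to:Newsletters"]}},
]

# Actions and destination folders that keep mail out of the mailbox owner's sight.
HIDING_ACTIONS = {"delete", "mark_as_read"}
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}


def find_session_replays(events):
    """Return one finding per session whose cookie was presented from a
    different (ip, user agent) pair than the one that established it."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        origin = evs[0]
        for later in evs[1:]:
            if (later["ip"], later["ua"]) != (origin["ip"], origin["ua"]):
                findings.append({
                    "session": sid, "user": origin["user"],
                    "origin_ip": origin["ip"], "replay_ip": later["ip"],
                    "replay_ua": later["ua"], "replay_ts": later["ts"],
                    # An MFA claim on the cookie does not clear the session:
                    # the replay inherits the claim the victim satisfied.
                    "mfa_claim": origin["mfa"],
                })
                break  # one finding per session is enough for triage
    return findings


def is_hiding_rule(rule):
    """Heuristic: rules that delete, mark read, file mail into folders users
    rarely open, or carry a blank / punctuation-only name."""
    for action in rule["actions"]:
        if action in HIDING_ACTIONS:
            return True
        if action.startswith("move_to:"):
            folder = action.split(":", 1)[1].strip().lower()
            if folder in HIDING_FOLDERS:
                return True
    return rule["name"].strip(". ") == ""


def correlate(signins, rule_events):
    """Alert on hiding-style inbox rules created under a replayed session."""
    replays = {f["session"]: f for f in find_session_replays(signins)}
    alerts = []
    for r in rule_events:
        if r["session"] in replays and is_hiding_rule(r["rule"]):
            alerts.append({
                "user": r["user"], "session": r["session"],
                "rule_name": r["rule"]["name"],
                "replayed_from": replays[r["session"]]["replay_ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_SIGNINS, SAMPLE_RULE_EVENTS):
        print("ALERT", alert)
```

Run against the constructed samples, only Alice's session is flagged: the cookie was issued to a browser on one network and reused from a scripted client on another, and the rule created under it files invoice mail into RSS Subscriptions and marks it read. The point of recording `mfa_claim` in the finding is the one the Microsoft team makes: a cookie carrying an MFA claim is exactly what the proxy captures, so an MFA-satisfied session must not be treated as trusted on that basis alone.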
Read more on pcmag.com