Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim’s network to further propagate spam emails and widen the infection pool.
The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
The attacks took place in two stages. “The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand,” Microsoft 365 Defender Threat Intelligence Team said in a technical report published this week.
“Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.”
The campaign started with users receiving a DocuSign-branded phishing lure containing a link, which, upon clicking, redirected the recipient to a rogue website masquerading as the login page for Office 365 to steal the credentials.
The credential theft not only resulted in the compromise of over 100 mailboxes across different companies, but also enabled the attackers to implement an inbox rule to thwart detection. This was then followed by a second attack wave that abused the lack of MFA protections to enroll an unmanaged Windows device to the company’s Azure Active Directory (AD) instance and spread the malicious messages.
By connecting the attacker-controlled device to the network, the novel technique made it viable to expand the attackers’ foothold, covertly proliferate the attack, and move laterally throughout the targeted network.
“To launch the second wave, the attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization,” Microsoft said. “The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the ‘Payment.pdf’ file being shared was legitimate.”
The development comes as email-based social engineering attacks continue to be the most dominant means for attacking enterprises to gain initial entry and drop malware on compromised systems.
Earlier this month, Netskope Threat Labs disclosed a malicious campaign attributed to the OceanLotus group that bypassed signature-based detections by using non-standard file types such as web archive file (.MHT) attachments to deploy information-stealing malware.
In addition to turning on MFA, implementing best practices such as good credential hygiene and network segmentation can “increase the ‘cost’ to attackers trying to propagate through the network.”
“These best practices can limit an attacker’s ability to move laterally and compromise assets after initial intrusion and should be complemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components,” Microsoft added.