  • Beware: Microsoft email users, even with MFA on, are unsafe from this new phishing attack

    Karlston

    • 437 views
    • 3 minutes

    Microsoft email service users need to be careful out there. Zscaler, a cybersecurity research firm, has discovered a new, ongoing phishing campaign targeting Microsoft email users. According to its findings, corporate users are under attack, and the campaign uses an adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication (MFA).


    The AiTM technique, as the name suggests, places an adversary in the middle to intercept the authentication process between the client and the server and steal the credentials exchanged, which means the MFA information is stolen as well. Basically, the adversary in the middle acts as the server to the real client and as the client to the real server. The image below, ironically from Microsoft itself, shows how AiTM works:

    [Image: AiTM attack mechanism (source: Microsoft)]

    The analysis of this phishing campaign was done by Zscaler's ThreatLabz, which has summarized the attack in the following key points:

    Key points


    • Corporate users of Microsoft's email services are the main targets of this large-scale phishing campaign.
    • All these phishing attacks begin with an email sent to the victim with a malicious link.
    • The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
    • In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
    • Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
    • A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
    • Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
    • Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
    • Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.


    Zscaler also notes some attacker-registered domains which were typo-squatted versions of legitimate Federal Credit Unions in the US:


    Attacker-registered domain    Legit Federal Credit Union domain
    crossvalleyfcv[.]org          crossvalleyfcu[.]org
    triboro-fcv[.]org             triboro-fcu[.]org
    cityfederalcv[.]com           cityfederalcu[.]com
    portconnfcuu[.]com            portconnfcu[.]com
    oufcv[.]com                   oufcu[.]com
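    The table above is the kind of input a defender would feed into lookalike-domain monitoring. As an added example (not code from the article or from Zscaler), the following Python script refangs the "[.]" notation and flags any domain within one edit of a known legitimate domain; the sample lists are constructed from the table, and the edit-distance threshold of 1 is an assumption chosen to match the single-character swaps and doubled letters shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample input: legitimate credit-union domains and the
# lookalikes reported in the article, in the same defanged "[.]" form.
LEGIT_DOMAINS = [
    "crossvalleyfcu[.]org", "triboro-fcu[.]org", "cityfederalcu[.]com",
    "portconnfcu[.]com", "oufcu[.]com",
]
CANDIDATES = [
    "crossvalleyfcv[.]org", "triboro-fcv[.]org", "cityfederalcv[.]com",
    "portconnfcuu[.]com", "oufcv[.]com", "example[.]com",  # last one is benign
]

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into 'a.b', lower-cased."""
    return re.sub(r"\[\.\]", ".", domain.strip().lower())

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the rolling-row algorithm."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

@dataclass(frozen=True)
class Match:
    candidate: str      # the suspicious domain, refanged
    impersonates: str   # the legitimate domain it resembles
    distance: int       # edit distance between the two

def find_lookalikes(candidates, legit, max_distance=1):
    """Return every candidate/legit pair within max_distance edits.
    Assumption: an exact match is the legitimate domain itself, not a hit."""
    hits = []
    for cand in candidates:
        c = refang(cand)
        for known in legit:
            k = refang(known)
            d = levenshtein(c, k)
            if 0 < d <= max_distance:
                hits.append(Match(c, k, d))
    return hits

if __name__ == "__main__":
    for m in find_lookalikes(CANDIDATES, LEGIT_DOMAINS):
        print(f"{m.candidate:22} looks like {m.impersonates} (distance {m.distance})")
```

    In practice the candidate list would come from a newly-registered-domain feed and the legitimate list from the organisation's own brands, with a higher threshold or a homoglyph map added for longer names.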


    You can find more technical details in the official blog post on Zscaler's website here.
