Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack, Microsoft has revealed.
“The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations,” the tech giant disclosed in a Thursday report.
Microsoft, which is tracking the cluster under its emerging moniker Storm-1167, called out the group’s use of indirect proxy to pull off the attack.
This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks.
The modus operandi is unlike other AitM campaigns where the decoy pages act as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.
“The attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service,” Microsoft said.
“The said sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim’s credentials.”
The attack chains commence with a phishing email that points to a link, which, when clicked, redirects a victim into visiting a spoofed Microsoft sign-in page and entering their credentials and TOTPs.
The harvested passwords and session cookies are then used to impersonate the user and gain unauthorized access to the email inbox by means of a replay attack. The access is then abused to get hold of sensitive emails and orchestrate a BEC attack.
What’s more, a new SMS-based two-factor authentication method is added to the target account in order to sign in using the pilfered credentials sans attracting any attention.
In the incident analyzed by Microsoft, the attacker is said to have initiated a mass spam campaign, sending more than 16,000 emails to the compromised user’s contacts, both within and outside of the organization, as well as distribution lists.
The adversary has also been observed taking steps to minimize detection and establish persistence by responding to incoming emails and subsequently taking steps to delete them from the mailbox.
Ultimately, the recipients of the phishing emails are targeted by a second AitM attack to steal their credentials and trigger yet another phishing campaign from the email inbox of one of the users whose account was hacked as a result of the AitM attack.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join the Session
“This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud,” the company added.
The development comes less than a month after Microsoft warned of a surge in BEC attacks and the evolving tactics employed by cybercriminals, including the use of platforms, like BulletProftLink, for creating industrial-scale malicious mail campaigns.
Another tactic entails the use of residential internet protocol (IP) addresses to make attack campaigns appear locally generated, the tech giant said.
“BEC threat actors then purchase IP addresses from residential IP services matching the victim’s location creating residential IP proxies which empower cybercriminals to mask their origin,” Redmond explained.
“Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks.”
