Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication (MFA).
“The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets,” the company’s cybersecurity teams reported.
The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the adversary deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information.
“The phishing page has two different Transport Layer Security (TLS) sessions — one with the target and another with the actual website the target wants to access,” the company explained.
These sessions mean that the phishing page practically functions as an AitM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies.”
Armed with this information, the attackers injected the cookies into their own browsers to circumvent the authentication process, even in scenarios where the victim had enabled MFA protections.
The phishing campaign spotted by Microsoft was orchestrated to single out Office 365 users by spoofing the Office online authentication page, with the actors using the Evilginx2 phishing kit for carrying out the AitM attacks.
This involved sending email messages containing voice message-themed lures that were marked with high importance, tricking the recipients into opening malware-laced HTML attachments that redirected to the credential-stealing landing pages.
To complete the ruse, the users were eventually redirected to the legitimate office[.]com website post-authentication, but not before the attackers leveraged the aforementioned AitM approach to siphon the session cookies and obtain control over the compromised account.
The attacks didn’t end there, for the threat actors abused their mailbox access to perform payment fraud by using a technique called email thread hijacking to dupe parties on the other end of the conversation to illicitly wire funds to accounts under their control.
To further mask their communications with the fraud target, the threat actors also created mailbox rules that automatically moved every incoming email containing the relevant domain name to the “Archive” folder and marked it as “read.”