Microsoft’s Defender Experts recently discovered a sophisticated multi-stage AiTM (adversary-in-the-middle) phishing and BEC (business email compromise) attack targeting numerous banking and financial services organizations. Read on to learn more about the latest email security threat.
Adversary-in-the-middle is an attack type in which malicious actors insert themselves between a victim and a genuine authentication service and intercept the authentication exchange in order to compromise the identity or perform other malicious activities.
Positioned between the user and the service, the adversary relays the victim's password and MFA (Multi-Factor Authentication) response to the legitimate service in real time, so the MFA challenge is satisfied, and captures the session cookie the service issues in return. Afterward, they replay that stolen session cookie to impersonate the user without ever being prompted for MFA themselves. This gives them access to the impacted user's applications and resources, from which they launch business email compromise and other nefarious activities.
Microsoft attributed the recent attack to a threat actor it tracks as Storm-1167. The actor achieved initial access by compromising a trusted vendor and then, rather than transparently relaying traffic to the real sign-in service, used an indirect proxy: an attacker-controlled server presented the phishing pages to targets and itself submitted the captured credentials to the legitimate authentication service, a report by Microsoft revealed.
The phishing emails the perpetrators sent contained a link that redirected victims to a fake Microsoft sign-in page. When users entered their credentials and completed MFA there, the attackers obtained a valid session cookie for the account and used it for replay attacks against the victims' mailboxes.
How Did Experts At Microsoft Detect And Contain The Attack?
Because Microsoft's experts actively research the latest BEC and AiTM techniques, they had built advanced hunting detections for the Microsoft Defender Experts service. Combining these detections with their analysis of abnormal user behavior and email activity, they caught the attack in its early stages.
They not only detected the attack but analyzed the complete attack chain, identified the impacted customers and quickly reached out to them. Because the intrusion later grew into a massive campaign, they also kept monitoring it for additional compromised accounts and for changes in the phishing pattern.
How Did The Email Attack Start?
The malicious actors ran a targeted phishing campaign against an employee of an organization that serves as a trusted vendor for many businesses. The lure was a URL leading to Canva, an online graphic design platform for creating posters, presentations and other graphics. The adversaries had designed their Canva page to look like a OneDrive document preview; clicking the image took victims to a spoofed Microsoft sign-in page and asked them to authenticate.
After compromising the vendor's email account, the threat actors harvested recipient addresses from its existing email threads and sent more than 16,000 similar Canva emails. According to Microsoft's report, the adversaries read and answered replies from recipients who questioned the message, to convince them it was genuine. They then deleted both the phishing emails and the replies from the mailbox to hide the activity from the account owner.
What Can Be The Consequences Of Such Attacks?
Multi-stage attacks that combine AiTM phishing with BEC are growing rapidly, much as software supply chain attacks have. According to the latest report by the FBI's Internet Crime Complaint Center (IC3), losses from BEC scams rose by 17% between December 2021 and December 2022. BEC attacks aim to trick recipients into initiating wire transfers, sending cryptocurrency, or disclosing private personal and financial information. Over the past decade the IC3 has recorded 277,918 BEC incidents, domestic and international, with exposed losses exceeding $50 billion.
As Microsoft notes, such attacks show how complex BEC and AiTM threats have become: they exploit genuine relationships between vendors, partner businesses and suppliers, with financial fraud as the end goal.
Ways To Protect Against Such Multi-Stage Attacks
Experts point out that although AiTM phishing is designed to defeat MFA, MFA remains essential against the far larger population of attacks that rely on a password alone. Following are some ways you can protect your organization against such email security threats:
- Phishing-resistant authentication: The standard response to an identity compromise is resetting the compromised user's password. In this attack, however, the attackers held a valid session cookie, so a password reset on its own would not have evicted them; the user's active sessions and refresh tokens have to be revoked as well. Even then, attackers who have already tampered with MFA, for example by registering their own authentication method, can sign back in, so the account's registered methods must be reviewed. Organizations should therefore work with their identity provider to implement MFA methods that cannot be replayed through a proxy. Microsoft customers can use Microsoft Authenticator, certificate-based authentication, and FIDO2 security keys; the latter two are phishing-resistant because the private key never leaves the device and the exchange is bound to the legitimate service, so a spoofed or proxied sign-in page cannot complete it.
- Advanced anti-phishing solutions: Businesses should invest in anti-phishing solutions that scan incoming email and monitor the websites users visit. Examples are web browsers that automatically identify and block malicious websites, including the ones the threat actors used in this phishing campaign, and mail security solutions that detect and block malicious links, emails and attachments.
- Conditional access policies: Organizations can implement conditional access policies that evaluate each sign-in against additional user and device signals, such as IP location, device compliance state and sign-in risk, and that block the request or demand fresh authentication when those signals do not match the user's norm.
- Continuous monitoring: Security teams should continuously hunt for anomalous or suspicious activity: sign-ins from unusual locations or ISPs, the use of anonymizer services, a session that appears from a new network shortly after MFA was completed, newly registered MFA methods, and bulk deletion of sent mail, which in this campaign concealed the attackers' replies.
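The monitoring items above, together with the MFA-tampering persistence step noted under phishing-resistant authentication, can be turned into concrete hunting logic. The Python below is an added example written for this article, not code from Microsoft or from the original post; the event fields, user names, IP addresses and the per-user baseline are constructed assumptions shaped like an identity provider's sign-in and audit logs. It flags (1) a session identifier reappearing from a different network than the sign-in that satisfied MFA, without a fresh MFA claim, which is the cookie-replay half of AiTM; (2) an MFA-satisfied sign-in from outside the user's baseline that hides behind an anonymizer, which is what an indirect proxy looks like, since the attacker's server performs the authentication itself; and (3) a new MFA method registered shortly after either alert.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: field names, users and addresses
# are assumptions shaped like identity-provider sign-in and audit records.
EVENTS = [
    # alice satisfies MFA from the corporate network...
    {"time": "2023-06-01T09:00:00", "type": "signin", "user": "alice@vendor.example",
     "session": "S1", "ip": "203.0.113.10", "asn": "AS64500 CorpNet", "country": "US",
     "mfa": True, "anonymizer": False},
    # ...and the same session cookie is replayed from a hosting provider abroad,
    # behind an anonymizer and without any MFA claim: the replay half of AiTM.
    {"time": "2023-06-01T09:07:00", "type": "signin", "user": "alice@vendor.example",
     "session": "S1", "ip": "198.51.100.77", "asn": "AS64501 HostingCo", "country": "NL",
     "mfa": False, "anonymizer": True},
    # Minutes later a new MFA method is registered from the attacker's address.
    {"time": "2023-06-01T09:12:00", "type": "audit", "user": "alice@vendor.example",
     "activity": "User registered security info", "ip": "198.51.100.77"},
    # carol: with an indirect proxy the attacker's own server performs the sign-in,
    # so even the MFA-satisfied sign-in originates from attacker infrastructure.
    {"time": "2023-06-01T09:30:00", "type": "signin", "user": "carol@vendor.example",
     "session": "S3", "ip": "198.51.100.78", "asn": "AS64501 HostingCo", "country": "NL",
     "mfa": True, "anonymizer": True},
    # bob: benign; his token is reused from the network he authenticated from.
    {"time": "2023-06-01T10:00:00", "type": "signin", "user": "bob@vendor.example",
     "session": "S2", "ip": "203.0.113.22", "asn": "AS64500 CorpNet", "country": "US",
     "mfa": True, "anonymizer": False},
    {"time": "2023-06-01T10:30:00", "type": "signin", "user": "bob@vendor.example",
     "session": "S2", "ip": "203.0.113.22", "asn": "AS64500 CorpNet", "country": "US",
     "mfa": False, "anonymizer": False},
    {"time": "2023-06-01T11:00:00", "type": "audit", "user": "bob@vendor.example",
     "activity": "User registered security info", "ip": "203.0.113.22"},
]

# (ASN, country) pairs each user was seen from in prior weeks (constructed).
BASELINE = {u: {("AS64500 CorpNet", "US")} for u in
            ("alice@vendor.example", "bob@vendor.example", "carol@vendor.example")}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_suspicious_signins(events, baseline, window=timedelta(hours=12)):
    """Flag (1) a session id reappearing from a different network than the
    sign-in that satisfied MFA, with no fresh MFA claim (cookie replay), and
    (2) an out-of-baseline sign-in routed through an anonymizer, which is how
    an indirect proxy authenticating on the victim's behalf looks to the IdP."""
    alerts, anchors = [], {}
    for ev in sorted(events, key=_ts):
        if ev["type"] != "signin":
            continue
        net, reasons = (ev["asn"], ev["country"]), []
        if net not in baseline.get(ev["user"], set()):
            reasons.append("network_outside_baseline")
        if ev["anonymizer"]:
            reasons.append("anonymizer")
        key = (ev["user"], ev["session"])
        origin = anchors.get(key)
        if origin is None:
            if ev["mfa"]:
                anchors[key] = ev  # the sign-in that minted this session
        elif (not ev["mfa"] and net != (origin["asn"], origin["country"])
              and _ts(ev) - _ts(origin) <= window):
            reasons.append("session_replayed_from_new_network")
        # A new network alone is ordinary travel; alert only on replay, or on an
        # out-of-baseline sign-in that also hides behind an anonymizer.
        if "session_replayed_from_new_network" in reasons or (
                "network_outside_baseline" in reasons and "anonymizer" in reasons):
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "time": ev["time"], "ip": ev["ip"], "reasons": reasons})
    return alerts


def detect_mfa_registration_after_alert(events, signin_alerts, window=timedelta(hours=1)):
    """Flag a new MFA method registered soon after a flagged sign-in by the same
    user: the persistence step the post describes as tampering with MFA."""
    flagged = {}
    for a in signin_alerts:
        flagged.setdefault(a["user"], []).append(datetime.fromisoformat(a["time"]))
    alerts = []
    for ev in events:
        if ev["type"] != "audit" or ev["activity"] != "User registered security info":
            continue
        if any(timedelta(0) <= _ts(ev) - t <= window for t in flagged.get(ev["user"], [])):
            alerts.append({"user": ev["user"], "time": ev["time"], "ip": ev["ip"],
                           "reason": "mfa_method_registered_after_suspicious_signin"})
    return alerts


def hunt(events, baseline=BASELINE):
    signins = detect_suspicious_signins(events, baseline)
    return {"suspicious_signins": signins,
            "mfa_persistence": detect_mfa_registration_after_alert(events, signins)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(EVENTS), indent=2))
```

Run directly, it prints the alerts as JSON: alice's replayed session and carol's proxied sign-in are flagged, alice's subsequent MFA registration is tied to her alert, and bob's ordinary token reuse and MFA enrolment produce nothing. The baseline comparison on its own would flag legitimate travel, which is why the detector only alerts on a replay or on an out-of-baseline sign-in that also uses an anonymizer. In a real tenant the same logic runs as a query over the sign-in and audit logs, and each alert should be followed by revoking the user's sessions and reviewing registered MFA methods, not by a password reset alone.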
The Storm-1167 BEC incident highlights the growing complexity of email attacks against businesses and the layered defenses they require. It also underscores why organizations need proactive threat hunting to uncover new tactics, techniques, and procedures (TTPs) before they cause damage.
The continuous evolution of these threats, such as this campaign's use of an indirect proxy, means organizations must remain as vigilant and proactive about their cybersecurity measures as Microsoft's experts were here.