Microsoft warns of multi-stage phishing campaign leveraging Azure AD


Microsoft’s threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on the target’s network and then uses those devices to distribute phishing emails.

As the report highlights, the attacks manifested only through accounts that didn’t have multi-factor authentication (MFA) protection, which made them easier to hijack.

The lures used for this purpose are DocuSign-themed emails that urge the recipient to review and sign the attached document.

DocuSign lure sent in the first wave of the attack (Source: Microsoft)

The embedded links take the victim to a phishing URL that imitates the Office 365 login page and pre-fills the victim’s username for added credibility.

The recipients of the second wave of emails are employees of the targeted firm and external targets such as contractors, suppliers, partners, etc.

Because these emails come from a trusted workspace, they aren’t flagged by security solutions and carry an intrinsic element of legitimacy that boosts the actors’ chances of success.

Phishing attack chain (Source: Microsoft)

A spam filter that wasn’t

Microsoft’s telemetry data indicates that the first phase of the attacks focused mainly on firms located in Australia, Singapore, Indonesia, and Thailand.

The actors attempted to compromise remote working employees, poorly protected managed service points, and other infrastructure that may operate outside strict security policies.

Microsoft’s analysts were able to spot the threat by detecting the anomalous creation of inbox rules, which the actors set up immediately after gaining control of a device that was part of the corporate network.


“Leveraging the Remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message,” the report details.

“The inbox rule allowed the attackers to avoid arousing the compromised users’ suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user.”

The investigation that followed revealed that over a hundred mailboxes in multiple organizations had been compromised with malicious mailbox rules named “Spam Filter”.
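One way a defender could hunt for the “Spam Filter” rule pattern described above, as an added example that is not from Microsoft’s report: it scores constructed Exchange admin audit records (the Operation/UserId/Parameters layout is assumed to follow the AuditData shape returned by Search-UnifiedAuditLog) and flags New-InboxRule entries that delete mail matching non-delivery or IT-notification keywords, or that carry a suspicious rule name.

```python
import json

# Constructed sample audit records (not real telemetry): they mimic the
# Operation/UserId/Parameters layout of Exchange Online admin audit entries
# for New-InboxRule, but every value below is made up for this example.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.test",
                "Parameters": [{"Name": "Name", "Value": "Spam Filter"},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "undeliverable;helpdesk;password"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.test",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example.test"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
]

# Keyword families the campaign suppressed: non-delivery reports and IT notices.
SUSPECT_WORDS = ("undeliverable", "delivery", "helpdesk", "it support",
                 "password", "security", "alert")
SUSPECT_NAMES = {"spam filter", "spam", ".", ",", ""}  # cover names and blanks


def rule_params(record):
    """Flatten the Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Return the reasons a New-InboxRule record matches the 'Spam Filter' pattern."""
    if record.get("Operation") != "New-InboxRule":
        return []
    p = rule_params(record)
    reasons = []
    if p.get("Name", "").strip().lower() in SUSPECT_NAMES:
        reasons.append("suspicious rule name %r" % p.get("Name", ""))
    deletes = p.get("DeleteMessage", "False").lower() == "true"
    words = [w.strip().lower() for w in
             p.get("SubjectOrBodyContainsWords", "").split(";") if w.strip()]
    hits = [w for w in words if any(s in w for s in SUSPECT_WORDS)]
    if deletes and hits:
        reasons.append("deletes mail matching %s" % (hits,))
    elif deletes:
        reasons.append("rule silently deletes mail")
    return reasons


def find_suspicious_rules(lines):
    """Return (user, reasons) for each JSON audit line that matches the tradecraft."""
    records = (json.loads(line) for line in lines)
    scored = ((r["UserId"], score_inbox_rule(r)) for r in records)
    return [(user, reasons) for user, reasons in scored if reasons]
```

Run against a real export, each line of `lines` would be one record’s AuditData JSON string; tune SUSPECT_WORDS to the notification wording your own tenant sends.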

Registering on Azure AD

The actors attempted rogue device registration onto the organization’s Azure AD instance, hoping to enforce policies that would facilitate lateral phishing.

Azure AD records an activity timestamp when a device attempts to authenticate, which gave defenders a second chance to discover potentially suspicious registrations.

Suspicious registration event (Source: Microsoft)

If the registration goes unnoticed, the actors can send messages from a recognized and trusted part of the domain by using the stolen, valid credentials in Outlook.

The second wave of phishing messages was much more voluminous than the first, counting over 8,500 SharePoint-themed emails with a “Payment.pdf” attachment.

This phishing campaign was crafty and moderately successful, but it would have been far less effective had the targeted companies followed any of these practices:

  • Require MFA on all employees’ Office 365 accounts.
  • Deploy endpoint protection solutions that can detect the creation of inbox rules.
  • Closely monitor Azure AD device registration.
  • Require MFA for Azure AD enrollment.
  • Apply zero trust policies in all parts of the organization’s network.
