Microsoft email service users need to be careful out there. That's because Zscaler, a cybersecurity research firm, has discovered a new ongoing phishing campaign targeting Microsoft email users. According to its findings, corporate users are under attack and the campaign is being run using adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication (MFA).
The AiTM technique, as the name suggests, places an adversary in the middle to intercept the authentication process between the client and the server to steal credentials during the exchange. This means the MFA information is also stolen. Basically the adversary in the middle acts like the server to the real client and the client to the real server. The image below, ironically from Microsoft itself, shows how AiTM works:
The analysis of this phishing campaign was done by Zscaler's ThreatLabz and it has summarized the attack into the following key points below:
- Corporate users of Microsoft's email services are the main targets of this large-scale phishing campaign.
- All these phishing attacks begin with an email sent to the victim with a malicious link.
- The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
- In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
- Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
- A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
- Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
- Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
- Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.
Zscaler also notes some attacker-registered domains which were typo-squatted versions of legitimate Federal Credit Unions in the US:
Attacker-registered domain Legit Federal Credit Union domain crossvalleyfcv[.]org crossvalleyfcu[.]org triboro-fcv[.]org triboro-fcu[.]org
portconnfcuu[.]com portconnfcu[.]com oufcv[.]com oufcu[.]com
You can find more technical details in the official blog post on Zscaler's website here.