Key Takeaways:
- A multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign is targeting organizations in the energy sector.
- The campaign uses SharePoint file-sharing services to deliver phishing payloads and relies on inbox rule creation to maintain persistence and evade user awareness.
- The attack involves credential theft, phishing, and social engineering tactics to trick users into divulging sensitive information.
- Organizations are advised to implement security controls such as phishing-resistant multi-factor authentication (MFA), conditional access policies, and continuous access evaluation to prevent such attacks.
- The campaign highlights the ongoing trend among threat actors to abuse trusted services and exploit human psychology to gain unauthorized access to sensitive information.
Introduction to the Threat
The Microsoft Defender Security Research Team has warned of a complex phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector. The campaign involves a series of adversary-in-the-middle (AitM) attacks and follow-on BEC activity, which have been found to abuse SharePoint file-sharing services to deliver phishing payloads. The attackers rely on inbox rule creation to maintain persistence and evade user awareness, making it challenging for organizations to detect and respond to the threat.
The Attack Vector
The starting point of the attack is a phishing email sent from a compromised email address belonging to a trusted organization. The email masquerades as a SharePoint document-sharing workflow, giving it a veneer of credibility and tricking recipients into clicking on phishing URLs. The use of legitimate email addresses and services like SharePoint and OneDrive makes it difficult for users to distinguish between genuine and malicious emails. This approach is known as living-off-trusted-sites (LOTS), where threat actors exploit the familiarity and ubiquity of trusted platforms to subvert email-centric detection mechanisms.
The Phishing Process
The phishing link leads to a fake sign-in prompt that the recipient must complete to view the purported document. Because that page is an AitM proxy, the credentials the user types are relayed to the legitimate service and the resulting session cookie is captured, so the attacker can sign in to the account without triggering a fresh MFA prompt. Once inside, the attackers create inbox rules that delete all incoming mail and mark it as read, which hides their later activity from the mailbox owner. The compromised inbox is then used to send further phishing messages carrying an AitM credential-theft URL. In one case, the attacker launched a large-scale campaign of over 600 emails to the compromised user's contacts, both within and outside the organization.
Social Engineering Tactics
The attackers have also been observed using social engineering to keep the scheme alive. They deleted undelivered and out-of-office replies from the compromised mailbox and, when a recipient questioned a message, replied from that mailbox to vouch for its authenticity; the exchange was then deleted as well, leaving the mailbox owner with no trace of it. These techniques are common in BEC attacks: they keep the victim unaware of the attacker's activity and so prolong the attacker's access.
Remediation and Prevention
Microsoft has advised organizations to work with their identity provider to ensure that phishing-resistant MFA (for example, FIDO2 security keys or certificate-based authentication) is in place, since an AitM proxy defeats one-time codes and push approvals by relaying them in real time. Organizations should also enable conditional access policies, implement continuous access evaluation, and use anti-phishing solutions that monitor and scan incoming emails and visited websites. For accounts already compromised, Microsoft stresses revoking active session cookies and removing attacker-created inbox rules: a stolen session cookie remains valid after a password reset until the session itself is revoked, and a surviving rule keeps hiding mail from the owner. Taken together, these measures sharply reduce the chance that a similar attack succeeds or goes unnoticed.
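The inbox rules described in the phishing process and the remediation advice above can be hunted for in mailbox audit data. The following is an added example (not Microsoft's code and not part of the original article): it assumes audit records shaped like Microsoft 365 Unified Audit Log entries for New-InboxRule and Set-InboxRule (an Operation field plus a Parameters list of Name/Value pairs), and the sample records are constructed for illustration. It flags rules that delete or mark mail as read, hide mail in unusual folders, or forward externally, and adds weight when a rule has no condition (so it fires on every message) or a throwaway name.

```python
"""Flag inbox rules that match the AitM/BEC persistence pattern described above.

Added example, not Microsoft's or the campaign's code. It assumes audit records
shaped like Microsoft 365 Unified Audit Log entries for New-InboxRule /
Set-InboxRule (an Operation plus a Parameters list of Name/Value pairs);
the records below are constructed for illustration.
"""
import json

# Parameter names that are rule actions or metadata; anything else is a match condition
ACTION_KEYS = {"DeleteMessage", "MarkAsRead", "MoveToFolder", "ForwardTo",
               "RedirectTo", "ForwardAsAttachmentTo", "StopProcessingRules",
               "Name", "Identity", "Enabled", "Priority"}
# Folders attackers commonly use to park mail where the owner will not look
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Deleted Items", "Junk Email", "Archive"}


def _params(record):
    """Flatten the Parameters list into a dict (assumed audit-record shape)."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _rule_name(params):
    # New-InboxRule carries Name; Set-InboxRule identifies the rule via Identity
    return str(params.get("Name", params.get("Identity", "")))


def _is_true(value):
    return str(value).lower() == "true"


def rule_risk(record):
    """Return the reasons a rule-creation record looks like BEC persistence ([] if none)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    if _is_true(p.get("DeleteMessage")):
        reasons.append("deletes matching mail")
    if _is_true(p.get("MarkAsRead")):
        reasons.append("marks matching mail as read")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append("hides mail in '%s'" % p["MoveToFolder"])
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if p.get(key):
            reasons.append("%s %s" % (key, p[key]))
    if not reasons:
        return reasons
    # A rule with no condition fires on every incoming message, as in the campaign
    if not [k for k in p if k not in ACTION_KEYS]:
        reasons.append("no condition: applies to every incoming message")
    # Attackers often give rules throwaway names such as "." or a single character
    if len(_rule_name(p).strip(" .")) <= 1:
        reasons.append("near-empty rule name '%s'" % _rule_name(p))
    return reasons


def scan(records):
    """Apply rule_risk to each record; return (user, rule name, reasons) for flagged ones."""
    hits = []
    for rec in records:
        reasons = rule_risk(rec)
        if reasons:
            hits.append((rec.get("UserId"), _rule_name(_params(rec)), reasons))
    return hits


# Constructed sample: one attacker rule, one benign rule, one forwarding rule, one non-rule event
SAMPLE_RECORDS = json.loads("""[
 {"Operation": "New-InboxRule", "UserId": "a.user@energy.example",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "DeleteMessage", "Value": "True"},
                 {"Name": "MarkAsRead", "Value": "True"},
                 {"Name": "StopProcessingRules", "Value": "True"}]},
 {"Operation": "New-InboxRule", "UserId": "b.user@energy.example",
  "Parameters": [{"Name": "Name", "Value": "Vendor digest"},
                 {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
                 {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"Operation": "Set-InboxRule", "UserId": "c.user@energy.example",
  "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                 {"Name": "SubjectContainsWords", "Value": "invoice"},
                 {"Name": "ForwardTo", "Value": "collect@attacker.example"},
                 {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
 {"Operation": "MailItemsAccessed", "UserId": "a.user@energy.example", "Parameters": []}
]""")

if __name__ == "__main__":
    for user, name, reasons in scan(SAMPLE_RECORDS):
        print(user, repr(name), "; ".join(reasons))
```

Run against real exports, the hits are the rules to remove during remediation; the benign "Vendor digest" rule is left alone because it has a condition, a descriptive name, and moves mail to an ordinary folder.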
The Bigger Picture
The attack outlined by Microsoft highlights the ongoing trend among threat actors to abuse trusted services such as Google Drive, Amazon Web Services (AWS), and Atlassian’s Confluence wiki to redirect to credential harvesting sites and stage malware. This eliminates the need for attackers to build out their own infrastructure and makes malicious activity appear legitimate. The disclosure comes as identity services provider Okta said it detected custom phishing kits designed specifically for use in voice phishing (aka vishing) campaigns targeting Google, Microsoft, Okta, and a wide range of cryptocurrency platforms.
Recent Phishing Campaigns
In recent weeks, phishing campaigns have abused the user-info component of URLs (the user:password@host syntax originally meant for HTTP Basic Authentication): a trusted domain is placed in the username field, followed by an @ symbol and the actual malicious domain, so the victim sees the familiar name first even though the browser connects to whatever follows the @. Other campaigns have resorted to simple visual deception, such as using "rn" in place of "m" to register domains that impersonate companies like Microsoft, Mastercard, Marriott, and Mitsubishi. This is a homoglyph attack, and it is more dangerous when the confusable letters fall inside words an organization uses as part of its brand, subdomains, or service identifiers, where a reader is least likely to look closely.
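Both tricks above can be checked mechanically before a link is trusted. The following is an added example, not code from the original article: it resolves the host a browser would actually connect to (everything after any user-info @), and collapses ASCII confusable pairs such as "rn" into "m" so that a look-alike domain compares equal to the brand it imitates. The brand list and the confusable table are assumptions chosen for illustration, the registrable-domain helper is a deliberate simplification, and the sample URLs are constructed.

```python
"""Classify deceptive phishing URLs of the two kinds described above.

Added example, not from the original article. The brand list and the
confusable table are assumptions chosen for illustration; the URLs below are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Brands the page mentions as impersonated; a real deployment would load its own list
PROTECTED = {"microsoft.com", "mastercard.com", "marriott.com", "mitsubishi.com"}
# ASCII letter pairs that render like a single letter in many fonts
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def real_host(url):
    """The host the browser will actually connect to: everything after any user:pass@."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_decoy(url):
    """If the URL carries a user-info part before '@', return it (the decoy the victim sees), else None."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else None


def skeleton(host):
    """Collapse confusable pairs so that 'rnicrosoft.com' and 'microsoft.com' compare equal."""
    s = unicodedata.normalize("NFKC", host).lower()
    for pair, glyph in CONFUSABLES.items():
        s = s.replace(pair, glyph)
    return s


def registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])


PROTECTED_BY_SKELETON = {skeleton(b): b for b in PROTECTED}


def assess(url):
    """Return (real host, list of findings); an empty list means no deception detected."""
    findings = []
    host = real_host(url)
    decoy = userinfo_decoy(url)
    if decoy is not None:
        findings.append("user-info decoy '%s' hides real host %s" % (decoy, host))
    base = registrable(host)
    target = PROTECTED_BY_SKELETON.get(skeleton(base))
    if target and base != target:
        findings.append("homoglyph look-alike of %s" % target)
    return host, findings


# Constructed sample URLs
SAMPLE_URLS = [
    "https://login.microsoft.com@attacker.example/shared/doc",  # trusted name in user-info
    "https://rnicrosoft.com/login",                              # rn for m
    "https://portal.rnarriott.com/rewards",                      # rn for m, with subdomain
    "https://www.microsoft.com/",                                # genuine
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        host, findings = assess(u)
        print(host, findings or "ok")
```

The skeleton comparison is deliberately one-directional: a genuine brand domain maps to itself and is never flagged, while any domain whose collapsed form lands on a protected brand is reported together with the brand it imitates.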
Conclusion
The multi-stage AitM phishing and BEC campaign targeting organizations in the energy sector highlights the importance of implementing robust security controls and educating users about the risks of phishing and social engineering attacks. By understanding the tactics and techniques used by threat actors, organizations can take proactive measures to prevent such attacks and protect their sensitive information from falling into the wrong hands. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and adapt their security strategies to stay ahead of emerging threats.