Banking and financial services organizations are targets of new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks, Microsoft has revealed.
“The attack originates from a compromised trusted vendor and redirects to a suite of AiTM attacks and follows BEC activity spanning multiple organizations,” the tech giant disclosed in a report published Thursday.
Microsoft, which tracks the cluster under the emerging moniker Hurricane-1167, called out the group’s use of indirect proxies to carry out the attacks.
This allows attackers to flexibly adapt phishing pages to their targets and perform session cookie theft, underscoring the continued sophistication of AitM attacks.
Its modus operandi is unlike that of other AitM campaigns, in which the decoy page acts as a reverse proxy to harvest the credentials and time-based one-time passwords (TOTP) entered by victims.
“The attacker presents the target with a website that mimics the targeted application’s login page, as in a traditional phishing attack, hosted on a cloud service,” Microsoft said.
“The login page contains resources loaded from an attacker-controlled server, which initiates an authentication session with the authentication provider of the target application using the victim’s credentials.”
The attack chain begins with a phishing email containing a link which, when clicked, directs victims to a fake Microsoft sign-in page where they enter their credentials and TOTP.
The harvested password and session cookies are then used to impersonate the user and gain unauthorized access to email inboxes via replay attacks. That access is then misused to obtain sensitive emails and orchestrate BEC attacks.
What’s more, a new SMS-based two-factor authentication method is added to the targeted accounts so that the attackers can log in with the stolen credentials without attracting attention.
In the incidents analyzed by Microsoft, the attackers are said to have started a mass spam campaign, sending more than 16,000 emails to the compromised users’ contacts, both inside and outside the organization, as well as distribution lists.
Adversaries have also been observed taking steps to minimize detection and build persistence by responding to incoming emails and then removing them from the mailboxes.
Ultimately, the recipients of the phishing email were subjected to a second AitM attack to steal their credentials and trigger yet another phishing campaign, this time sent from the inbox of one of the users whose account had been compromised in that AitM attack.
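The post-compromise sequence described above (a sign-in from an unfamiliar IP address, a newly registered MFA method, a mail-deleting inbox rule, then a burst of outbound mail) is something a defender can correlate in account audit logs. The following is an added example, not code from the article or from Microsoft; the event shape, operation names, IP addresses, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real Microsoft log schema): one AitM-style
# takeover of cfo@corp.example followed by the post-compromise steps the
# article describes, plus ordinary activity from a second user.
SAMPLE_EVENTS = [
    {"ts": "2023-06-08T09:00:00", "user": "cfo@corp.example", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2023-06-08T09:04:00", "user": "cfo@corp.example", "op": "MfaMethodAdded", "ip": "203.0.113.7"},
    {"ts": "2023-06-08T09:10:00", "user": "cfo@corp.example", "op": "New-InboxRule", "ip": "203.0.113.7", "deletes": True},
] + [
    {"ts": f"2023-06-08T09:{20 + i // 60:02d}:{i % 60:02d}", "user": "cfo@corp.example", "op": "Send", "ip": "203.0.113.7"}
    for i in range(120)  # mass-mailing burst: 120 messages in two minutes
] + [
    {"ts": "2023-06-08T08:30:00", "user": "ann@corp.example", "op": "UserLoggedIn", "ip": "198.51.100.4"},
    {"ts": "2023-06-08T08:31:00", "user": "ann@corp.example", "op": "Send", "ip": "198.51.100.4"},
]

# Constructed baseline of IP addresses each user has previously signed in from.
KNOWN_IPS = {"cfo@corp.example": {"198.51.100.9"}, "ann@corp.example": {"198.51.100.4"}}


def detect_takeover(events, known_ips, window=timedelta(hours=1), send_threshold=50):
    """Return {user: [finding, ...]} for users whose activity, within `window`
    of a sign-in from an IP not in their baseline, shows the article's pattern:
    a new MFA method, a mail-deleting inbox rule, or a mass send."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for user, evs in by_user.items():
        new_ip_logins = [e["ts"] for e in evs
                         if e["op"] == "UserLoggedIn" and e["ip"] not in known_ips.get(user, set())]
        if not new_ip_logins:
            continue  # all sign-ins came from the user's known addresses
        start = new_ip_logins[0]
        in_window = [e for e in evs if start <= e["ts"] <= start + window]
        hits = []
        if any(e["op"] == "MfaMethodAdded" for e in in_window):
            hits.append("new MFA method registered after sign-in from unseen IP")
        if any(e["op"] == "New-InboxRule" and e.get("deletes") for e in in_window):
            hits.append("inbox rule that deletes incoming mail created")
        sends = sum(1 for e in in_window if e["op"] == "Send")
        if sends >= send_threshold:
            hits.append(f"{sends} messages sent within {window}")
        if hits:
            findings[user] = hits
    return findings
```

A single new-IP sign-in on its own produces no finding; it is the combination with the follow-on actions in the same window that is flagged.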
“This attack demonstrates the complexity of the AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers and other partner organizations with the aim of financial fraud,” the company added.
The development comes less than a month after Microsoft warned of a surge in BEC attacks and the evolving tactics used by cybercriminals, including the use of platforms such as BulletProftLink to create industrial-scale malicious mail campaigns.
Another tactic involves using residential internet protocol (IP) addresses to make attack campaigns appear locally generated, the tech giant said.
“The BEC threat actor then purchases IP addresses from a residential IP service that matches the victim’s location, creating a residential IP proxy that empowers cybercriminals to mask their origin,” Redmond explained.
“Now, armed with the local address space to back up their malicious activity in addition to usernames and passwords, BEC attackers can obfuscate moves, circumvent ‘impossible travel’ flags, and open the gates for further attacks.”