“Dozens” of organizations around the world have been targeted as part of a widespread business email compromise (BEC) campaign that uses adversary-in-the-middle (AitM) techniques to carry out the attacks.
“Following a successful phishing attempt, the threat actor gained initial access to one of the victim’s employee accounts and executed an ‘enemy in the middle’ attack to bypass Office365 authentication and gain persistent access to that account,” researchers from Sygnia said in a report shared with The Hacker News.
“After gaining persistence, the threat actor extracts data from the compromised account and uses its access to deploy phishing attacks against other employees of the victim along with some external target organizations.”
The findings come less than a week after Microsoft detailed a similar combination of AitM phishing and BEC attacks aimed at banking and financial services organizations.
BEC scams usually involve deceiving targets via email into sending money or divulging confidential company information. As well as personalizing emails to the intended victims, attackers can also impersonate trusted figures to achieve their goals.
That impersonation, in turn, can be achieved by seizing control of a trusted account through an elaborate social engineering scheme, after which the fraudster emails the company’s client or supplier a fake invoice requesting payment to a bank account the fraudster controls.
In the chain of attacks documented by Sygnia, the attackers send phishing emails containing links to purported “shared documents” that ultimately redirect victims to AitM phishing pages designed to capture the entered credentials and one-time passwords. Because such a page proxies the real login flow, the one-time code is relayed to the legitimate service while it is still valid, so OTP-based MFA does not prevent the attacker from obtaining a valid session; only phishing-resistant methods that bind the credential to the site’s origin, such as FIDO2 security keys, defeat this relay.
What’s more, the threat actors are said to have abused their temporary access to the compromised accounts to register new multi-factor authentication (MFA) methods, giving them a persistent foothold in the accounts from a different IP address located in Australia.
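The persistence step described above, a phished session followed by the enrolment of a new MFA method from a different IP address, leaves a recognizable trace in identity logs: a successful sign-in from a location the user has never used, followed shortly by a security-info registration. The following is an added example, not code from Sygnia, Microsoft or this article, of a detection routine that hunts for that pattern. The event records it runs over are constructed for the example, and the field names (`kind`, `user`, `time`, `ip`, `country`, `method`) are an assumed, simplified schema rather than the real Entra ID sign-in or audit log format, which nests these values differently.

```python
"""Hunt for 'new location sign-in, then new MFA method registered' in identity logs.

Added example with a constructed, simplified event schema (not real Entra ID
telemetry). Two event kinds are modelled:
  - "signin":           a successful interactive sign-in
  - "mfa_registration": a new authentication method added to the account
"""
import json
from datetime import datetime, timedelta, timezone

# A sign-in followed by an MFA registration within this window is treated as linked.
LINK_WINDOW = timedelta(hours=2)

# Constructed sample events (not real telemetry). Timestamps are UTC.
SAMPLE_EVENTS = """
[
 {"kind": "signin", "user": "alice@example.com", "time": "2023-06-01T08:00:00Z", "ip": "198.51.100.10", "country": "US"},
 {"kind": "signin", "user": "alice@example.com", "time": "2023-06-01T09:10:00Z", "ip": "203.0.113.7", "country": "AU"},
 {"kind": "mfa_registration", "user": "alice@example.com", "time": "2023-06-01T09:25:00Z", "ip": "203.0.113.7", "country": "AU", "method": "Authenticator App"},
 {"kind": "signin", "user": "bob@example.com", "time": "2023-06-01T08:30:00Z", "ip": "198.51.100.22", "country": "US"},
 {"kind": "signin", "user": "bob@example.com", "time": "2023-06-01T10:00:00Z", "ip": "198.51.100.22", "country": "US"},
 {"kind": "mfa_registration", "user": "bob@example.com", "time": "2023-06-01T10:05:00Z", "ip": "198.51.100.22", "country": "US", "method": "Phone"},
 {"kind": "signin", "user": "carol@example.com", "time": "2023-06-01T07:00:00Z", "ip": "192.0.2.5", "country": "DE"},
 {"kind": "mfa_registration", "user": "carol@example.com", "time": "2023-06-03T07:00:00Z", "ip": "192.0.2.5", "country": "DE", "method": "Phone"}
]
"""


def parse_events(raw_json):
    """Parse the JSON export into dicts with aware datetimes, ordered by time."""
    events = json.loads(raw_json)
    for event in events:
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_mfa_registrations(events, window=LINK_WINDOW):
    """Return alerts for MFA registrations linked to a sign-in from a new country.

    The per-user set of known countries is built only from sign-ins that precede the
    event being examined, so the baseline is whatever the user had done before. A
    user's very first sign-in is never treated as a new location, because there is
    no baseline to compare against; that keeps newly onboarded accounts quiet.
    """
    known_countries = {}   # user -> set of countries seen in earlier sign-ins
    signins = {}           # user -> list of sign-in summaries, in time order
    alerts = []

    for event in events:
        user = event["user"]
        seen = known_countries.setdefault(user, set())

        if event["kind"] == "signin":
            is_new_location = bool(seen) and event["country"] not in seen
            signins.setdefault(user, []).append({
                "time": event["time"],
                "ip": event["ip"],
                "country": event["country"],
                "known_countries": sorted(seen),
                "new_location": is_new_location,
            })
            seen.add(event["country"])

        elif event["kind"] == "mfa_registration":
            # The registration itself coming from an unseen country is also a signal.
            registration_from_new = bool(seen) and event["country"] not in seen
            # Walk the most recent sign-ins first so the alert cites the closest one.
            for signin in reversed(signins.get(user, [])):
                if event["time"] - signin["time"] > window:
                    break  # older sign-ins are further away still
                if signin["new_location"] or registration_from_new:
                    alerts.append({
                        "user": user,
                        "registered_at": event["time"].isoformat(),
                        "method": event["method"],
                        "registration_ip": event["ip"],
                        "signin_at": signin["time"].isoformat(),
                        "signin_ip": signin["ip"],
                        "signin_country": signin["country"],
                        "known_countries": signin["known_countries"],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

On the constructed data only alice is flagged: her sign-in from AU is the first from that country, and an Authenticator App registration follows fifteen minutes later from the same address. bob registers a method from his usual country and carol's registration falls two days after her only sign-in, so neither produces an alert. In a real deployment the country baseline would be built from a longer history than the window being hunted, and the sign-in's session or correlation identifier, where the log provides one, is a stronger link than time proximity alone.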
“In addition to the exfiltration of sensitive data from victim accounts, threat actors use this access to send new phishing emails containing new malicious links to dozens of client employees as well as additional target organizations,” Sygnia researchers said.
The Israeli cybersecurity firm further said that the phishing emails spread in a “worm-like manner” from one targeted company to another and among employees within the same company. The exact scale of the campaign is currently unknown.