An unknown attack group has been running a phishing and BEC campaign against a variety of banking and financial services organizations that began with the compromise of one of the targets’ trusted vendors and employed techniques that allowed them to bypass MFA protections and target a widening web of other companies.
Researchers at Microsoft identified the campaign and discovered that the attackers were quite deliberate and technically proficient in their actions. Unlike many other such campaigns, this one does not use a server that proxies authentication requests and other data between the target and the sign-in page for the target application. Instead, the attackers employed an indirect proxy that contains a phishing page that is designed to be identical to the legitimate one of the target application. The resources on the page are loaded from an attacker-controlled server and this method gives the attacker more flexibility in what kind of content they can show to the victim.
Business email compromise (BEC) has become a serious problem for both enterprises and SMBs in recent years, causing millions of dollars in losses each year. Cybercrime groups routinely research new targets extensively, mapping out their infrastructure, cloud services, and providers and customers. Attackers often use access to trick victims into transferring funds or diverting goods to places of their choosing.
The attackers in this camapign initially work to steal the victim's session cookie for the target application through a phishing email that leads to the attacker-controlled sign-in page. Once the victim enters the username and password for the account, the attacker then has to get around MFA if it was configured for the account.
“This AiTM attack’s use of indirect proxy is an example of the threat’s increasingly complex and evolving TTPs."
“When MFA is requested after successful password validation, the server displays a fake MFA page. Once the MFA is provided by the user, the attacker uses the same MFA token in the initiated session with the authentication provider. Following successful authentication, the session token is granted to the attacker, and victim is redirected to another page,” the Microsoft researchers said.
With that cookie in hand, the attackers then run a session replay, which uses the stolen authentication cookie to impersonate the victim and authenticate to the target app, which in this case was an email service. The attackers then accessed the inbox of the victim and added a new MFA method to the account, providing a phone number in Iran to receive phone-based one-time passwords. Once that’s done, the attackers added rules that would divert all incoming messages to the archive folder in the inbox and mark them all as read. They then used the compromise account as a platform to launch a large phishing campaign against the victim’s contacts.
As in other BEC and phishing campaigns, the attackers kept a watch on the compromised inbox and deleted any automated replies or other responses that would raise questions. Anyone inside the victim organization who clicked on the malicious link in the phishing email then went through the same series of logins as the original victim, and the attackers began a second phishing campaign from one of those secondary victims.
“This AiTM attack’s use of indirect proxy is an example of the threat’s increasingly complex and evolving TTPs to evade and even challenge conventional solutions and best practices. Proactively hunting for and quickly responding to threats thus becomes an even more important aspect in securing organization networks because it provides an added layer to other security remediations and can help address areas of defense evasion,” the researchers said.
Microsoft refers to the attackers in this campaign as Storm-1167, with Storm being the company’s new designation for a new or emerging threat group.