Microsoft researchers have uncovered a huge phishing campaign that targeted thousands of organizations and used a simple, yet highly effective, method to steal users’ passwords and session cookies to take over their Office 365 accounts and attempt to run business email compromise schemes from those accounts.
The campaign began in September 2021 and the unnamed attackers behind it tried to target as many as 10,000 organizations in the next few months. The phishing emails typically included an HTML attachment that masqueraded as a voice memo. When a victim clicked on the attachment, the browser was sent to a redirector site that eventually led to a fake Microsoft login site. The attackers used the well-known Evilginx2 phishing toolkit to construct the pages. Victims who entered their credentials on the phishing site were actually redirected to their legitimate company Office 365 site.
But during that authentication process, the attackers’ site was acting as a proxy between the victim and the legitimate site, stealing the password and session cookie. If the victim’s account had MFA enabled, the phishing site proxied the request for additional authentication as well, so that when the attacker later used the stolen session cookie to access the victim’s account, the cookie was already marked as having satisfied MFA. That allows the attacker to circumvent MFA on compromised accounts without exploiting any vulnerability in the MFA system itself.
“The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled,” the Microsoft analysis says.
“The phishing site proxied the organization’s Microsoft Entra ID sign-in page, which is typically login.microsoftonline.com. If the organization had configured their Microsoft Entra ID to include their branding, the phishing site’s landing page also contained the same branding elements.”
Phishing campaigns that impersonate legitimate login screens are quite common, but many of them are relatively easy to identify and avoid. The use of a proxy to forward requests and responses between the victim and the target service makes it more difficult for victims to realize what’s happening as all of the malicious actions are happening in the background, out of sight. And once the attackers had access to a victim’s inbox, things got even worse from there. They began using compromised accounts as bases for payment fraud operations, a tactic that has become a favorite of some cybercrime groups in the last few years. Part of this tactic usually involves replying to existing email threads about payments, a method that makes malicious messages look legitimate.
“The following days after the cookie theft, the attacker accessed finance-related emails and file attachments every few hours. They also searched for ongoing email threads where payment fraud would be feasible. In addition, the attacker deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access,” Microsoft said.
“These activities suggest the attacker attempted to commit payment fraud manually. They also did this in the cloud—they used Outlook Web Access (OWA) on a Chrome browser and performed the above-mentioned activities while using the compromised account’s stolen session cookie.”
The attackers took several measures to cover their tracks, including creating rules to send all emails from the domain of a payment fraud target to the archive folder and mark them as read, deleting relevant emails from the sent folder, and deleting the targets’ messages.
“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains,” Microsoft said.
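As an added defender's example (not code from the Microsoft report or this article), the following Python flags inbox rules that match the cover-up pattern described above, and reports sender domains newly added to such a rule between two exports of a mailbox's rules. The rule records and their field names are constructed and hypothetical; adapt them to whatever your mailbox export produces.

```python
"""Flag inbox rules that hide incoming mail, and report when a hiding rule's
sender-domain list grows between two snapshots. Rule records are constructed,
with hypothetical field names; adapt them to your mailbox export format."""

# Folders an attacker can route mail into so the owner does not see it in Inbox.
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss subscriptions"}


def hides_mail(rule):
    """True if the rule removes matching mail from the Inbox view."""
    folder = (rule.get("move_to") or "").strip().lower()
    return bool(rule.get("delete")) or folder in HIDING_FOLDERS


def flag_rule(rule):
    """Return reasons a single rule looks like a BEC cover-up rule."""
    reasons = []
    if hides_mail(rule) and rule.get("mark_as_read"):
        reasons.append("hides matching mail and marks it as read")
    if hides_mail(rule) and rule.get("from_domains"):
        reasons.append("hides all mail from specific sender domains: "
                       + ", ".join(sorted(rule["from_domains"])))
    return reasons


def new_hidden_domains(previous, current):
    """Domains newly added to a hiding rule between two snapshots, keyed by rule name."""
    before = {r["name"]: set(r.get("from_domains", [])) for r in previous}
    added = {}
    for rule in current:
        if not hides_mail(rule):
            continue
        extra = set(rule.get("from_domains", [])) - before.get(rule["name"], set())
        if extra:
            added[rule["name"]] = extra
    return added


# Constructed snapshots of one mailbox's rules, taken a day apart.
SNAPSHOT_DAY1 = [
    {"name": "Newsletters", "from_domains": ["news.example.test"],
     "move_to": "Newsletters", "mark_as_read": False, "delete": False},
    {"name": "Vendors", "from_domains": ["vendor-a.example.test"],
     "move_to": "Archive", "mark_as_read": True, "delete": False},
]
SNAPSHOT_DAY2 = [
    SNAPSHOT_DAY1[0],
    {"name": "Vendors", "from_domains": ["vendor-a.example.test", "vendor-b.example.test"],
     "move_to": "Archive", "mark_as_read": True, "delete": False},
]

if __name__ == "__main__":
    for rule in SNAPSHOT_DAY2:
        for reason in flag_rule(rule):
            print(f"[suspicious] {rule['name']}: {reason}")
    print("domains added to hiding rules:", new_hidden_domains(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

Running the rule diff on each export of a mailbox's rules surfaces the "updated the Inbox rule to include new targets' domains" behaviour that a single snapshot cannot show.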