Chris Swagler | August 9th, 2022

Using a custom proxy-based phishing kit, a recent large-scale phishing operation is targeting credentials for Microsoft email services and bypassing multi-factor authentication (MFA). According to researchers, the campaign's objective is to gain access to corporate accounts and carry out business email compromise (BEC) attacks, using forged documents to divert payments to bank accounts under the threat operators' control. Targets include financial technology, lending, accounting, insurance, and Federal Credit Union companies in the United States, United Kingdom, New Zealand, and Australia. Researchers report that the campaign is still active and that the threat actors are registering new phishing domains almost daily.

Analysts observed an increase in sophisticated phishing attacks against these industries and against Microsoft email service users in June 2022. As the chart below shows, several of the domains registered for the campaign are typo-squatted versions of real Federal Credit Unions in the United States. These examples show why recipients should verify the sending domain of any email that asks them to act.

Many of the phishing emails were sent from the accounts of executives at the targeted companies, accounts the threat actors had most likely compromised earlier.

The malicious links were delivered either as buttons in the message body or inside HTML files attached to the email; both routes redirect the victim to the phishing page. The threat actors favor open redirects on Google Ads, Snapchat, and DoubleClick, because bouncing the victim through a legitimate web page helps the link evade email and web security tools. Some platforms do not treat open redirects as a vulnerability, which leaves them available for abuse. The campaign also makes heavy use of CodeSandbox and Glitch, which let the operators stand up new redirection routes quickly.
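The redirect chains described above can be unwrapped mechanically. The following is an added example, not code from the original post or from the researchers: it peels nested redirect parameters out of a link and reports the host the victim would finally land on. No vendor-specific parameter names are assumed; any query value that is an absolute http(s) URL on a different host is treated as a redirect target. The hosts and the allow-list of trusted sign-in hosts are constructed for the example.

```python
"""Peel open-redirect chains out of a phishing link.

Added example, not code from the original post. Any query parameter whose
value is an absolute http(s) URL on a different host is treated as a
redirect target, so no vendor-specific parameter names are assumed. The
hosts below are constructed (.test TLD), not real campaign infrastructure.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: an ad-network click URL wrapping a code-sandbox
# redirect page, which in turn carries the final phishing host.
SAMPLE_URL = (
    "https://ads.example-adnetwork.test/click?id=123"
    "&dest=https%3A%2F%2Fredirect.example-sandbox.test%2Fgo"
    "%3Fto%3Dhttps%253A%252F%252Flogin.example-fcu-secure.test%252Fsignin"
)

# Assumed allow-list of hosts a genuine Microsoft sign-in link may land on.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def embedded_urls(url):
    """Return query-parameter values that are absolute URLs on another host."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        nested = urlsplit(value)
        if nested.scheme in ("http", "https") and nested.netloc and nested.netloc.lower() != host:
            found.append(value)
    return found


def unwrap_redirect_chain(url, max_depth=5):
    """Follow nested redirect parameters and return the hosts visited, in order.

    Only the first embedded URL at each level is followed; max_depth caps
    pathological links that nest endlessly.
    """
    hosts = [urlsplit(url).netloc.lower()]
    current = url
    for _ in range(max_depth):
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0]
        hosts.append(urlsplit(current).netloc.lower())
    return hosts


def lands_off_domain(url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return (suspicious, hosts): suspicious is True when the final host is untrusted."""
    hosts = unwrap_redirect_chain(url)
    return hosts[-1] not in trusted_hosts, hosts


if __name__ == "__main__":
    suspicious, hosts = lands_off_domain(SAMPLE_URL)
    print(" -> ".join(hosts), "| suspicious:", suspicious)
```

Legitimate OAuth links also carry absolute URLs in parameters such as redirect_uri, so in production the trusted set should include the first-party destinations your tenant actually uses; the point of the check is the final host, not the presence of a nested URL.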

A common way to host redirection code is to use websites intended for legitimate use by web developers: quickly create a new code page, place redirect code pointing at the latest phishing URL in it, and send the link to the hosted redirect to victims in bulk. Once a victim reaches the phishing page, JavaScript fingerprints the browser to determine whether it is running on a virtual machine or a regular device. This hides the phishing page from security software and from researchers who analyze links inside virtual machines, and reveals it only to genuine targets.

Now that many companies use multi-factor authentication, stealing a user's login credentials is no longer sufficient to access an account when MFA is enabled. To get around MFA, threat actors use tools like Evilginx2, Muraena, and Modlishka. These techniques are called adversary-in-the-middle (AiTM) because the threat operators use a reverse proxy that sits between the victim and the email provider's server. When the email server requests the MFA code during login, the phishing kit relays the request to the victim, who enters the one-time password (OTP) into the phishing page. The kit forwards it to the email service, and the threat actors gain access to the account.

Because the phishing proxy sits in the middle of the transaction, it can also steal the authentication cookies the login generates, and threat actors can use those cookies to sign in to the affected accounts without being challenged for MFA. What distinguishes this campaign from others is that its custom phishing kit uses Beautiful Soup, a Python library for parsing HTML and XML. With it, the kit can quickly modify genuine login pages cloned from the targeted companies and insert its own phishing components.
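A page produced by a kit like this leaves two traces an analyst can look for: the sign-in form now posts to the proxy rather than to Microsoft, and the injected script carries the virtual-machine fingerprinting checks described earlier. The following is an added example, not the kit's code or anything from the original post, that scans a suspected cloned page for both. It uses the standard library's html.parser instead of Beautiful Soup so it runs without extra packages; the sample page, the expected form hosts, and the list of fingerprinting indicators are all constructed assumptions for the example.

```python
"""Inspect a suspected cloned sign-in page for proxy rewrites and VM checks.

Added example, not the kit's code or anything from the original post. It
uses the standard library's html.parser instead of Beautiful Soup so it
runs without extra packages; the sample page and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hosts a genuine Microsoft sign-in form may post to.
EXPECTED_FORM_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Strings commonly used by in-page fingerprinting to spot virtual machines
# or software renderers (heuristic list assumed for the example).
VM_INDICATORS = (
    "hardwareConcurrency",
    "WEBGL_debug_renderer_info",
    "VirtualBox",
    "VMware",
    "SwiftShader",
    "llvmpipe",
)

# Constructed sample: a proxied login page whose form posts back to the
# phishing host and whose script bails out to a decoy when it detects a VM.
SAMPLE_PAGE_URL = "https://login.example-phish.test/common/oauth2/authorize"
SAMPLE_PAGE_HTML = """
<html><body>
<form id="i0281" action="/common/login" method="post">
  <input name="loginfmt"><input name="passwd" type="password">
</form>
<form id="kmsi" action="https://login.microsoftonline.com/kmsi" method="post"></form>
<script>
  var gl = document.createElement('canvas').getContext('webgl');
  var ext = gl.getExtension('WEBGL_debug_renderer_info');
  var renderer = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  if (navigator.hardwareConcurrency < 2 || /VirtualBox|VMware|SwiftShader/.test(renderer)) {
    location.replace('https://www.example-decoy.test/');
  }
</script>
</body></html>
"""


class LoginPageScanner(HTMLParser):
    """Collect form actions (resolved against the page URL) and inline scripts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []
        self.scripts = []
        self._script_chunks = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # i.e. it posts to whatever host served the page.
            self.form_actions.append(urljoin(self.page_url, attrs.get("action") or ""))
        elif tag == "script" and not attrs.get("src"):
            self._script_chunks = []

    def handle_data(self, data):
        if self._script_chunks is not None:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_chunks is not None:
            self.scripts.append("".join(self._script_chunks))
            self._script_chunks = None


def scan_login_page(html, page_url, expected_hosts=EXPECTED_FORM_HOSTS):
    """Report forms posting off the expected hosts and VM-fingerprint indicators found."""
    scanner = LoginPageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    off_origin = [
        action for action in scanner.form_actions
        if urlsplit(action).netloc.lower() not in expected_hosts
    ]
    indicators = sorted(
        {needle for script in scanner.scripts for needle in VM_INDICATORS if needle in script}
    )
    return {
        "form_actions": scanner.form_actions,
        "off_origin_actions": off_origin,
        "vm_fingerprint_indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in scan_login_page(SAMPLE_PAGE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{key}: {value}")
```

Run it against a page fetched from the suspect URL, passing that URL as page_url so relative actions resolve correctly. Remember that the page may serve a decoy to anything it fingerprints as a VM, so fetch it from an environment that passes those checks or capture it from a victim's browser.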

A side effect of this approach is that the kit produces tidier HTML. The kit isn't flawless, though: researchers found that it leaks URLs in the requests it makes to the Microsoft server, which gives vendors a way to detect it. Researchers set up a test account to let the threat operators in and observe their post-compromise activity; the operators logged in eight minutes after the compromise, but did nothing beyond signing in, assessing the account, and reading messages.
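The eight-minute gap between the proxied MFA login and the operators' own sign-in is the kind of pattern identity logs can surface: the same session is first established with MFA and then reused, without an MFA challenge, from a different address shortly afterwards. The following is an added example, not from the original post or any vendor's detection content. The sign-in events are constructed JSON lines with an assumed schema (user, ts, ip, user_agent, session_id, mfa); map your identity provider's fields onto it.

```python
"""Flag session-cookie replay after an adversary-in-the-middle login.

Added example, not from the original post. The sign-in events below are
constructed JSON lines with an assumed schema (user, ts, ip, user_agent,
session_id, mfa). A session is flagged when its first event satisfied MFA
and it is then reused from a different IP without MFA within a short window.
"""
import json
from datetime import datetime

# Constructed sample log. Session s-7f21 is the AiTM case (MFA satisfied,
# then reused 8 minutes later from another IP and browser with no MFA).
# s-1a90 is a normal cookie reuse from the same IP; s-33c4 is reused from a
# new IP but hours later, outside the default window.
SAMPLE_SIGNIN_LOG = """\
{"user": "cfo@example-fcu.test", "ts": "2022-06-14T14:02:11+00:00", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0", "session_id": "s-7f21", "mfa": "satisfied"}
{"user": "cfo@example-fcu.test", "ts": "2022-06-14T14:10:11+00:00", "ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0", "session_id": "s-7f21", "mfa": "not_required"}
{"user": "ap@example-fcu.test", "ts": "2022-06-14T09:15:00+00:00", "ip": "192.0.2.25", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0", "session_id": "s-1a90", "mfa": "satisfied"}
{"user": "ap@example-fcu.test", "ts": "2022-06-14T11:40:00+00:00", "ip": "192.0.2.25", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0", "session_id": "s-1a90", "mfa": "not_required"}
{"user": "ceo@example-fcu.test", "ts": "2022-06-14T08:00:00+00:00", "ip": "192.0.2.40", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/102.0", "session_id": "s-33c4", "mfa": "satisfied"}
{"user": "ceo@example-fcu.test", "ts": "2022-06-14T19:30:00+00:00", "ip": "198.51.100.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/102.0", "session_id": "s-33c4", "mfa": "not_required"}
"""


def parse_signin_log(text):
    """Parse JSON-lines sign-in events, converting ts to timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_session_replays(events, max_gap_minutes=60):
    """Return findings for sessions reused from a new IP without MFA shortly after an MFA login."""
    by_session = {}
    for event in events:
        by_session.setdefault(event["session_id"], []).append(event)

    findings = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: e["ts"])
        first = session_events[0]
        if first["mfa"] != "satisfied":
            continue
        for later in session_events[1:]:
            gap_minutes = (later["ts"] - first["ts"]).total_seconds() / 60
            if (later["ip"] != first["ip"]
                    and later["mfa"] == "not_required"
                    and gap_minutes <= max_gap_minutes):
                findings.append({
                    "user": first["user"],
                    "session_id": session_id,
                    "mfa_ip": first["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after_mfa": round(gap_minutes, 1),
                    "user_agent_changed": later["user_agent"] != first["user_agent"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(finding)
```

One caveat matters when tuning this: because the victim's MFA login travels through the attacker's reverse proxy, the identity provider records the proxy's address as mfa_ip, not the victim's. Comparing that first address against the user's historical IPs and ASNs catches the proxied login itself, independent of whether the cookie is later replayed from a second address.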

With threat operators evolving their methods to bypass multi-factor authentication, it is more important than ever for companies to stay current on the threat landscape and regularly train employees to recognize phishing attempts. At SpearTip, our certified engineers use external penetration testing to assess companies' external security controls by simulating attacks from the public internet. The simulations are designed to identify vulnerabilities that allow SpearTip's engineers to gain access to the company's internal environment from the public internet. We probe for and validate vulnerabilities using advanced penetration testing techniques. Recommendations from these external security assessments (ESAs) help companies harden their overall security posture against external threat operators.

Our tabletop exercises are designed to encourage and strengthen collaborative planning by companies' incident response teams. We identify key findings, opportunities for improvement, and takeaways related to current policies and procedures to strengthen companies' ongoing security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.