Spear-phishing and AiTM Used to Hack MS Office 365 Accounts

The campaign

• The phishing emails tell the target organization that the corporate bank account they use for sending usual payments is frozen due to a financial audit and further provide new payment instructions.
• These new payment instructions suggest the target switch to a new bank account of a so-called alleged subsidiary. However, the new bank account is owned by the attackers for stealing payments.
• To fool the targets, the attacker hijacks email threads and uses typo-squatted domains that swiftly pass as authentic to CCed legal representatives known to victims, involving them in the exchange.

The infection chain

• The email doesn't pass DMARC checks, however, it targets the common security misconfigurations often used to limit false positive spam alerts from DocuSign, allowing the email to get inside the target's inbox.
• When the target clicks on the ‘Review Document’ button to open it, the victim lands at a phishing page on a spoofed domain. At that place, the target is urged to log in to the Windows domain.

Using AiTM attacks to bypass MFA

• When a target inputs their credentials and solves the MFA question, the proxy sitting in the middle steals the session cookie generated by the Windows domain.
• The attackers can now load the stolen session cookies into their own browsers to log into the victim's account and bypass MFA automatically, which was verified in the previous login.
• In one of the observed cases, the attackers added a smartphone as the new authentication device to ensure uninterrupted access to compromised accounts remains available to them.
• Further, the attackers used this stealthy breach to exclusively access SharePoint and Exchange. On the basis of logs, no activity was spotted in the victim's inbox, maybe they only read emails.

Conclusion