A sophisticated BEC campaign has been observed using advanced spear-phishing with Adversary-in-the-Middle (AiTM) attacks to hack Microsoft 365 accounts belonging to corporate executives.
Researchers from Mitiga have discovered the ongoing BEC campaign during an incident response case and claim that it is widespread now, targeting transactions of several million dollars each.
The phishing emails tell the target organization that the corporate bank account they use for sending usual payments is frozen due to a financial audit and further provide new payment instructions.
These new payment instructions suggest the target switch to a new bank account of a so-called alleged subsidiary. However, the new bank account is owned by the attackers for stealing payments.
To fool the targets, the attacker hijacks email threads and uses typo-squatted domains that swiftly pass as authentic to CCed legal representatives known to victims, involving them in the exchange.
The infection chain
The attack on corporate executives starts with a phishing email pretending to come from DocuSign, the electronic agreements management platform used widely in corporations.
The email doesn't pass DMARC checks, however, it targets the common security misconfigurations often used to limit false positive spam alerts from DocuSign, allowing the email to get inside the target's inbox.
When the target clicks on the ‘Review Document’ button to open it, the victim lands at a phishing page on a spoofed domain. At that place, the target is urged to log in to the Windows domain.
Using AiTM attacks to bypass MFA
The attackers seem to be using a phishing framework, evilginx2 proxy, to perform the AiTM attack.
When a target inputs their credentials and solves the MFA question, the proxy sitting in the middle steals the session cookie generated by the Windows domain.
The attackers can now load the stolen session cookies into their own browsers to log into the victim's account and bypass MFA automatically, which was verified in the previous login.
In one of the observed cases, the attackers added a smartphone as the new authentication device to ensure uninterrupted access to compromised accounts remains available to them.
Further, the attackers used this stealthy breach to exclusively access SharePoint and Exchange. On the basis of logs, no activity was spotted in the victim's inbox, maybe they only read emails.
The recent BEC campaign is very sophisticated and displays the technical capability of attackers behind it. Thus, corporate executives must stay vigilant. If suspected of any incident, Windows admins are suggested to monitor MFA changes on user accounts using Azure AD Audit Logs.