Microsoft email users targeted in new phishing campaign that can bypass MFA

Fintech, insurance, accounting, lending and credit union entities in the US, UK, New Zealand and Australia have been targeted in what seems to be an effort to steal funds

A new widespread phishing effort that targets Microsoft email users and use adversary-in-the-middle (AiTM) and other evasion techniques to bypass multifactor authentication (MFA) protections has been discovered by researchers at cybersecurity company Zscaler's ThreatLabz.

Early in July, Microsoft released details of a similar campaign, which exploited the AiTM technique to bypass MFA and targeted more than 10,000 organisations.

Zscaler researchers describe the new attack as one with high level of sophistication.

They believe the objective of the campaign is to hack into corporate accounts in order to carry out BEC (business email compromise) attacks and shift funds to accounts under their control using forged documents.

Fintech, insurance, accounting, lending and Federal Credit Union entities in the US, UK, New Zealand and Australia are among the targets of the phishing attempt.

Zscaler researchers saw a rise in sophisticated phishing attacks in June 2022 targeting certain sectors and users of Microsoft email services.

All of these phishing attacks started with the victim receiving an email with a malicious link.

Malicious emails either included HTML attachments with the link or a direct link to a phishing site. In either case, the user must activate the link in order to begin the infection chain.

The researchers discovered that hackers had created a number of new domains that were typosquatted replicas of legitimate American Federal Credit Unions in the US. Notably, a large number of phishing emails came from executives employed by these companies, whose accounts the threat actors had most likely compromised earlier.

As part of the campaign, another group of phishing websites used domain names that focus on using password reset lures.

After the malicious code was successfully implemented and a particular account hacked, that same account was then used to send more phishing emails to other business accounts.

The campaign employs a number of redirection strategies. For example, the attackers use online code editing services such as CodeSandbox and Glitch and Open Redirect pages hosted by Google Ads to host the URL redirection code.

Once the victim arrives at the phishing website, they are fingerprinted by JavaScript, which determines if they are using a virtual machine or a physical device.

This ensures that the phishing page is only shown to those who are likely to fall for the scam, rather than to security software or researchers who may be conducting their investigations using virtual machines.

The threat actors use AiTM approach to bypass MFA. The custom proxy-based phishing kit gives attackers the ability to run a proxy in between the target's device (the "client") and the mail server that they are sending queries to (thus "in the middle").

Because of the proxy, the threat actor can intercept all the information that is exchanged between the client and the server.

"Even though security features such as multifactor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks," the researchers warned.

"With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.

"As an extra precaution, users should not open attachments or click on links in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials."