Description

Security Researchers at Mitiga have discovered a new Business Email Compromise (BEC) campaign which combines spear-phishing with Man-in-the-Middle strategies to hack corporate employees' Microsoft 365 accounts, even though they are protected by MFA. When threat actors gain access to the accounts of high-ranking employees such as CEOs and CFOs of large companies, they can monitor communication and respond to emails at the right time to divert a large transaction to their accounts. It is typical of business email compromise attacks where the threat actors request authorizing members to change the destination of the bank account at the last minute from the compromised account. During these attacks, these phishing emails tell the target that the corporate bank account used for their transactions has been frozen due to a financial audit, and include new instructions for sending payments to a new bank account under their control. Later, attackers hijack email threads and use typosquatting domains to fool recipients, which instantly pass as authentic to CCed legal representatives the target knows, including them in the exchange. This Business Email Compromise (BEC) campaign begins by sending a phishing email to the company executives that appears to originate from DocuSign. Since the email doesn't pass DMARC checks and common security misconfigurations created to reduce false positive spam alerts from DocuSign help the email to get into the inbox of the target. If the victim clicks on the "Review Document" button, they are redirected to a phishing site with a spoofed domain, where they are asked to log in to a Windows account. Researchers believe that, an adversary-in-the-middle (AiTM) attack is conducted by threat actors using phishing frameworks like evilginx2 proxy. During the AiTM attacks, the tool evilginx2 acted as proxies between phishing pages and legitimate login forms for targeted companies. In this way, the proxy steals the session cookie that is generated by the Windows domain when the victim enters their credentials and answers the MFA question. This allows hackers to log into the victim's account and bypass the MFA, that was verified during the previous login. Since valid sessions can expire or be revoked, threat actors add a new multi-factor authentication device to the breached Microsoft 365 account, which generates no alerts and doesn't require further interaction from the original account owner. Furthermore, the researchers believed that the hackers used this stealthy breach to access Exchange and SharePoint. The Logs indicate that the attackers didn't access the victim's inbox, perhaps only reading emails. However, it is likely that the attackers waited for the right moment to inject their own emails into the victim's inbox to divert invoice payments to their bank accounts.