
Novel device registration trick enhances multi-stage phishing attacks

Microsoft has disclosed details of a large-scale phishing campaign using a novel device registration technique to target other enterprises.

Microsoft has shared details of a large-scale phishing campaign that leverages stolen credentials to register devices on a target’s network to extend the attack to other enterprises.

The attack exploits the concept of bring-your-own-device (BYOD) by registering a device using freshly stolen credentials. The second stage of the campaign observed by Microsoft was successful against victims that had not implemented multifactor authentication (MFA).

In this scenario, threat actors were able to register their own rogue devices into the victim’s network.

The first phase of the campaign involved stealing credentials in target organizations, most of them located in Australia, Singapore, Indonesia, and Thailand. In the second phase, these credentials were used to expand the attackers’ foothold within the organization “via lateral phishing as well as beyond the network via outbound spam.”

“Connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network. While in this case device registration was used for further phishing attacks, leveraging device registration is on the rise as other use cases have been observed.” reads the analysis published by Microsoft 365 Defender Threat Intelligence Team. “Moreover, the immediate availability of pen testing tools, designed to facilitate this technique, will only expand its usage across other actors in the future.”

The attack chain started with a DocuSign-branded phishing lure containing a link. Upon clicking on the link, the recipient is redirected to a rogue website masquerading as the login page for Office 365 to steal the credentials.

The campaign employed a set of phishing domains registered under the .xyz top-level domain. Microsoft shared the following regular expression for matching them:

UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"

The researchers pointed out that a phishing link was uniquely generated for each email, with the victim’s email address encoded in the query parameter of the URL.
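The following is an added example, not code from Microsoft's report, showing how a defender could apply the shared domain pattern to URLs pulled from proxy or mail logs and pull out the per-victim address. The sample URLs are constructed, and the name of the query parameter carrying the address ("email") is an assumption, since the report only says the address is encoded in the query.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern Microsoft shared for the campaign's .xyz phishing domains
# (five letters, a dot, "ar" plus four or five letters, ".xyz").
# It is not end-anchored, so it also matches longer hostnames that
# merely begin with this shape; keep that in mind when triaging hits.
PHISH_DOMAIN_RE = re.compile(r"^[a-z]{5}\.ar[a-z]{4,5}\.xyz")


def flag_phishing_urls(urls):
    """Return (url, host, targeted_email) for each URL whose host matches.

    The targeted address is read from an 'email' query parameter; that
    parameter name is an assumption, the report only states the victim's
    address is encoded in the URL query."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # hostnames are case-insensitive
        if not PHISH_DOMAIN_RE.match(host):
            continue
        email = parse_qs(parts.query).get("email", [None])[0]
        hits.append((url, host, email))
    return hits


# Constructed sample URLs for the demo; none are indicators from the report.
SAMPLE_URLS = [
    "https://qwert.arbcde.xyz/login?email=alice%40example.com",
    "https://ABCDE.ARXYZQ.XYZ/?email=bob%40example.com",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://ab.arcde.xyz/x",           # only two letters before the first dot
    "https://abcde.arcdefghi.xyz/x",    # too many letters after "ar"
]

if __name__ == "__main__":
    for url, host, email in flag_phishing_urls(SAMPLE_URLS):
        print(f"match: {host}  target={email}  url={url}")
```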

Microsoft reported that the attackers compromised over one hundred mailboxes in multiple organizations; in the compromised mailboxes they also created an inbox rule to evade detection.

Mailbox rule name: Spam Filter
Condition: SubjectOrBodyContainsWords: "junk;spam;phishing;hacked;password;with you"
Action: DeleteMessage, MarkAsRead
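As an added example (not from the report), the check below hunts for inbox rules of the kind described above across an export of mailbox rules: a rule is flagged when it filters on security-related keywords and also hides the matching mail. The rule export format is an assumed dictionary shape, the sample rules are constructed, and treating MoveToFolder as a hiding action alongside the report's DeleteMessage and MarkAsRead is an assumption.

```python
# Keywords from the campaign's rule (matched against subject or body) and
# the actions it paired with them to hide warning mail from the mailbox owner.
SUSPECT_KEYWORDS = {"junk", "spam", "phishing", "hacked", "password"}
# DeleteMessage and MarkAsRead come from the report; MoveToFolder is an
# assumed addition, since moving mail out of the inbox hides it just as well.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}


def suspicious_inbox_rules(rules):
    """rules: list of dicts in the assumed export shape
    {'mailbox': str, 'name': str, 'SubjectOrBodyContainsWords': str,
     'actions': [str]}, with the word list ';'-separated as in the report.
    Returns one finding per rule that filters on a security keyword AND
    deletes, marks read or moves the matching mail."""
    findings = []
    for rule in rules:
        words = {w.strip().lower()
                 for w in rule.get("SubjectOrBodyContainsWords", "").split(";")
                 if w.strip()}
        keyword_hits = words & SUSPECT_KEYWORDS
        hiding = set(rule.get("actions", [])) & HIDING_ACTIONS
        if keyword_hits and hiding:
            findings.append({
                "mailbox": rule["mailbox"], "rule": rule["name"],
                "keywords": sorted(keyword_hits), "actions": sorted(hiding),
            })
    return findings


# Constructed sample rules; the first mirrors the rule described in the report.
SAMPLE_RULES = [
    {"mailbox": "user1@example.com", "name": "Spam Filter",
     "SubjectOrBodyContainsWords": "junk;spam;phishing;hacked;password;with you",
     "actions": ["DeleteMessage", "MarkAsRead"]},
    {"mailbox": "user2@example.com", "name": "Newsletters",
     "SubjectOrBodyContainsWords": "newsletter;digest",
     "actions": ["MoveToFolder"]},
    {"mailbox": "user3@example.com", "name": "Flag security mail",
     "SubjectOrBodyContainsWords": "phishing",
     "actions": ["MarkImportance"]},   # keyword hit, but nothing is hidden
]

if __name__ == "__main__":
    for finding in suspicious_inbox_rules(SAMPLE_RULES):
        print(finding)
```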

In the second phase, threat actors exploited the lack of MFA to join a device of their own to the victim organization's Azure Active Directory (Azure AD) instance.

“By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.” continues the report.

“To launch the second wave, the attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization. The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the ‘Payment.pdf’ file being shared was legitimate.”

Microsoft provides recommendations to defend against multi-staged phishing campaigns, such as enabling MFA, adopting good credential hygiene, and implementing network segmentation.

“These best practices can limit an attacker’s ability to move laterally and compromise assets after initial intrusion and should be complemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components,” Microsoft concludes.


Pierluigi Paganini
