Large-Scale Phishing Attacks Targeting Microsoft Enterprise Email Services

Written by

Security researchers from ThreatLabz have uncovered a new strain of a large-scale phishing campaign using adversary-in-the-middle (AiTM) techniques along with several evasion tactics.

According to an advisory published by the company on Tuesday, similar AiTM phishing techniques were used in a separate phishing campaign described by Microsoft last month.

Now, ThreatLabz revealed that using intelligence gathered from the Zscaler cloud, it observed an increase in the use of advanced phishing kits in a large-scale campaign in June.

The security firm explained the new campaign stood out from “commonly seen” phishing attacks for a number of reasons.

Firstly, just like the campaign spotted by Microsoft, it used AiTM to bypass multi-factor authentication (MFA). Secondly, it used several evasion techniques across various stages of the attack designed to bypass typical email security and network security solutions.

In fact, based on the data analyzed by ThreatLabz, the company believes the campaign is specifically designed to reach end users in enterprises that use Microsoft's email services. 

“Business email compromise (BEC) continues to be an ever-present threat to organizations and this campaign further highlights the need to protect against such attacks,” the advisory read.

According to ThreatLabz, all these phishing attacks begin with an email sent to the victim with a malicious link, and the campaign is active at the time of writing, with new phishing domains being registered almost every day by the threat actors.

“Based on our cloud data telemetry, the majority of the targeted organizations were in the fintech, lending, finance, insurance, accounting, energy and federal credit union industries,” ThreatLabz said.

Additionally, the firm said most of the targeted organizations were located in the United States, the United Kingdom, New Zealand and Australia.

To protect against these attacks, ThreatLabz said multi-factor authentication (MFA) should be used, but not be considered a silver bullet.

“With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.”

As an extra precaution, ThreatLabz explained users should not open attachments or click on links in emails sent from untrusted or unknown sources. 

“As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials."

What’s hot on Infosecurity Magazine?