Phishing – Adversary-in-the-Middle (AitM) – Credential Harvesting – Account Compromise – All Industries
The Rundown
Deepwatch Adversary Tactics and Intelligence team has been responding to multiple attacks in customer environments related to an Microsoft 365 (M365) adversary-in-the-middle (AitM) phishing campaign. Deepwatch has observed multiple accounts compromised by this campaign. The activity we have observed overlaps with activity reported by Field Effect in a July 5th blog post. This is an ongoing investigation and, if deemed necessary, additional details will be provided
This phishing campaign could pose a significant threat to organizations by compromising Microsoft 365 accounts, potentially exposing sensitive data and operational processes to malicious actors. Understanding and mitigating these attacks are crucial to enhance cyber resilience.
If you have questions or feedback about this intelligence, you can submit them here.
The Attack Chain
In Field Effect’s blog post, they report on their observations of an attacker who sent phishing emails to targets from a compromised account. These emails included a link to a malicious domain that masquerades as a Microsoft document share notice, luring the recipient to click the words “VIEW ONLINE || DOWNLOAD.”
When the recipient clicks these words, they are redirected to a Cloudflare hosted URL and displays a popup, requesting the visitor to verify they are human. Once the visitor verifies, they are shown a fake Microsoft login page.
During Deepwatch’s investigation, we noticed that login attempts were performed with an Axios user agent string (axios/1.x.x). Axios is a publicly available promise-based HTTP client that supports the ability to make, intercept, transform, and cancel HTTP request and response data. It also allows the user to change the user agent string.
According to Field Effect, the credential harvesting login pages employed Axios’s infrastructure to capture and use the credentials to login to the victim’s M365 account. Field Effect deduces that the attacker is using the Axios application to proxy login requests from the legitimate account owner.
At this time, it is unknown what the attackers intentions are as limited post-account compromise activity has been observed. We have identified that the attacker browsed SharePoint and OneDrive, accessing files with financial related names. It’s plausible that the attacker intends to sell or post the credentials to darkweb forums or Telegram channels. It’s also possible that the attacker intends to access victims’ email accounts and data for intelligence collection purposes.
Actions & Recommendations
Deepwatch experts continuously monitor for threats to our customers and their cloud environments when logging is available. The Adversary Tactics and Intelligence team regularly develops and updates detection signatures and adds malicious observables to our indicator feeds based on our intelligence operations. We also use this intelligence report to conduct threat hunting. However, Deepwatch experts can not discover all activity due to limitations in the log sources that Deepwatch receives.
We also recommend the following actions and recommendations to enhance cyber resilience:
- Employ Multi-factor Authentication on all accounts.
- Provide phishing awareness training to all employees.
- Ensure existing detection rules and security solutions can monitor and consider blocking known atomic and computed indicators associated with this attack.
Organizations that have been impacted by this campaign should perform the following actions:
- Log impacted accounts out of all instances and rotate their credentials.
Technical Artifacts
We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:
- Anomalous authentication events containing the following user agents (especially from IOC’s shown in the article’s observables section or related ISPs: Hostinger International Limited // Global Internet Solutions LLC)
- axios/1.7.2
- axios/1.7.1
- axios/1.6.8
- axios/1.6.7
- agentaxios/1.7.2
- Emails containing links with the URI “flipbook-start-with-pdf/”
- Especially with subject lines referencing common phishing schemes such as “document shared with you”, “payment due”, “invoice #”, etc
- Rare/anomalous email inbox or forwarding rules
- Alerts relating to impossible travel activity, especially when paired with the axios user agents in signin logs
- Successful or failed (due to conditional access policy) logon attempts from low-reputation or geographically-anomalous locations
- It is important to note that even if the login was ultimately blocked due to conditional access policy, the threat actor likely still intercepted the credentials which poses a risk despite the failed login result
- IOC’s such as live.dot[.]vu can be hunted in both email sourcetypes and network/web proxy
- It is important to check all available data sources as users with the emails delivered may not have opened/clicked on them yet and can be identified/warned before they fall victim to the AiTM attack
Indicators of Compromise (IoCs)
IoCs identified by Deepwatch investigations:
- 212.18.104[.]19
- 212.18.104[.]60
- 212.18.104[.]150
- 212.18.104[.]158
- 212.18.104[.]159
- 212.18.104[.]183
- 212.18.104[.]184
- 212.18.104[.]186
- 212.18.104[.]187
IoCs provided by Field Effect are available here.
↑
Share