Microsoft discloses ‘large-scale’ phishing campaign that uses new tactic



Microsoft said today that it has analyzed a major new phishing campaign that uses “innovative technology” and makes the “traditional phishing solution playbook” inadequate.

The company insisted that the campaign was successful primarily against targets that did not use multi-factor authentication (MFA).

Microsoft described it as a “large-scale, multi-stage campaign.” The new tactic involves device registration – “connecting the device operated by the attacker to the organization’s network to further promote the campaign,” the company said in a blog post.

In the first phase of the campaign, the attackers stole credentials from target organizations located “primarily” in Australia, Singapore, Thailand and Indonesia, Microsoft said.

In the second phase, the stolen credentials were used to extend the attackers’ reach into the victim organization through lateral phishing inside the network and spam sent outside it, according to Microsoft. As part of this second phase, malicious messages were sent to more than 8,500 users.

Lack of MFA

The company said the second phase was successful against organizations that do not use MFA, which requires additional verification methods to authenticate the user.

MFA “thwarted the campaign for the most part. For organizations that are not MFA capable, however, the attack continued,” Microsoft said.

“While the first wave compromised multiple users across different organizations, the attack for most targets could not proceed at this stage because they were MFA capable,” the company said. “Propagation of the attack is closely related to the lack of MFA protocol. Enabling MFA for Office 365 applications or when registering new devices could disrupt the second phase of the attack chain.”

Some older Office 365 accounts do not support MFA and are restricted to “basic authentication” – a standard username and password. Basic authentication will be disabled by Microsoft, but for accounts that still rely on it, the risk of an attack is much higher, the identity platform Okta said in a report released this week.

The Okta report found that Office 365 accounts using basic authentication are 10 times more likely to be targeted by attackers than accounts using modern authentication, and that basic-authentication accounts see an average of 53 malicious login attempts for every legitimate login attempt.

Throw out the playbook

In terms of the device registration tactic, “connecting an attacker-controlled device to a network can allow attackers to secretly propagate an attack and move laterally across the entire targeted network,” Microsoft said.

Device registration was used for additional phishing attacks, according to the company.

“The benefit of device registration is increasing as other use cases have been observed,” Microsoft said. “Furthermore, the immediate availability of pen testing tools designed to simplify this technique will only expand its use among other actors in the future.”

All of this means that “the traditional phishing solution playbook will not be enough here,” the company said.

“Just resetting the passwords of the compromised accounts may ensure that the user is no longer compromised, but that is not enough to remove the persistence practices the attacker has put in place,” Microsoft said.

Additional measures recommended by Microsoft include: revoking active sessions and any tokens associated with compromised accounts; deleting any mailbox rules created by the attacker; and disabling or removing any “rogue device” the attacker has attached to Azure Active Directory.
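One way to carry out these three steps for a single account, as an added example that is not from the article or from Microsoft’s post. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds the scopes named in the script; `$CompromisedUpn` and `$CompromiseStart` are hypothetical inputs supplied by the responder.

```powershell
# Added example (not from the article or Microsoft's post): post-compromise clean-up for one
# account, following the three remediation steps above. Assumes the Microsoft.Graph PowerShell
# SDK and a caller holding the scopes requested below. Both parameters are hypothetical inputs.
param(
    [Parameter(Mandatory)] [string]   $CompromisedUpn,  # constructed example: alice@contoso.example
    [Parameter(Mandatory)] [datetime] $CompromiseStart  # earliest time the credentials are believed stolen
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Mail.ReadWrite', 'Device.ReadWrite.All' | Out-Null

# Step 1: revoke refresh tokens and active sessions. A password reset alone leaves tokens
# issued before the reset usable until they expire.
Revoke-MgUserSignInSession -UserId $CompromisedUpn | Out-Null
Write-Host "[+] Revoked sign-in sessions for $CompromisedUpn"

# Step 2: remove inbox rules typical of post-phishing persistence: anything that forwards,
# redirects or deletes mail. Other rules are listed for manual review rather than touched.
$rules = Get-MgUserMailFolderMessageRule -UserId $CompromisedUpn -MailFolderId 'inbox' -All
foreach ($rule in $rules) {
    $act = $rule.Actions
    $exfilOrHide = $act.Delete -or $act.PermanentDelete -or
        (($act.ForwardTo.Count + $act.ForwardAsAttachmentTo.Count + $act.RedirectTo.Count) -gt 0)
    if ($exfilOrHide) {
        Remove-MgUserMailFolderMessageRule -UserId $CompromisedUpn -MailFolderId 'inbox' -MessageRuleId $rule.Id
        Write-Host "[+] Removed inbox rule '$($rule.DisplayName)' (forward/redirect/delete action)"
    } else {
        Write-Host "[?] Review inbox rule '$($rule.DisplayName)' manually"
    }
}

# Step 3: disable (rather than delete, so the object stays available to the investigation) any
# device this account registered in Azure AD after the suspected compromise time.
$deviceIds = (Get-MgUserRegisteredDevice -UserId $CompromisedUpn -All).Id
foreach ($id in $deviceIds) {
    $dev = Get-MgDevice -DeviceId $id   # directoryObject -> full device record with RegistrationDateTime
    if ($dev.RegistrationDateTime -and ($dev.RegistrationDateTime -ge $CompromiseStart)) {
        Update-MgDevice -DeviceId $dev.Id -AccountEnabled:$false
        Write-Host "[+] Disabled device '$($dev.DisplayName)' registered $($dev.RegistrationDateTime)"
    } else {
        Write-Host "[ ] Left device '$($dev.DisplayName)' enabled (registered before the window)"
    }
}
```

Devices registered before `$CompromiseStart` are left enabled but printed, since an attacker device registered from a session that predates the known window would otherwise be missed.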

“If these additional measures are not taken, the attacker may still have valuable network access even after successfully resetting the password of the compromised account. An in-depth understanding of this attack is necessary to properly mitigate and defend against this new type of threat,” Microsoft said.

Microsoft’s security focus

In addition to providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right, with 715,000 security customers.

“We deliver state-of-the-art end-to-end cross-cloud, cross-platform security solutions that integrate more than 50 different categories across security, compliance, identity, device management and privacy, with over 24 trillion threats reported every day,” Microsoft CEO Satya Nadella said during a quarterly call with analysts on Tuesday, according to a transcript posted by the company on its website.

Revenue from Microsoft’s security business has grown by 45% year-on-year, surpassing $15 billion over the last 12 months, Nadella said. Microsoft Sentinel, the company’s security information and event management (SIEM) platform, now has 15,000 subscribers, up 70% from a year ago.
