Hackers use rogue websites to attack organizations with lateral phishing

Parv Kohli

January 28, 2022

Microsoft has disclosed details of phishing campaigns used to target organizations by using stolen credentials to register on devices on the victim's network and spread spam emails to increase the infection pool. Microsoft also said that the attack occurs through the accounts that were not secured using multi-factor authentication ( MFA), making it easier to take advantage of the target's bring your policy policies. The dual staged campaign starts with initially stealing the credentials of the target organizations, which predominantly belong in Australia, Singapore, Indonesia, and Thailand. These stolen credentials are used in the second phase when the attackers use the compromised accounts to expand their foothold within the organization via lateral phishing and beyond the network via outbound spam. The campaign starts with users receiving a link that redirects them to a rogue website posing as the login page for Office 365 to steal the credentials. The credential theft resulted in the compromise of over 100 mailboxes across different companies. It was followed by a second attack wave that abused the lack of MFA protections to enroll an unmanaged Windows device to the company's Azure Active Directory (AD) instance and spread the malicious messages. "To launch the second wave, the attackers leveraged the targeted user's compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization," Microsoft said. "The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the 'Payment.pdf' file being shared was legitimate." In addition to turning on MFA, implementing best practices such as good credential hygiene and network segmentation can "increase the 'cost' to attackers trying to propagate through the network."Such safe practices limit the attacker's options and prevent them from moving laterally or compromising assets.

Abridged fromThe Hacker News