Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim’s network to further propagate spam emails and widen the infection pool.
The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
The attacks took place in two stages. “The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand,” Microsoft 365 Defender Threat Intelligence Team said in a technical report published this week.
“Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.”
The campaign started with users receiving a DocuSign-branded phishing lure containing a link, which, upon clicking, redirected the recipient to a rogue website masquerading as the login page for Office 365 to steal the credentials.
The credential theft not only resulted in the compromise of over 100 mailboxes across different companies, but also enabled the attackers to create an inbox rule that hid traces of their activity and thwarted detection. This was then followed by a second attack wave that abused the lack of MFA protections to enroll an unmanaged Windows device in the company's Azure Active Directory (AD) instance and use it to spread the malicious messages.
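The two observable steps described above, a mail-hiding inbox rule followed by a device registration on a sign-in that never satisfied MFA, lend themselves to a simple correlation check. The following Python is an added example written for this article, not code from Microsoft's report; it runs over constructed sample records in a simplified, assumed schema (the field names, the `mfa_satisfied` flag and the 48-hour window are assumptions, not a real Microsoft 365 export format), and flags any account where both indicators appear in sequence.

```python
from datetime import datetime, timedelta

# Maximum gap between the inbox-rule creation and the device registration
# for the two events to count as one chain (assumed value for this example).
WINDOW = timedelta(hours=48)

# Constructed sample records in a simplified, assumed schema (not a real
# Microsoft 365 audit export). "operation" mirrors the Exchange / Azure AD
# operation names; "mfa_satisfied" models whether the sign-in behind the
# action completed multi-factor authentication.
SAMPLE_EVENTS = [
    # Compromised account: rule moves DocuSign-themed mail out of the Inbox,
    # then a device is registered about an hour later without MFA.
    {"time": "2022-01-24T08:02:00", "user": "alice@example.com",
     "operation": "New-InboxRule",
     "params": {"MoveToFolder": "RSS Subscriptions",
                "SubjectContainsWords": "DocuSign"}},
    {"time": "2022-01-24T09:15:00", "user": "alice@example.com",
     "operation": "Add registered device", "mfa_satisfied": True if False else False,
     "device": "DESKTOP-CONSTRUCTED"},
    # Legitimate user: rule only changes importance, device joined with MFA.
    {"time": "2022-01-24T10:00:00", "user": "bob@example.com",
     "operation": "New-InboxRule", "params": {"MarkImportance": "High"}},
    {"time": "2022-01-24T10:30:00", "user": "bob@example.com",
     "operation": "Add registered device", "mfa_satisfied": True,
     "device": "LAPTOP-CONSTRUCTED"},
    # Registration without MFA but no hiding rule: worth a look, not a chain.
    {"time": "2022-01-25T12:00:00", "user": "carol@example.com",
     "operation": "Add registered device", "mfa_satisfied": False,
     "device": "WKS-CONSTRUCTED"},
    # Hiding rule followed by a registration, but outside the window.
    {"time": "2022-01-20T07:00:00", "user": "dave@example.com",
     "operation": "New-InboxRule", "params": {"DeleteMessage": True}},
    {"time": "2022-01-24T07:00:00", "user": "dave@example.com",
     "operation": "Add registered device", "mfa_satisfied": False,
     "device": "PC-CONSTRUCTED"},
]


def hides_mail(ev):
    """True for an inbox rule that deletes mail or moves it out of the Inbox."""
    if ev["operation"] != "New-InboxRule":
        return False
    params = ev.get("params", {})
    return bool(params.get("DeleteMessage")) or "MoveToFolder" in params


def registers_device_without_mfa(ev):
    """True for a device registration whose sign-in did not satisfy MFA."""
    return (ev["operation"] == "Add registered device"
            and not ev.get("mfa_satisfied", False))


def correlate(events, window=WINDOW):
    """Return one finding per account where a mail-hiding rule is followed,
    within `window`, by a device registration that bypassed MFA."""
    events = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort lexically
    last_rule = {}   # user -> time of the most recent mail-hiding rule
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if hides_mail(ev):
            last_rule[ev["user"]] = ts
        elif registers_device_without_mfa(ev):
            rule_ts = last_rule.get(ev["user"])
            if rule_ts is not None and ts - rule_ts <= window:
                findings.append({
                    "user": ev["user"],
                    "rule_time": rule_ts.isoformat(),
                    "device_time": ts.isoformat(),
                    "device": ev.get("device"),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[chain] {f['user']}: rule at {f['rule_time']}, "
              f"device {f['device']} registered at {f['device_time']} without MFA")
```

Only the first account produces a finding: Bob's registration satisfied MFA, Carol never created a hiding rule, and Dave's two events are four days apart. The standalone `registers_device_without_mfa` hits (Carol, Dave) are still useful as a lower-confidence review queue, and the underlying fix the article points at is the same in every case: require MFA for device registration so that stolen credentials alone cannot enroll a device.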