Attackers are trying out a new technique to widen the reach of their phishing campaigns: by using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations’ network by registering it with their Azure AD.
If successful, they are ready to launch the second wave of the campaign, which consists of sending more phishing emails to targets outside the organization as well as within (to expand their foothold).
The Microsoft 365 Defender Threat Intelligence Team has recently spotted a large-scale campaign targeting organizations in Australia and South East Asia.
The campaign started with DocuSign-branded phishing email asking users to review and sign a document. By clicking on the “Review Document” button, the target was taken to a fake login page for Office 365, already pre-filled with their username:
“The victim’s stolen credentials were immediately used to establish a connection with Exchange Online PowerShell, most likely using an automated script as part of a phishing kit. Leveraging the Remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message,” the team explained.
The filter automatically deletes messages containing the words “junk,” “spam,” “phishing,” “hacked,” “password” and “with you,” so the legitimate account user won’t see non-delivery reports and IT notification emails that might have been sent to them.
Next, the attackers installed Outlook onto their own Windows 10 machine and connected it to the victim organization’s Azure Active Directory, “possibly by simply accepting Outlook’s first launch experience prompt to register the device by using the stolen credentials.”
Finally, with that machine becoming part of the domain and the mail client configured like any other regular user within the organizations, the phishing emails sent from the compromised account – fake Sharepoint invitations pointing again to a fake Office 365 login page – became instantly more persuasive .
“Victims that entered their credentials on the second stage phishing site were similarly connected with Exchange Online PowerShell, and almost immediately had a rule created to delete emails in their respective inboxes. The rule had identical characteristics to the one created during the campaign’s first stage of attack,” the team concluded.
Prevention and clean-up
This technique did not work in the majority of the cases, for one simple reason: users had multi-factor authentication (MFA) enabled on their account, so the attackers couldn’t leverage the stolen credentials in the first place.
Organizations should enable MFA for all users and require it when joining devices to Azure AD, as well as consider disabling Exchange Online Powershell for end users, the team advised.
They also shared threat hunting queries to help organizations check whether their users have been compromised via this campaign and warned that resetting the compromised threat is not enough for a thorough clean-up: defenders must also revoke active sessions and tokens associated with compromised accounts, delete mailbox rules created by the attackers, and disable and remove rogue devices joined to the Azure AD.
“The continuous improvement of visibility and protections on managed devices has forced attackers to explore alternative avenues. While in this case device registration was used for further phishing attacks, leveraging device registration is on the rise as other use cases have been observed. Moreover, the immediate availability of pen testing tools, designed to facilitate this technique, will only expand its usage across other actors in the future,” they concluded.
Attackers have many tricks for compromise accounts
A few days ago, Microsoft’s threat intelligence analysts flagged another phishing campaign that targeted hundreds of organizations, this one an attempt to trick users into granting an app named “Upgrade” access to their Office 365 accounts.
“The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified customers,” the analysts shared.
Attackers have also been known to try and bypass Office 365 MFA via rogue apps, by stealing authorization codes / access tokens instead of their credentials.