Adversary-in-the-Middle Phishing Hits Energy Firms

Microsoft warns of multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks targeting energy sector organizations. The attackers chain these techniques to steal credentials and take over accounts.

How the Attack Starts

Attackers begin with a phishing email. They send it from a trusted, previously compromised email address. The message pretends to be a SharePoint document-sharing notification. This makes it look legitimate.

Because recipients see a familiar document-sharing workflow, they click the link without suspicion. This is a living-off-trusted-sites tactic: it abuses widely used services such as SharePoint and OneDrive.

The Phishing Trick Unfolds

The link redirects to a fake login page. Users enter their credentials to “view” the document. The attackers' AitM page relays the login and captures both the credentials and the resulting session cookie, so they gain access to the account immediately.

Next, the attackers create inbox rules that delete incoming emails and mark them as read. This hides their activity from the victim. The compromised inbox is then used to send further phishing messages.

Expanding the Attack

In one example, attackers sent over 600 phishing emails. They targeted the victim’s contacts inside and outside the organization. Additionally, they deleted undelivered or out-of-office replies. If someone questioned the email, attackers responded to build trust.

Then, they deleted the conversation from the mailbox. These steps help the attackers maintain persistence and keep victims unaware for longer. Microsoft notes that these techniques appear in many BEC attacks.

Why These Attacks Succeed

Attackers exploit trusted platforms, which helps them bypass email security tools: the messages come from real addresses and the links point to familiar services, so suspicion stays low.

Moreover, the campaign shows operational complexity. A password reset alone does not evict the attackers, because the stolen session cookies keep their sessions valid until those sessions are revoked, and the inbox rules they added keep hiding their activity.

Broader Trends in Phishing

Threat actors increasingly abuse trusted services such as Google Drive and AWS. This spares them from building custom infrastructure and makes their traffic blend in with normal activity.

Separately, advanced phishing kits target voice calls. Attackers pose as support staff and trick users into visiting malicious sites. Because the attacker controls the session in real time, some of these kits bypass MFA.

Additionally, campaigns use deceptive URLs. Some place a trusted domain name before the @ symbol in the URL, even though the real destination is the host that follows it. Others swap letters, such as “rn” for “m”. These homoglyph tricks fool users easily.

Prevention Strategies

Organizations can reduce this risk with a few strong measures. First, implement phishing-resistant multi-factor authentication; it is the most effective defense against credential theft. Second, enable conditional access policies and continuous access evaluation.

Also monitor email and web traffic for threats. Revoke suspicious session cookies quickly, and remove attacker-created inbox rules promptly. Work with your identity provider to tighten controls.
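The inbox rules described earlier (delete and mark as read, and swallowing bounce or out-of-office replies) and the cleanup step above are easiest to find with a small triage script. The following is an added example, not code from Microsoft or from the original post; it assumes rules exported with the property names of Exchange Online's Get-InboxRule cmdlet (Name, Enabled, DeleteMessage, MarkAsRead, MoveToFolder, SubjectContainsWords, BodyContainsWords) and uses constructed sample rules. It generalizes slightly beyond the page by also flagging rules that move mail into rarely checked folders.

```python
import json

# Constructed sample. Property names follow Exchange Online's Get-InboxRule
# output (assumption); the rule contents themselves are invented.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletters", "Enabled": true, "DeleteMessage": false, "MarkAsRead": true,
   "MoveToFolder": "Newsletters", "SubjectContainsWords": ["digest"]},
  {"Name": ".", "Enabled": true, "DeleteMessage": true, "MarkAsRead": true,
   "MoveToFolder": null, "SubjectContainsWords": null},
  {"Name": "Finance", "Enabled": true, "DeleteMessage": false, "MarkAsRead": false,
   "MoveToFolder": "RSS Subscriptions",
   "BodyContainsWords": ["undeliverable", "out of office", "automatic reply"]}
]
"""

# Folders users rarely open; attackers park hidden mail here instead of deleting it.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                      "deleted items", "conversation history"}
# Words that single out bounce and auto-reply messages, which the page's
# attackers removed so the victim never saw evidence of the outbound campaign.
REPLY_WORDS = ("undeliver", "out of office", "automatic reply")

def triage_rule(rule):
    """Return the reasons this rule matches a known hiding technique (empty = benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words += rule.get(key) or []
    if rule.get("DeleteMessage") and rule.get("MarkAsRead"):
        reasons.append("deletes incoming mail and marks it read")
    elif rule.get("DeleteMessage") and not words:  # unconditional delete
        reasons.append("deletes all incoming mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely checked folder '{rule['MoveToFolder']}'")
    if any(any(w in word.lower() for w in REPLY_WORDS) for word in words):
        reasons.append("targets bounce/out-of-office replies")
    if not rule.get("Name", "").strip(" .,-_"):  # throwaway names like "." or "-"
        reasons.append(f"has a throwaway name {rule.get('Name')!r}")
    return reasons

def triage(rules_json):
    """Map rule name -> reasons, for every rule that deserves an analyst's attention."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = triage_rule(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES_JSON).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Feed it the JSON export of a mailbox's rules and review every flagged rule before removing it, since the legitimate "Newsletters" rule in the sample shows that mark-as-read alone is not evidence of compromise.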

Specialized services help too. For example, 24/7 monitoring centers detect unusual activity early. Regular testing identifies weaknesses before attacks succeed. These steps reduce risks from phishing and BEC campaigns significantly.

Sleep well, we've got you covered.
