In a campaign that exploited the trust between organisations, attackers chained business email compromise (BEC) across four or more organisations, jumping from each breached organisation to its partners. The attack, which Microsoft researchers call multi-stage adversary-in-the-middle (AitM) phishing, started with the compromise of a trusted vendor and targeted organisations in the banking and financial services sectors.
"This attack shows the complexity of AitM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organisations with the intent of financial fraud," the Microsoft researchers said.
Phishing with indirect proxies
AitM phishing is now a common technique for bypassing multifactor authentication that relies on one-time codes the user types in during login, regardless of whether the code arrives by email or SMS or is generated by an authenticator app; push-approval prompts fall the same way, because the real service sends the prompt while the attacker drives the session. The most common way to perform AitM is a reverse proxy: the victim connects to an attacker-controlled domain and website that transparently relays the real login page and every subsequent request to and from the targeted service.
In such an implementation, for which open-source toolkits are readily available, the attackers sit inline on the traffic between the victim and the service being authenticated to. The goal is to capture the session cookie the service sets once authentication completes and then replay it to access the victim's account directly. This has a downside for the attackers, though: if policies are in place that evaluate other properties of the session, such as the client's IP address, location or device state, the replay of the cookie from the attacker's infrastructure can differ enough from the victim's original sign-in to trigger an alert and flag the session as suspicious.
In the new attack observed by Microsoft, the attackers, which the company tracks under the temporary Storm-1167 moniker, used a custom phishing toolkit of their own that employs an indirect proxy method. The phishing page set up by the attackers does not relay any content from the real login page; it is a stand-alone imitation fully under the attackers' control.
When the victim submits credentials to the phishing page, the attackers start their own login session with the real website using those credentials and then ask the victim for the MFA code through a fake prompt. If the victim enters the code, the attackers use it in their own session and are issued the session cookie directly, while the victim is redirected to a decoy page. In that sense the technique is closer to traditional credential phishing with a real-time relay than to a transparent proxy.
"In this AitM attack with the indirect proxy method, since the phishing website is set up by the attackers, they have more control to modify the displayed content according to the scenario," the Microsoft researchers said. "In addition, since the phishing infrastructure is controlled by the attackers, they have the flexibility to create multiple servers to evade detections. Unlike typical AitM attacks, there are no HTTP packets proxied between the target and the actual website."
Establishing persistent email access and launching BEC attacks
Once signed in to the victim's account, the attackers were observed generating a new access token to extend their period of access and then registering an additional MFA method on the account, an SMS method using an Iranian phone number. They then created an inbox rule that moved all incoming email to the Archive folder and marked it as read, so the victim would not notice replies to messages sent in their name.
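Both persistence steps leave records in the Microsoft 365 unified audit log, which makes them a natural hunting target. The script below is an added example, not Microsoft's code or a detection the researchers published: it scans constructed audit records shaped like Search-UnifiedAuditLog output, flags inbox rules that hide incoming mail (move to Archive or similar folders, mark as read, delete, no sender or subject condition) and flags newly registered MFA phones with an unexpected country code, then correlates the two per user. The Exchange inbox-rule fields follow the real cmdlet logging; the PhoneNumber field on the MFA registration event, the expected country codes and the sample users are assumptions for this example.

```python
"""Hunt for the mailbox-persistence steps described above in Microsoft 365
unified audit log records. Added example, not Microsoft's code. Sample records
are constructed; the PhoneNumber field and expected prefixes are assumptions."""
import json

# Folders attackers commonly pick to keep mail out of the owner's sight.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "deleted items", "junk email"}
# Country codes the organisation expects on MFA phones (assumption: a UK/US tenant).
EXPECTED_PHONE_PREFIXES = ("+1", "+44")
# Any of these parameters scopes a rule; a hiding rule without one catches everything.
RULE_CONDITIONS = ("from", "subjectcontainswords", "bodycontainswords",
                   "subjectorbodycontainswords", "sentto", "fromaddresscontainswords")

# Constructed sample records in the shape of Search-UnifiedAuditLog output.
SAMPLE_RECORDS = [json.loads(s) for s in [
    # Benign: a user files a newsletter into its own folder.
    '{"UserId":"bob@corp.example","Workload":"Exchange","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"Name","Value":"News"},{"Name":"From","Value":"digest@news.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    # Suspicious: every incoming message is archived and marked read.
    '{"UserId":"alice@corp.example","Workload":"Exchange","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"Archive"},'
    '{"Name":"MarkAsRead","Value":"True"}]}',
    # Suspicious: a new SMS factor registered with an unexpected country code.
    '{"UserId":"alice@corp.example","Workload":"AzureActiveDirectory",'
    '"Operation":"User registered security info","MethodType":"Mobile Phone",'
    '"PhoneNumber":"+98 912 000 0000"}',
]]


def _rule_params(record):
    """Flatten the Exchange audit Parameters list into {lower-case name: value}."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def inbox_rule_findings(record):
    """Reasons an inbox-rule change looks like mailbox hiding; empty list if benign."""
    if record.get("Workload") != "Exchange" or \
            record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _rule_params(record)
    findings = []
    if p.get("movetofolder", "").lower() in HIDING_FOLDERS:
        findings.append("moves mail to " + p["movetofolder"])
    if p.get("markasread", "").lower() == "true":
        findings.append("marks mail as read")
    if p.get("deletemessage", "").lower() == "true":
        findings.append("deletes mail")
    # No From/Subject/Body condition means the rule applies to every incoming message.
    if findings and not any(k in p for k in RULE_CONDITIONS):
        findings.append("applies to all incoming mail")
    return findings


def mfa_registration_findings(record):
    """Flag a newly registered MFA phone whose country code is not expected."""
    if record.get("Workload") != "AzureActiveDirectory" or \
            record.get("Operation") != "User registered security info":
        return []
    phone = record.get("PhoneNumber", "").replace(" ", "")
    if phone and not phone.startswith(EXPECTED_PHONE_PREFIXES):
        return ["new MFA phone with unexpected country code " + phone[:3]]
    return []


def hunt(records):
    """Collect findings per user; a user with both a hiding rule and a new
    factor matches the campaign's pattern and gets a 'persistence' marker."""
    per_user = {}
    for r in records:
        findings = inbox_rule_findings(r) + mfa_registration_findings(r)
        if findings:
            per_user.setdefault(r["UserId"], []).extend(findings)
    for findings in per_user.values():
        if any(f.startswith("moves mail") for f in findings) and \
                any(f.startswith("new MFA") for f in findings):
            findings.append("persistence: hiding rule plus new MFA factor")
    return per_user


if __name__ == "__main__":
    for user, findings in hunt(SAMPLE_RECORDS).items():
        print(user, "->", "; ".join(findings))
```

In a real tenant the same logic runs over the output of Search-UnifiedAuditLog or the equivalent Sentinel/Defender tables; the point is that the rule parameters themselves, not the rule name, carry the signal, and that a hiding rule created shortly after a new factor is registered is far more suspicious than either event alone.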
The attack started with a phishing campaign against an employee of a company that acted as a trusted vendor to multiple organisations. The attackers used a URL pointing to Canva.com, a free online graphic design platform for creating presentations, posters and other graphics, where they had built a page mimicking a OneDrive document preview; hosting the lure on a legitimate, widely used service helps the link pass URL reputation checks. Clicking the preview image took users to a fake Microsoft sign-in page.
After compromising an email account at the vendor, the attackers harvested addresses from existing email threads and sent around 16,000 messages carrying similar malicious Canva URLs. "The attacker then monitored the victim user's mailbox for undelivered and out-of-office emails and deleted them from the Archive folder," the Microsoft researchers said. "The attacker read the emails from the recipients who raised questions regarding the authenticity of the phishing email and responded, possibly to falsely confirm that the email is legitimate. The emails and responses were then deleted from the mailbox."
The recipients of the vendor's phishing emails were likewise directed to an AitM phishing page, and the chain continued: a victim at a second organisation had their mailbox compromised and used to send further phishing emails to that organisation's partners, and the accounts of subsequent victims were abused in the same way.
As with software supply chain attacks, this combination of multi-stage AitM phishing and BEC can grow exponentially and reach far down the trust chain. According to a report published on June 9 by the FBI's Internet Crime Complaint Center (IC3), losses from BEC scams increased by 17 per cent between December 2021 and December 2022. BEC attacks typically aim to trick recipients into initiating fraudulent wire transfers, sharing personal and financial information, or transferring cryptocurrency. The IC3 has recorded 277,918 BEC incidents internationally over the past 10 years, with losses exceeding $50 billion.
"This AitM attack’s use of an indirect proxy is an example of the threat’s increasingly complex and evolving TTPs to evade and even challenge conventional solutions and best practices," the Microsoft researchers said. "Proactively hunting for and quickly responding to threats thus becomes an even more important aspect in securing organisation networks because it provides an added layer to other security remediations and can help address areas of defence evasion."
Mitigations include using MFA methods that AitM techniques cannot intercept, such as FIDO2 security keys and certificate-based authentication: these are bound to the origin the browser is actually talking to, so a credential presented to a phishing domain is useless at the real service, whereas a typed one-time code carries no such binding. Organisations can also enforce conditional access policies that evaluate sign-in requests against additional user and device signals, such as IP location or device compliance status, so that a replayed session cookie or an attacker-initiated login from unfamiliar infrastructure is blocked or challenged. Microsoft also recommends enabling continuous access evaluation, which lets the service revoke access in near real time when a risk signal appears rather than waiting for tokens to expire. Defenders should additionally alert on the post-compromise steps seen in this campaign: new MFA methods added to an account and inbox rules that move or delete incoming mail.
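The difference between an origin-bound factor and a one-time code is easiest to see in code. The script below is an added example, not Microsoft's code or a real WebAuthn library: a miniature WebAuthn-style assertion in which the browser, not the user, writes the origin it loaded into clientDataJSON, and the authenticator signs over a hash of that data. HMAC with a per-credential secret stands in for the authenticator's asymmetric signature, the rpId scoping check that real browsers also perform is omitted, and the origins, challenge and helper names are constructed for this example. It runs the legitimate sign-in, a reverse-proxy relay, a relay that tampers with the origin, and an OTP relayed through an indirect-proxy page.

```python
"""Why an origin-bound factor survives AitM and an OTP does not.
Added example, not Microsoft's code. HMAC stands in for the authenticator's
asymmetric signature; origins, challenges and names are constructed."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.idp.example"
PHISH_ORIGIN = "https://login-idp.example.net"   # attacker's look-alike site (constructed)


class Authenticator:
    """Security key: signs authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)        # stand-in for the private key

    def get_assertion(self, client_data_json):
        auth_data = b"\x01" + b"\x00" * 3            # flags/counter only; rpIdHash omitted
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
                "signature": hmac.new(self.secret, msg, "sha256").digest()}


def browser_sign_in(authenticator, origin_loaded, challenge):
    """The browser records the origin it is actually showing; a fake page cannot alter it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_loaded}, sort_keys=True).encode()
    return authenticator.get_assertion(client_data)


def rp_verify(credential_secret, assertion, expected_challenge):
    """Relying party: origin and challenge must match, then the signature must hold."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("origin") != REAL_ORIGIN:
        return "rejected: origin " + cd.get("origin", "?")
    if cd.get("challenge") != expected_challenge:
        return "rejected: challenge mismatch"
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_secret, msg, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "rejected: signature does not cover the presented clientDataJSON"
    return "accepted"


def otp_code(shared_secret, counter):
    """HOTP-style 6-digit code: it says nothing about where it was typed."""
    digest = hmac.new(shared_secret, counter.to_bytes(8, "big"), "sha1").digest()
    return "%06d" % (int.from_bytes(digest[-4:], "big") % 1_000_000)


def scenarios():
    """Run the four cases and return their outcomes keyed by name."""
    key = Authenticator()
    challenge = secrets.token_hex(16)            # issued by the real IdP for this login
    out = {}
    # 1. User signs in directly at the real IdP.
    out["fido2_direct"] = rp_verify(key.secret, browser_sign_in(key, REAL_ORIGIN, challenge), challenge)
    # 2. Reverse-proxy AitM: the real challenge reaches the victim, but the victim's browser
    #    is at the phishing origin and says so; the proxy forwards the assertion unchanged.
    relayed = browser_sign_in(key, PHISH_ORIGIN, challenge)
    out["fido2_proxied"] = rp_verify(key.secret, relayed, challenge)
    # 3. The proxy rewrites the origin before forwarding; the hash under the signature changes.
    cd = json.loads(relayed["clientDataJSON"])
    cd["origin"] = REAL_ORIGIN
    tampered = dict(relayed, clientDataJSON=json.dumps(cd, sort_keys=True).encode())
    out["fido2_tampered"] = rp_verify(key.secret, tampered, challenge)
    # 4. Indirect-proxy AitM with an OTP: the code typed into the fake page works anywhere.
    otp_secret, counter = secrets.token_bytes(20), 7
    typed_into_fake_page = otp_code(otp_secret, counter)
    out["otp_relayed"] = "accepted" if typed_into_fake_page == otp_code(otp_secret, counter) else "rejected"
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s} {result}")
```

Cases 2 and 3 are the whole argument for phishing-resistant MFA: the attacker can neither leave the origin alone (the relying party sees the phishing domain) nor rewrite it (the signature no longer verifies), and a real browser would refuse to use the credential on the look-alike domain in the first place. Case 4 is the indirect-proxy flow from this campaign, where nothing in the six digits ties them to the page they were typed into.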