Microsoft has uncovered a sophisticated multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack targeting banks and financial organisations, as reported by TechRepublic.
The cyberattack, dubbed Storm-1167, emanated from a compromised trusted vendor. The threat actors used an indirect proxy to execute a string of AiTM and follow-on BEC attacks across multiple organisations.
A unique modus operandi was used by the attackers to carry out this sophisticated AiTM campaign. The victims were presented with a phishing website imitating the login page of the targeted application. The authentication page, as described by the tech behemoth, “contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim’s credentials.”
The use of an indirect proxy, rather than the conventional direct reverse-proxy method, gave the threat actors the flexibility to customise the phishing pages and to carry out cookie hijacking.
“This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organisations with the intent of financial fraud,” Microsoft explained in the report.
The AiTM attack began with a phishing email containing a unique seven-digit code, sent to the target while impersonating one of its delegated vendors. Victims were tricked into handing their login credentials and time-based one-time passwords (TOTPs) to the attackers through a fake Microsoft sign-in page. The attackers then used the stolen data to impersonate the authorised user and access their mailbox by executing a session-cookie replay attack. This unauthorised access was in turn used to harvest sensitive emails and mount a second-stage BEC attack.
To avoid detection while using the stolen credentials, the cybercriminals added a new OTP-based multi-factor authentication (MFA) method to the compromised account.
With complete control of the victim’s mailbox, the attacker rolled out a massive phishing campaign of more than 16,000 emails, targeting the victim’s contacts both inside and outside the organisation as well as distribution lists. Recipients who clicked the malicious URL in the phishing email were then subjected to another AiTM attack.
Accordingly, Microsoft has urged banks and financial organisations to deploy essential defensive measures, such as MFA complemented with conditional access policies, to protect against such attacks. With the cyber threat landscape growing in complexity and sophistication, continuous monitoring for anomalous or suspicious activity across the organisation, together with periodic cybersecurity awareness training for staff, has become essential.
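The two behaviours the article attributes to the campaign, a session cookie presented from a second network location shortly after it was issued and an MFA method enrolled soon afterwards from that same location, are both visible in sign-in and audit telemetry. The detection logic below is an added illustration written for this page, not code from Microsoft’s report or TechRepublic’s coverage. It assumes a simplified, hypothetical event format (`Event` with a kind of `signin` or `mfa_method_added`), and the sample events are constructed; real sign-in logs would need to be mapped onto these fields first.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    """Hypothetical normalised log event (assumed format, not a vendor schema)."""
    ts: datetime
    user: str
    kind: str                          # "signin" or "mfa_method_added"
    ip: str
    session_id: Optional[str] = None   # populated on sign-in events only


# Constructed sample events for this example, not telemetry from the report.
# alice: a session cookie issued from 203.0.113.10 reappears from 198.51.100.77
# minutes later, then an MFA method is added from that second address.
# bob: ordinary activity that should not trigger either rule.
SAMPLE_EVENTS = [
    Event(datetime(2023, 6, 1, 9, 0), "alice@example.test", "signin", "203.0.113.10", "sess-A"),
    Event(datetime(2023, 6, 1, 9, 7), "alice@example.test", "signin", "198.51.100.77", "sess-A"),
    Event(datetime(2023, 6, 1, 9, 12), "alice@example.test", "mfa_method_added", "198.51.100.77"),
    Event(datetime(2023, 6, 1, 10, 0), "bob@example.test", "signin", "203.0.113.20", "sess-B"),
    Event(datetime(2023, 6, 1, 10, 30), "bob@example.test", "mfa_method_added", "203.0.113.20"),
]


def detect_session_replay(events, window=timedelta(hours=24)):
    """Alert whenever a session cookie is presented from a source IP different from
    any earlier presentation of the same (user, session) within `window`.
    A session normally stays bound to the device and network that established it,
    so the same cookie surfacing from a new address is the replay signal."""
    seen = defaultdict(list)          # (user, session_id) -> [(ts, ip), ...]
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "signin" or e.session_id is None:
            continue
        key = (e.user, e.session_id)
        if any(ip != e.ip and e.ts - ts <= window for ts, ip in seen[key]):
            alerts.append({"rule": "session_replay", "user": e.user,
                           "session_id": e.session_id, "ip": e.ip, "ts": e.ts})
        seen[key].append((e.ts, e.ip))
    return alerts


def detect_mfa_added_after_replay(events, replay_alerts, window=timedelta(hours=2)):
    """Alert on an MFA method registered from the same IP as a replayed session
    within `window` after the replay: the persistence step described in the
    article, where the attacker enrols their own OTP method so that later
    sign-ins look MFA-compliant."""
    alerts = []
    for e in events:
        if e.kind != "mfa_method_added":
            continue
        for r in replay_alerts:
            if (r["user"] == e.user and r["ip"] == e.ip
                    and timedelta(0) <= e.ts - r["ts"] <= window):
                alerts.append({"rule": "mfa_added_after_replay", "user": e.user,
                               "ip": e.ip, "ts": e.ts, "session_id": r["session_id"]})
                break
    return alerts


def analyse(events):
    """Run both rules; MFA-enrolment alerts are correlated with the replay alerts."""
    replay = detect_session_replay(events)
    return replay + detect_mfa_added_after_replay(events, replay)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert["rule"], alert["user"], alert["ip"], alert["ts"].isoformat())
```

Running the script against the constructed events produces two correlated alerts for alice (the replayed session and the MFA method added from the replaying address) and none for bob. The second rule deliberately depends on the first: an MFA enrolment on its own is routine, but one that follows a cookie replay from the same address is exactly the sequence worth escalating, and conditional access policies that bind sessions to compliant devices or trusted locations remove the replay opportunity in the first place.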
Without detailing the BEC attack further, Microsoft used the disclosure to warn organisations about the recent surge in BEC activity and to highlight the sophisticated techniques threat actors are employing. According to the company, tactics such as using platforms like BulletProofLink and residential IP addresses allow attackers to orchestrate sophisticated phishing campaigns with serious repercussions for the organisations affected. High-end cybersecurity awareness training programmes, such as those offered by CultureAI, can help employees improve their security behaviour and strengthen the organisation’s security posture.
Sohela is an electrical engineer and a self-professed writer with a keen interest in all things tech. When she’s not writing killer content pieces, you’ll find her enjoying tempting foods in her favourite restaurants.