Microsoft accounts targeted with new MFA-bypassing phishing kit


A new large-scale phishing campaign targeting credentials for Microsoft email services uses a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the aim of the campaign is to breach corporate accounts to carry out BEC (Business Email Compromise) attacks, which divert payments to bank accounts under their control using forged documents.

The targets of the phishing campaign include fin-tech, lending, accounting, insurance and Federal Credit Union organizations in the US, UK, New Zealand and Australia.

The campaign was discovered by Zscaler’s ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors are registering new phishing domains almost daily.

Campaign details

Beginning in June 2022, Zscaler’s analysts noticed a spike in advanced phishing attempts against specific industries and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-cracked versions of legitimate United States Federal Credit Unions, as shown in the table below.

Typos-quatted domains used in the campaign
Typo-cracked domains used in the campaign (Zscaler)

Notably, many phishing emails come from the accounts of executives who work in these organizations, who are likely to have hacked the threat actors before.

Another set of phishing sites used domain names that target using password reset bait as part of their email campaigns:

  • expiration request email access[.]com
  • expirationrequest password reminder[.]com
  • email access password notification[.]com
  • emailaccess-expirynotification[.]com

The threat actors added the links to the emails as buttons embedded in the message body or in attached HTML files that trigger redirects to the phishing pages.

HTML attachment with the phishing URL
HTML attachment with the phishing URL (Zscaler)

The redirects take place through legitimate web sources to evade email and internet security tools, with the threat actors showing a preference for open redirects on Google Ads, Snapchat, and DoubleClick. Unfortunately, some platforms do not consider open redirects a vulnerability, making them available for threat actors to exploit.

Campaign redirection examples
Campaign redirection examples (Zscaler)

CodeSandbox and Glitch are also widely abused in this campaign to help the hackers create new redirection routes without much effort.

“A common method of hosting redirect code is to use web code editing/hosting services: the attacker could use these sites, intended for legitimate use by web developers, to quickly create new code pages, paste in redirect code with the latest URL of the phishing site , and proceed to mass-mail the link to the hosted redirect code to the victims.” – Zscaler

Once the victim reaches the phishing page, JavaScript is fingerprinted, which evaluates whether the target is on a virtual machine or a normal device. This allows the phishing page to be revealed only to valid targets, rather than security software and researchers who may be using virtual machines for analysis.

Site visitor's fingerprints
Phishing site visitor fingerprints (Zscaler)

Bypass MFA with custom phishing kit

With the enterprise rapidly adopting multi-factor authentication, stealing user credentials is not enough to access an account if MFA is enabled. To evade MFA, threat actors turn to tools such as Evilginx2, Muraena, and Modilshka.

Using these reverse proxies, the adversaries can sit in the middle between the victim and the email provider’s server, hence they are called “AiTM” (adversary in the middle).

The email server asks for the MFA code during the login process and the phishing kit passes that request on to the victim, who then enters the OTP into the phishing box. The data is forwarded to the email service, which allows the threat actor to log into the stolen account.

However, the phishing proxy that sits at the center of this exchange can steal the resulting authentication cookies, allowing the threat actors to use these stolen cookies to login and bypass MFA for the specific account.

What makes this campaign stand out is the use of a custom proxy-based phishing kit that has the particularity of using the HTML and XML parsing tool “Beautiful Soup”.

With this tool, the kit can easily modify legitimate login pages obtained from corporate logins and add their own phishing elements. The tool also has the added benefit of: beautifying the HTML in the process.

However, the kit isn’t perfect, as Zscaler found some URL leaks to the requests sent to the Microsoft server, which could allow for detection on the vendor side.

Include the phishing domain in the server request
Leaking the phishing domain in the server request (Zscaler)

Zscaler set up a test instance to allow the attacker to roam and monitor their activities after the compromise and found that the hackers logged into their account eight minutes after the compromise.

Other than logging into the account and evaluating the account and reading some messages, the threat actor did not perform any additional actions.

Leave a Comment

Your email address will not be published.