A new large-scale phishing campaign targeting credentials for Microsoft email services uses a custom proxy-based phishing kit to bypass multi-factor authentication.
Researchers believe the aim of the campaign is to breach corporate accounts to carry out BEC (Business Email Compromise) attacks, in which payments are diverted to bank accounts under the attackers' control using forged documents.
The targets of the phishing campaign include fin-tech, lending, accounting, insurance and Federal Credit Union organizations in the US, UK, New Zealand and Australia.
The campaign was discovered by Zscaler’s ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors are registering new phishing domains almost daily.
Beginning in June 2022, Zscaler’s analysts noticed a spike in advanced phishing attempts against specific industries and users of Microsoft email services.
Some of the newly registered domains used in the campaign are typosquatted versions of legitimate United States Federal Credit Union domains, as shown in the table below.
Notably, many of the phishing emails come from the accounts of executives working at these organizations, which were likely compromised by the threat actors in earlier attacks.
Another set of phishing sites used domain names built around the password-reset lure that the email campaign relies on:
- expiration request email access[.]com
- expirationrequest password reminder[.]com
- email access password notification[.]com
The threat actors added the links to the emails as buttons embedded in the message body or in attached HTML files that trigger redirects to the phishing pages.
The redirects take place through legitimate web sources to evade email and internet security tools, with the threat actors showing a preference for open redirects on Google Ads, Snapchat, and DoubleClick. Unfortunately, some platforms do not consider open redirects a vulnerability, making them available for threat actors to exploit.
CodeSandbox and Glitch are also widely abused in this campaign to help the hackers create new redirection routes without much effort.
Bypassing MFA with a custom phishing kit
With enterprises rapidly adopting multi-factor authentication, stealing a user's credentials is no longer enough to access an account if MFA is enabled. To evade MFA, threat actors turn to tools such as Evilginx2, Muraena, and Modlishka.
Using these reverse proxies, the adversaries sit in the middle between the victim and the email provider's server, which is why these attacks are called "AiTM" (adversary in the middle).
The email server asks for the MFA code during the login process and the phishing kit passes that request on to the victim, who then enters the OTP into the phishing page. The data is forwarded to the email service, which allows the threat actor to log into the stolen account.
Because the phishing proxy sits at the center of this exchange, it can also steal the resulting authentication cookies, allowing the threat actors to log in with those stolen cookies and bypass MFA for that specific account.
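The cookie-replay step described above gives defenders something concrete to look for: a session whose MFA challenge was completed from one source address but whose cookie is then presented from another. The following Python is an added illustration written for this article, not code from Zscaler, Microsoft or the phishing kit, and it assumes a simplified, constructed sign-in record schema rather than any real identity provider's log format.

```python
from collections import defaultdict

# Constructed sample sign-in records (hypothetical schema, not a real IdP log format).
# mfa == "challenge": the sign-in satisfied MFA with a fresh OTP or prompt.
# mfa == "cookie":    the sign-in was satisfied by presenting an existing session cookie.
SAMPLE_EVENTS = [
    {"ts": 0,   "user": "cfo@example-fcu.test", "session": "S1", "ip": "198.51.100.7", "mfa": "challenge"},
    {"ts": 60,  "user": "cfo@example-fcu.test", "session": "S1", "ip": "198.51.100.7", "mfa": "cookie"},
    {"ts": 480, "user": "cfo@example-fcu.test", "session": "S1", "ip": "203.0.113.9",  "mfa": "cookie"},
    {"ts": 0,   "user": "ap@example-fcu.test",  "session": "S2", "ip": "192.0.2.14",   "mfa": "challenge"},
    {"ts": 900, "user": "ap@example-fcu.test",  "session": "S2", "ip": "192.0.2.14",   "mfa": "cookie"},
]


def detect_cookie_replay(events, window=24 * 3600):
    """Return alerts for session cookies presented from a source IP other than
    the one that completed the MFA challenge, within `window` seconds.

    Heuristic only: roaming users and NAT changes will trigger it too, so treat
    hits as leads for review, not proof of compromise.
    """
    origin = {}  # session id -> (user, ip, ts) of the MFA challenge
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["mfa"] == "challenge":
            origin[ev["session"]] = (ev["user"], ev["ip"], ev["ts"])
            continue
        if ev["session"] not in origin:
            continue  # cookie with no observed challenge; out of scope here
        user, challenge_ip, challenge_ts = origin[ev["session"]]
        delta = ev["ts"] - challenge_ts
        if ev["ip"] != challenge_ip and 0 <= delta <= window:
            alerts.append({"user": user, "session": ev["session"],
                           "challenge_ip": challenge_ip, "replay_ip": ev["ip"],
                           "seconds_after_mfa": delta})
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_replay(SAMPLE_EVENTS):
        print(f"{a['user']}: session {a['session']} completed MFA from {a['challenge_ip']} "
              f"but was replayed from {a['replay_ip']} {a['seconds_after_mfa']}s later")
```

In the constructed sample, the CFO's cookie reappears from a second address 480 seconds after MFA, mirroring the eight-minute gap Zscaler observed in its test instance.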
What makes this campaign stand out is the use of a custom proxy-based phishing kit that has the particularity of using the HTML and XML parsing tool “Beautiful Soup”.
With this tool, the kit can easily modify legitimate login pages fetched from the targeted organizations' corporate logins and add its own phishing elements. The tool also has the added benefit of beautifying the HTML in the process.
However, the kit isn't perfect, as Zscaler found some URL leaks in the requests sent to the Microsoft server, which could allow for detection on the vendor side.
Zscaler set up a test instance, let the attackers roam in it, and monitored their activity after the compromise; the hackers logged into the account eight minutes after the credentials were phished.
Other than logging in, evaluating the account and reading some messages, the threat actor did not perform any additional actions.