Recently, Microsoft’s Defender Experts uncovered a sophisticated multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack, which targeted banking and financial services organizations. The attack, tracked as Storm-1167, was initiated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. The aim was financial fraud, exploiting trusted relationships between vendors, suppliers, and partner organizations.
The multi-stage AiTM phishing and BEC attack began with a phishing email from a trusted vendor, which contained a unique seven-digit code as the subject. The email body included a link to view or download a fax document, which led to a malicious URL hosted on Canva.com. The attackers cleverly leveraged the legitimate service Canva for the phishing campaign, using it to host a page that showed a fake OneDrive document preview and linked to a phishing URL.
Once the victims clicked on the URL, they were redirected to a phishing page hosted on the Tencent cloud platform that spoofed a Microsoft sign-in page. After the victims provided their passwords, the attackers initiated an authentication session with the victims’ credentials. When prompted with multi-factor authentication (MFA), the attackers modified the phishing page into a forged MFA page. Once the victims completed the MFA, the session token was captured by the attackers.
The attackers then used the stolen session cookie to impersonate the victims, circumventing authentication mechanisms of passwords and MFA. They accessed email conversations and documents hosted in the cloud, and even generated a new access token, allowing them to persist longer in the environment. The attackers also added a new MFA method for the victims’ accounts, using a phone-based one-time password (OTP) service, to sign in undetected.
The attackers then initiated a large-scale phishing campaign involving more than 16,000 emails with a slightly modified Canva URL. The emails were sent to the compromised user’s contacts, both within and outside of the organization, as well as distribution lists. The recipients were identified based on the recent email threads in the compromised user’s inbox. The subject of the emails contained a unique seven-digit code, possibly a tactic by the attacker to keep track of the organizations and email chains.
The recipients of the phishing emails who clicked on the malicious URL were also targeted by another AiTM attack. Microsoft Defender Experts identified all compromised users based on the landing IP and the sign-in IP patterns. The attacker was observed initiating another phishing campaign from the mailbox of one of the users who was compromised by the second AiTM attack.
This incident highlights the complexity of AiTM attacks and the comprehensive defenses they necessitate. It also underscores the importance of proactive threat hunting to discover new tactics, techniques, and procedures (TTPs) on previously known campaigns to surface and remediate these types of threats. The continuous evolution of these threats, such as the use of indirect proxy in this campaign, exemplifies the need for organizations to stay vigilant and proactive in their cybersecurity measures.