Microsoft recently disclosed that since September 2021, a large-scale phishing campaign has targeted over 10,000 organisations by hijacking Office 365's authentication process, even on accounts secured with multi-factor authentication (MFA). The phishing campaign employs proxy sites that act as an adversary-in-the-middle (AiTM) to circumvent MFA features and steal credentials, which are then used to conduct subsequent business email compromise (BEC) campaigns against other targets. Figure 1 depicts a high-level overview of the AiTM phishing campaign and subsequent BEC.
Figure 1: An overview of the AiTM phishing campaign and subsequent BEC 
With AiTM phishing, cybercriminals place a proxy server between the targeted user and the website they're trying to visit, enabling the cybercriminal to intercept and steal the user's password and session cookie, which are implemented by web services after initial authentication so that the user doesn't have to keep authenticating as they move through the site during the session. Through the stolen session cookie, the attacker gets access to the session via the user. Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a BEC campaign, in this case payment fraud.
Listed below are some recommendations for users as preventive measures and mitigation steps against these attacks:
- Be vigilant about phishing attempts. Always be wary of suspicious emails and verify before clicking any links or downloading any attachments, especially if the email comes from an unfamiliar sender.
- Verify a link in an email/SMS by checking the domain name of the site, as it is an indicator of whether the site is legitimate. Users can hover their mouse over the link to ensure that they are being directed to the Uniform Resource Locator (URL) stated.
- Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
- Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.
- Continuously monitor for suspicious or anomalous activities:
- Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
- Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.
- Report security incidents to relevant authorities or to CERTs/CSIRTs in your constituency for immediate remediation and mitigations.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT