Microsoft announced today that it is investigating a large new phishing campaign that employs a “novel technique,” one that renders the “traditional phishing remediation playbook” inadequate.
The corporation stressed that the campaign was most successful against targets that did not use multifactor authentication (MFA).
The new method involves device registration — “joining an attacker-operated device to an organization’s network to further propagate the campaign,” Microsoft stated in a blog post.
The attackers took credentials from targeted firms in Australia, Singapore, Thailand, and Indonesia during the initial phase of the campaign, according to Microsoft.
According to Microsoft, the stolen credentials were then used during the second phase to “expand their foothold” inside the target organization through lateral phishing, and to send spam outside the network. In that second stage, malicious emails were delivered to more than 8,500 recipients.
Lack of Multifactor Authentication
According to the company, the second stage succeeded only against organizations that did not have MFA, which requires a second factor beyond the password before a sign-in is approved.
MFA “foiled the campaign for most targets. For organizations that did not have MFA enabled, however, the attack progressed,” Microsoft added.
“While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled,” the firm claimed. “The attack’s propagation heavily relied on a lack of MFA protocols. Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain.”
Many older Office 365 accounts have no MFA at all and rely on “basic authentication,” a plain username and password. The legacy protocols that use basic authentication (IMAP, POP, SMTP AUTH, Exchange ActiveSync and similar) cannot present a second-factor challenge, so turning on MFA for an account does not protect sign-ins made over them; the protocols themselves have to be blocked. Microsoft is scheduled to phase basic authentication out, but for accounts that still rely on it the risk of attack is severe, according to a report issued this week by the identity platform Okta.
According to the Okta report, Office 365 accounts using basic authentication are ten times more likely to be targeted by attackers than accounts using modern authentication, and for every legitimate log-in attempt to a basic-authentication account there are on average 53 malicious attempts.
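As an added example (not code from the Microsoft or Okta reports), the PowerShell below first audits which accounts in a tenant have recently signed in over a legacy protocol, then blocks basic authentication in Exchange Online with an authentication policy. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an administrator who can read sign-in logs (reading them through the Graph API needs an Azure AD Premium licence); the policy names, the 30-day window and the exemption list are placeholders.

```powershell
# Added example, not code from the Microsoft or Okta reports.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules, an admin account,
# Azure AD Premium for sign-in log access. Policy names, window and $exempt are placeholders.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# 1. Audit: which accounts signed in over a legacy protocol in the last 30 days?
#    Modern (MFA-capable) clients report "Browser" or "Mobile Apps and Desktop clients";
#    anything else (IMAP, POP, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...)
#    is a legacy protocol that cannot complete an MFA challenge. Failed attempts count too:
#    they are the password-spray traffic the Okta numbers describe.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")

$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) }

# One row per (user, protocol), busiest first: this is the list to migrate or exempt.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Block: an authentication policy created with no -AllowBasicAuth* switch blocks every
#    basic-auth protocol (IMAP, POP, SMTP, ActiveSync, EWS, remote PowerShell, ...).
$blockPolicy = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $blockPolicy | Out-Null
}

# 3. Make it the tenant default. Placeholder exemptions (e.g. a scanner that can only do
#    SMTP AUTH) get a narrower policy that allows that one protocol and nothing else.
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockPolicy

$exempt   = @("scanner@example.com")   # placeholder: accounts with a known legacy dependency
$smtpOnly = "Allow SMTP AUTH only"
if (-not (Get-AuthenticationPolicy -Identity $smtpOnly -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $smtpOnly -AllowBasicAuthSmtp | Out-Null
}
foreach ($upn in $exempt) {
    Set-User -Identity $upn -AuthenticationPolicy $smtpOnly
}

# 4. The default policy can take up to 24 hours to apply and a per-user assignment about
#    30 minutes; for the accounts the audit flagged, assign the block explicitly and reset
#    the token validity window so it takes effect immediately.
$flagged = $legacy.UserPrincipalName | Sort-Object -Unique | Where-Object { $_ -notin $exempt }
foreach ($upn in $flagged) {
    Set-User -Identity $upn -AuthenticationPolicy $blockPolicy -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}
```

The authentication policy only covers Exchange Online; a Conditional Access policy that blocks legacy authentication clients is the tenant-wide equivalent for all workloads, and the audit in step 1 is the same list of users to review before switching either one on.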
Toss aside the playbook
Regarding the device-registration approach, Microsoft stated that “connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network.”
Microsoft said it has also seen device registration used in other phishing efforts.
“Leveraging device registration is on the rise as other use cases have been observed,” Microsoft stated. “Moreover, the immediate availability of pen-testing tools, designed to facilitate this technique, will only expand its usage across other actors in the future.”
All of this means the “traditional phishing remediation playbook will not be sufficient here,” according to the company.
“Simply resetting compromised accounts’ passwords may ensure that the user is no longer compromised, but it will not be enough to eliminate ulterior persistence mechanisms in place,” Microsoft stated.
Beyond the password reset, Microsoft recommends revoking active sessions and any tokens associated with the compromised accounts; deleting any mailbox rules created by the attacker; and disabling or removing any “rogue device” the attacker registered in Azure Active Directory.
“If these additional remediation steps are not taken, the attacker could still have valuable network access even after successfully resetting the password of the compromised account. An in-depth understanding of this attack is necessary to properly mitigate and defend against this new type of threat,” Microsoft warned.
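The four remediation steps above, carried out as one script, as an added example that is not Microsoft's own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an administrator with user, device and mailbox rights; the user principal name, the time the compromise began and the choice to delete rather than only disable devices are inputs supplied by the responder. The mailbox-level forwarding check at the end goes beyond the steps the article lists and is included because it is a persistence mechanism of the same kind as an inbox rule.

```powershell
# Added example, not Microsoft's own code. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin with user, device and mailbox rights.
# The UPN, compromise time and the decision to delete devices are inputs, not findings.
param(
    [Parameter(Mandatory)] [string]   $Upn,               # e.g. "victim@example.com" (placeholder)
    [Parameter(Mandatory)] [datetime] $CompromisedSince,  # earliest time the attacker had access
    [switch] $RemoveDevices                               # default: disable rogue devices, keep them for forensics
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", "Device.ReadWrite.All"
Connect-ExchangeOnline

$user = Get-MgUser -UserId $Upn

# 1. Password reset. Necessary, but on its own it leaves the attacker's refresh tokens,
#    inbox rules and registered device untouched.
$chars = [char[]](48..57 + 65..90 + 97..122)
$newPassword = -join ($chars | Get-Random -Count 24)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke sessions: invalidates refresh tokens and browser session cookies. Access tokens
#    already issued stay valid until they expire (about an hour by default), so do not
#    assume the attacker is locked out the moment this returns.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Inbox rules. Keep a copy for the investigation, then remove rules that delete,
#    forward or redirect mail, or bury it in a folder the user will not look at.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Clixml -Path ".\$($Upn)-inboxrules.xml"
$suspicious = $rules | Where-Object {
    $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    ($_.MoveToFolder -match 'RSS|Junk|Archive|Conversation History|Deleted')
}
foreach ($r in $suspicious) {
    Write-Host "Removing inbox rule '$($r.Name)': $($r.Description)"
    Remove-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
}
# Mailbox-level forwarding is not an inbox rule but serves the same purpose; clear it too.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 4. Rogue devices: anything this user registered or owns since the compromise began.
#    Disable first (the device can no longer obtain tokens but its record survives for
#    the investigation); delete only when -RemoveDevices is given.
$deviceIds = @(Get-MgUserRegisteredDevice -UserId $user.Id) + @(Get-MgUserOwnedDevice -UserId $user.Id) |
    Select-Object -ExpandProperty Id | Sort-Object -Unique
foreach ($id in $deviceIds) {
    $d = Get-MgDevice -DeviceId $id -ErrorAction SilentlyContinue   # owned objects are not all devices
    if (-not $d) { continue }
    if ($null -eq $d.RegistrationDateTime) {
        Write-Host "Device $($d.DisplayName) has no registration time; review manually"
        continue
    }
    if ($d.RegistrationDateTime -lt $CompromisedSince) { continue }
    Write-Host "Rogue device $($d.DisplayName) ($($d.OperatingSystem), trust: $($d.TrustType)) registered $($d.RegistrationDateTime)"
    Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    if ($RemoveDevices) { Remove-MgDevice -DeviceId $d.Id }
}
```

Two caveats worth knowing before running it: Exchange warns that editing rules with these cmdlets removes any client-only rules Outlook created for the mailbox, which is why the export precedes the deletion; and the registration-time filter only catches devices added after the time you pass in, so an attacker who joined a device before your earliest known compromise time is found by reviewing the full device list, not by this script.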
Microsoft’s emphasis on security
Microsoft is a major cybersecurity vendor in its own right, with 715,000 security customers, in addition to supplying some of the largest platforms and cloud services used by organizations.
“We deliver advanced end-to-end cross-cloud, cross-platform security solutions, which integrate more than 50 different categories across security, compliance, identity, device management, and privacy, informed by more than 24 trillion threat signals we see each day,” Microsoft CEO Satya Nadella said during the company’s quarterly call with analysts on Tuesday, according to a document posted on the company’s website.
Microsoft’s security business revenue increased 45 percent year over year, reaching $15 billion, according to Nadella. Microsoft Sentinel, the company’s security information and event management (SIEM) platform, currently has 15,000 clients, up 70% from a year ago, he said.