
Microsoft Office 365 AitM phishing highlights indications of a significantly larger BEC campaign


A recent investigation conducted by cybersecurity firm Sygnia revealed evidence of a large-scale global attack campaign that has been ongoing for the past year. The campaign, which targeted Office 365 accounts through an adversary-in-the-middle (AiTM) phishing attack, may be linked to a malware strain called FormBook.

Sygnia’s report highlights the growing prevalence of business email compromise (BEC) attacks, with a particular focus on AiTM tactics. In an AiTM attack the phishing page is a reverse proxy in front of the real login page: the victim’s credentials and MFA response are relayed to the legitimate service, and the attacker keeps the session cookie that is issued once MFA succeeds, which is how the MFA requirement is bypassed. Once a mailbox is compromised, the attackers use it to launch further attacks against the victim’s contacts.

The campaign Sygnia uncovered used tactics similar to those Microsoft recently documented, but with a different lure and different URLs, which suggests that multi-stage BEC campaigns built on AiTM phishing are now commonplace.

The attacks began with rogue emails claiming to contain a shared document. Clicking the link led to a phishing page hosted on a compromised website, but not directly: the attackers had inserted a redirection step through a domain fronted by Cloudflare that presented an “I’m not a robot” CAPTCHA. Email security solutions and URL scanners that cannot solve the CAPTCHA never reach the phishing page, so the check was most likely added to evade them.

Real users who passed the CAPTCHA were taken to a fake Microsoft sign-in page generated by a phishing kit hosted on a suspicious domain. The kit acted as a proxy between the fake page and the real Microsoft authentication page, relaying the victim’s input and capturing both the credentials and the session cookies issued after authentication. A captured session cookie gives the attacker access to the account without having to repeat the MFA challenge.
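The trace an AiTM cookie theft leaves in sign-in telemetry is a session token that was minted at one interactive sign-in and is then used from a different address shortly afterwards. The following is an added example, not code from Sygnia’s report or from Microsoft: it runs that correlation over a handful of constructed sign-in records whose field names are loosely modelled on Microsoft Entra ID sign-in logs (userPrincipalName, sessionId, ipAddress, createdDateTime, isInteractive, countryOrRegion). The field names, the 24-hour window and the sample addresses are assumptions for the example; check them against your own tenant’s export before reusing the logic.

```python
"""Hunting for replayed Office 365 session tokens in sign-in records.

Added example; not code from Sygnia's report or from Microsoft. The
records below are constructed for the example and loosely modelled on
Microsoft Entra ID sign-in log fields. Verify the field names against
your tenant's export before reusing the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: alice's session stays on one address; bob's session
# token reappears minutes after the interactive sign-in from a different
# address and country, the pattern an AiTM cookie replay leaves behind.
SIGNIN_RECORDS = [
    {"userPrincipalName": "alice@example.com", "sessionId": "s-1001",
     "ipAddress": "203.0.113.10", "countryOrRegion": "DE",
     "createdDateTime": "2023-06-05T08:01:00Z", "isInteractive": True},
    {"userPrincipalName": "alice@example.com", "sessionId": "s-1001",
     "ipAddress": "203.0.113.10", "countryOrRegion": "DE",
     "createdDateTime": "2023-06-05T09:30:00Z", "isInteractive": False},
    {"userPrincipalName": "bob@example.com", "sessionId": "s-2002",
     "ipAddress": "198.51.100.7", "countryOrRegion": "DE",
     "createdDateTime": "2023-06-05T10:00:00Z", "isInteractive": True},
    {"userPrincipalName": "bob@example.com", "sessionId": "s-2002",
     "ipAddress": "192.0.2.44", "countryOrRegion": "NG",
     "createdDateTime": "2023-06-05T10:04:00Z", "isInteractive": False},
    {"userPrincipalName": "bob@example.com", "sessionId": "s-2002",
     "ipAddress": "192.0.2.44", "countryOrRegion": "NG",
     "createdDateTime": "2023-06-05T10:09:00Z", "isInteractive": False},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(records, window=timedelta(hours=24)):
    """Return one finding per session token that is used from an IP address
    other than the one seen at the interactive sign-in that created it,
    within `window` of that sign-in. Further uses from the same foreign
    address are folded into the first finding for that address."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, session_id), recs in by_session.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        interactive = [r for r in recs if r["isInteractive"]]
        if not interactive:
            continue  # the sign-in that minted this token is outside our data
        origin = interactive[0]
        origin_time = _ts(origin["createdDateTime"])
        seen_ips = {origin["ipAddress"]}
        for rec in recs:
            delta = _ts(rec["createdDateTime"]) - origin_time
            if delta < timedelta(0) or delta > window or rec["ipAddress"] in seen_ips:
                continue
            seen_ips.add(rec["ipAddress"])
            findings.append({
                "user": user,
                "sessionId": session_id,
                "signin_ip": origin["ipAddress"],
                "replay_ip": rec["ipAddress"],
                "minutes_after_signin": int(delta.total_seconds() // 60),
                # a country change makes a benign network hop much less likely
                "country_changed": rec["countryOrRegion"] != origin["countryOrRegion"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SIGNIN_RECORDS):
        print(finding)
```

One caveat when triaging: in an AiTM compromise the interactive sign-in itself is performed by the proxy, so the "sign-in IP" in a finding is the attacker’s proxy, not the victim. Pair this correlation with a baseline of each user’s usual addresses and countries so that the proxied sign-in is flagged as well.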

Following this initial compromise, the attackers crafted new phishing emails using information from the victim’s address book. These emails were used in subsequent campaigns against the contacts of the original victims. The researchers observed that the domain hosting the phishing page changed with each new campaign, indicating a reliance on compromised sites as temporary infrastructure.

To determine the scale of the campaign, Sygnia researchers searched for a unique-looking image from the phishing page across scanning services. They identified over 500 unique URLs that followed the same structure and were hosted on various websites. Additionally, the researchers collected telemetry data for an IP address used by the attackers, which led to the discovery of approximately 170 domains and subdomains associated with the threat actor’s infrastructure.

Further analysis revealed that some of the malicious files hosted on these domains were related to FormBook, an infostealer malware that has been active since 2016. FormBook is capable of stealing credentials and other data stored in over 90 applications, recording keystrokes, and capturing data entered into web forms. It remains unclear whether FormBook was specifically leveraged in the BEC campaign or if it was part of separate malicious activities conducted by the same threat actor.

As multi-factor authentication becomes more widespread, attackers are actively seeking ways to bypass it. Open-source AiTM phishing toolkits relay one-time codes and push approvals to the real site in real time, so any factor that is typed or approved on a page the attacker proxies can be defeated. Some authentication methods resist this. Client-side certificate authentication and physical security keys that implement the FIDO2/WebAuthn protocol are considered secure against AiTM attacks because the cryptographic proof is bound to the site the browser is actually talking to: a FIDO2 assertion is signed over the origin the browser recorded and the hash of the relying-party ID, so an assertion collected on the attacker’s domain is rejected by the legitimate service, and a TLS client certificate authenticates the TLS connection itself, which the proxy terminates rather than forwards.
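To make the origin-binding argument concrete, here is an added example, not code from Sygnia’s report or from any WebAuthn library, of the relying-party checks in the WebAuthn assertion flow that tie a response to the site the user actually visited: the origin the browser writes into clientDataJSON and the RP ID hash the authenticator writes into authenticatorData. The RP ID, the origins, the challenge and the simulated authenticator are assumed values for the example; signature verification with the registered public key is assumed to follow over the bytes the verifier returns.

```python
"""Why a FIDO2/WebAuthn assertion does not survive an AiTM proxy.

Added example; not code from the Sygnia report or from any WebAuthn
library. RP_ID, ALLOWED_ORIGINS and the challenge are assumed values.
The authenticator and the browser's clientDataJSON are simulated below;
signature verification with the registered public key is assumed to run
afterwards over the bytes verify_assertion_binding() returns.
"""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                 # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1) || signCount (4), as an authenticator
    emits for a get() call. Simulated here; a real key computes rpIdHash
    from the RP ID the browser passes it, and the browser only accepts an
    RP ID that is a registrable suffix of the page's own origin."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT])
            + counter.to_bytes(4, "big"))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it. The page's JavaScript cannot
    choose `origin`; the browser fills in the origin of the page itself."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> bytes:
    """RP-side binding checks. Returns the bytes the authenticator signed
    (authenticatorData || SHA-256(clientDataJSON)); raises ValueError on
    any mismatch."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (possible replay)")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {client_data.get('origin')!r} is not this RP")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        raise ValueError("user presence flag not set")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def assertion_accepted(page_origin: str, rp_id: str, challenge: bytes) -> bool:
    """Simulate a login from a page at `page_origin` using `rp_id` and report
    whether the RP's binding checks accept the resulting assertion."""
    try:
        verify_assertion_binding(build_client_data(page_origin, challenge),
                                 build_authenticator_data(rp_id), challenge)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    challenge = os.urandom(32)
    # Victim on the real site: accepted.
    print(assertion_accepted("https://login.example.com", RP_ID, challenge))
    # Victim on the proxy's domain: the browser records the proxy's origin,
    # and would in any case refuse an RP ID that is not a suffix of that
    # origin, so the proxy is stuck with its own RP ID. Rejected either way.
    print(assertion_accepted("https://login-example.phish.example", RP_ID, challenge))
    print(assertion_accepted("https://login-example.phish.example", "phish.example", challenge))
```

The proxy can relay the challenge and the user’s button press, but it cannot rewrite the origin the victim’s browser recorded, and the signature covers the hash of that clientDataJSON, so altering it after the fact invalidates the signature the RP checks next. That is the property a relayed one-time code lacks.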

In conclusion, Sygnia’s investigation has uncovered a sophisticated and ongoing campaign using AiTM phishing against Office 365 accounts. The multi-stage BEC attacks and the potential involvement of the FormBook malware highlight the evolving tactics of threat actors. As these attacks become more prevalent, organizations should move toward phishing-resistant authentication, monitor for session token replay, and keep a close watch on outbound mail from recently compromised accounts.
