Microsoft Office 365 AitM phishing reveals signs of much larger BEC campaign

Researchers investigating an Office 365 account compromise resulting from an adversary-in-the-middle (AitM) phishing attack found evidence of a much larger global attack campaign that spans the past year and is possibly tied to an infostealer malware called FormBook. “In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” researchers from cybersecurity firm Sygnia said in their report. “While some of these attacks were focal and concentrated, some were widely spread and affected a massive number of cross-sectors victims.”

Multi-stage AitM and business email compromise

The campaign uncovered by Sygnia uses very similar tactics to an attack campaign that was recently documented by Microsoft in which attackers use AitM phishing to bypass multifactor authentication (MFA) and compromise email accounts inside organizations and then used those accounts to launch additional attacks against their contacts. The attack investigated by Sygnia seems to be different based on the lure and URLs used, but it suggests these sort of multi-stage business email compromise (BEC) campaigns are now a common occurrence.

“Based on Sygnia’s findings from the investigation, the phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” the researchers said. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.”

The attack starts with rogue emails claiming to contain a document shared by the sender using an online service. When the recipient clicks on the link, they are first taken to a redirection script that sends them to a phishing page hosted on what appears to be a legitimate but compromised website registered to an Indian tax consultancy. In the attack reported by Microsoft, for this stage, the attackers abused a legitimate online graphics generation platform to host their first landing page, which masqueraded as a OneDrive page.

The redirect script in the Sygnia attack is an interesting addition, because it first takes browsers through a domain hosted on Cloudflare that presents an “I’m not a robot” CAPTCHA verification. This was likely added to prevent email security solutions and other URL scanners from automatically following the link to the phishing page, because they would be blocked by Cloudflare’s robot verification script.

Real users are eventually taken to a fake Microsoft sign-in page generated by a phishing kit and hosted on a domain that has been associated with phishing activity in the past and whose registration information was last updated in June 2022. The phishing kit acts as a proxy between the fake page displayed to the user and the real Microsoft authentication page to forward the MFA request, complete the authentication, and record the session cookie issued by Microsoft’s website, which the attackers can then abuse to access the account. The attackers then access the account using a VPN service and register a new MFA device on the account to be able to easily login in the future using the captured credentials.

The following step was similar to the one observed by Microsoft: The attackers crafted new phishing emails using information from the victim’s address book and launched a new campaign against their contacts. However, the Sygnia researchers observed that the domain hosting the new phishing page was also changed to what was likely another legitimate but compromised site. This shows how compromised sites, even if they don’t host any sensitive data or receive a lot of traffic, are still valuable commodities for attackers because they’re often used as temporary infrastructure.

The researchers used the hash of an unique-looking image from the phishing page and searched for it in other scanning services and found over 500 unique URLs that followed the same structure hosted on a variety of other websites. It also helps that for every new phishing round the attackers hosted the landing page in a directory named after the targeted company. This helped determine the extent of this campaign, which appears to go back at least one year and is still active.

The FormBook infostealer

he Sygnia researchers also collected historical telemetry data for an IP address the attackers were using in their campaign and found around 170 domains and subdomains hosted on it that they believe are part of the threat actor’s infrastructure. The VirusTotal service lists over 100 malicious files hosted on those domains or communicating with them and some of those files are related to a family of infostealer malware called FormBook.

FormBook, also known as xLoader, is a spyware program that has been around since 2016 and can steal credentials and other data stored in over 90 applications including browsers, email clients, messaging apps, file management tools, and FTP clients. The program, which has variants for both Windows and macOS, can also record keystrokes and grab data entered into web forms. It’s not clear if FormBook was used at later stages in relation with this BEC campaign or is part of other malicious activities of the same threat actor.

With MFA becoming widely adopted and the default setting for many online accounts, it’s normal for attackers to develop ways of bypassing it. Open-source phishing toolkits can be used in adversary-in-the-middle attacks to capture MFA codes. However, not all MFA methods are susceptible to such attacks. Implementations that rely on client-side certificates or that use physical USB keys compatible with the FIDO2 protocol are safe against AitM attacks because they use cryptographic verification to ensure they talk to the correct website in a secure manner.