fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Warns of Multi-stage Phishing Campaign Leveraging Azure AD

Microsoft Warns of Multi-stage Phishing Campaign Leveraging Azure AD

Microsoft’s threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target’s network and use them to distribute phishing emails.

As the report highlights, the attacks manifested only through accounts that didn’t have multi-factor authentication (MFA) protection, which made them easier to hijack.

The threat actor deployed the attacks in two stages, the first one designed to steal the recipient’s email credentials, luring them with DocuSign-themed emails that urged reviewing and signing a document.

Also Read: 10 Best, Secured And Trusted Disposal Contractor In Singapore

DocuSign lure sent in the first wave of the attack
DocuSign lure sent in the first wave of the attack
Source: Microsoft

The embedded links take the victim to a phishing URL that imitates the Office 365 login page and pre-fills the victim’s username for increased credibility.

A spam filter that wasn’t

Microsoft’s telemetry data indicates that the first phase of the attacks focused mainly on firms located in Australia, Singapore, Indonesia, and Thailand.

The actors attempted to compromise remote working employees, poorly protected managed service points, and other infrastructure that may operate outside strict security policies.

Microsoft’s analysts were able to spot the threat by detecting anomalous creation of inbox rules, which actors added immediately after gaining control of an inbox to keep out IT notification messages that could trigger suspicions.

“Leveraging the Remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message,” – the report details.

Also Read: 10 Tips For Drafting Key Terms In A Service Agreement

“The inbox rule allowed the attackers to avoid arousing the compromised users’ suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user.”

The investigation that followed revealed that over a hundred mailboxes in multiple organizations had been compromised with malicious mailbox rules named “Spam Filter”.

Azure AD registration

With credentials in hand, the attackers installed Outlook on their own machine (Windows 10) and logged into the user’s email account. This action caused the attacker’s device to connect automatically to the company Azure Active Directory and register it.

This was likely due to accepting Outlook’s first launch experience by logging with the stolen credentials, Microsoft notes, adding that a MFA policy in Azure AD would not have allowed the rogue registration.

Once the attacker’s device was added to the organizations network, the threat actor proceeded to the second stage, sending emails to employees of the targeted firm and external targets such as contractors, suppliers, or partners.

Phishing attack chain
Phishing attack chain
Source: Microsoft

Since these messages come from a trusted workspace, they aren’t flagged by security solutions and carry an intrinsic element of legitimacy that boosts the actors’ chances of success.

By registering rogue devices, the threat actor likely hoped to enforce policies that would facilitate lateral phishing.

Azure AD triggers an activity timestamp when a device attempts to authenticate, which was a second opportunity for defenders to discover the suspicious registrations.

Suspicious registration event
Suspicious registration event
Source: Microsoft

If the registration goes unnoticed, the actors are allowed to send messages from a recognized and trusted part of the domain using the stolen valid credentials on Outlook.

The second wave of phishing messages was much larger than the first, counting over 8,500 SharePoint-themed emails with a “Payment.pdf” attachment.

This phishing campaign was crafty and moderately successful, but it wouldn’t be nearly as effective if the targeted companies followed one of these practices:

  • All employees had enabled MFA on their Office 365 accounts.
  • Deploy endpoint protection solutions that can detect the creation of inbox rules.
  • Azure AD device registration is closely monitored.
  • Azure AD enrollment requires MFA.
  • Zero trust policies are employed in all parts of the organization’s network.

Update [January 27, 13:43 EST]: Edited some paragraphs to clarify aspects of the campaign and how it moved from one stage to another.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us