Phishers use custom phishing kit to hijack MFA-protected enterprise Microsoft accounts

An ongoing, large-scale phishing campaign is targeting owners of business email accounts at companies in the FinTech, Lending, Insurance, Energy and Manufacturing sectors in the US, UK, New Zealand and Australia, Zscaler researchers are warning.


The attackers are using a variety of techniques and tactics to evade corporate email security solutions, together with a custom phishing kit that allows them to bypass multi-factor authentication (MFA) protection and hijack enterprise Microsoft accounts.

Post-compromise, the attackers have been spotted logging into a compromised account to read emails and check the user’s profile information.

An active credential-stealing phishing campaign

According to the researchers, the threat actor behind the campaign is using various cloaking and browser fingerprinting techniques to bypass automated URL analysis systems, and diverse URL redirection methods to evade corporate email URL analysis solutions.

The attackers are using online code editing services such as CodeSandbox and Glitch and Open Redirect pages hosted by Google Ads and Snapchat to host redirection URL code.

“It has been observed that in the midst of a campaign, attackers will modify the code of a redirect page and update a phishing site’s URL that has been flagged as malicious, to a fresh undetected URL,” they said.

Because of some unique attributes (HTML parsing, lack of domain translation), the researchers believe that the attackers are using a custom adversary-in-the-middle (AiTM) phishing kit to phish the targets’ second authentication factor as well as their email credentials.

What should potential targets be on the lookout for?

The campaign has apparently picked up pace in June 2022, and the lures, sent via email, include requests to confirm payments, download documents shared via SharePoint, and reset passwords (or set expired ones).

“Some of the attacker-registered domains were typosquatted versions of legit Federal Credit Unions in the US,” the researchers noted. They tied those to emails originating from the email addresses of the chief executives of the respective Federal Credit Union organizations.

“This indicates that the threat actor might have compromised the corporate emails of chief executives of these organizations using this phishing attack and later used these compromised business emails to send further phishing emails as part of the same campaign.”

Other phishing pages were parked on domains using keywords related to password resetting (e.g., emailaccess-passwordnotice[.]com), and others still on completely random domains.
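Two of the evasion patterns described above, open-redirect hops through trusted services and typosquatted or keyword-laden lure domains, can be screened for at the mail gateway or proxy log before a user ever clicks. The following Python is an added defender-side example and is not Zscaler's tooling or code from the campaign; the protected-domain list, the keyword list, the redirect parameter names and all sample URLs are constructed assumptions, and the registrable-domain helper is a deliberate simplification (a real deployment would use a public suffix list). It also refangs the `[.]` notation used in IOC lists such as the one Zscaler published.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed list of domains the organisation wants to protect from lookalikes.
PROTECTED_DOMAINS = ["examplefcu.org", "login.microsoftonline.com"]

# Constructed keywords typical of password-reset lure domains (see the page's example).
SUSPICIOUS_KEYWORDS = ("password", "passwd", "reset", "notice", "expire", "emailaccess")

# Constructed list of query parameters commonly used to carry a redirect target.
REDIRECT_PARAMS = ("url", "redirect", "redir", "u", "next", "target", "dest", "return", "continue", "q")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (emailaccess-passwordnotice[.]com) back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplified registrable domain: last two labels. Assumption; use a public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_typosquatted(host: str, protected=PROTECTED_DOMAINS, max_dist: int = 2):
    """Return the protected domain this host imitates, or None if it is exact or unrelated."""
    host_reg = registrable(host)
    for legit in protected:
        legit_reg = registrable(legit)
        if host_reg == legit_reg:
            return None  # the genuine domain itself
        if levenshtein(host_reg, legit_reg) <= max_dist:
            return legit
    return None


def open_redirect_target(url: str):
    """If a query parameter carries an absolute URL on a different host, return that inner URL."""
    outer = urlparse(url)
    for key, values in parse_qs(outer.query, keep_blank_values=True).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)  # second decode catches double-encoded targets
            if candidate.startswith("//"):
                candidate = f"{outer.scheme}:{candidate}"
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.hostname and inner.hostname != outer.hostname:
                return candidate
    return None


def assess_url(url: str, protected=PROTECTED_DOMAINS) -> dict:
    """Follow one redirect hop (statically) and report why the landing host looks like a lure."""
    findings = []
    target = open_redirect_target(url)
    if target:
        findings.append(f"open-redirect to {urlparse(target).hostname}")
    landing = urlparse(target or url).hostname or ""
    keywords = [k for k in SUSPICIOUS_KEYWORDS if k in landing]
    if keywords:
        findings.append(f"credential-lure keywords {keywords}")
    imitated = looks_typosquatted(landing, protected)
    if imitated:
        findings.append(f"typosquat of {imitated}")
    return {"url": url, "landing_host": landing, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links as they might appear in a mail body.
    samples = [
        "https://ads.example-platform.test/click?url=https%3A%2F%2Femailaccess-passwordnotice.com%2Flogin",
        "https://exmaplefcu.org/reset",
        "https://examplefcu.org/login",
        "https://" + refang("emailaccess-passwordnotice[.]com") + "/",
    ]
    for s in samples:
        print(assess_url(s))
```

Running the script prints one assessment per sample link; the first is flagged for both the redirect hop and the password-themed landing host, the second as a two-character lookalike of the protected credit union domain, and the genuine domain produces no findings. Static single-hop inspection is only a first filter: the page notes that the operators rewrite redirect code mid-campaign, so the landing host should also be checked against the current IOC list at click time.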

“As an extra precaution, users should not open attachments or click on links in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials,” the researchers advised.

To help enterprise defenders, Zscaler has compiled and will be updating a list of IOCs they can use for blocking.
