Microsoft has raised an alarm about a new multi-phase phishing campaign that first enrolls an attacker's BYOD device on a corporate network and then begins sending thousands of convincing phishing emails to further targets.
The purpose of enrolling or registering a device on a target company's network was to avoid detection during later phishing attacks, according to Microsoft.
Microsoft says "most" organizations that had enabled multi-factor authentication (MFA) for Office 365 were not impacted by phishing emails spread by attacker-controlled registered devices, but those that had not enabled MFA were all affected.
The attack exploited cases where MFA was not enforced when a new device was registered with a company's Azure Active Directory (Azure AD) tenant, or when a BYOD device was enrolled in a mobile device management (MDM) platform such as Microsoft Intune.
"While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack's propagation heavily relied on a lack of MFA protocols," Microsoft said.
"Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," it added.
The first wave of the attack targeted organizations in Australia, Singapore, Indonesia, and Thailand, according to Microsoft. "Hundreds" of credentials stolen in this phase were then used in the second phase where a device was registered or enrolled, allowing for broader penetration of the target.
The first phase relied on a DocuSign-branded phishing email requesting the recipient review and sign the document. It used phishing domains registered under the .xyz top level domain (TLD). Each email's phishing link was also uniquely generated and contained the target's name in the URL. The phishing link directed victims to a spoofed Office 365 login page.
The attackers used the stolen credentials to connect to Exchange Online PowerShell and create inbox rules that deleted messages whose subject or body contained keywords including 'junk', 'spam', 'phishing', 'hacked', 'password', and 'with you'. This was most likely to hide warning emails, bounce-backs and helpdesk replies from the victim, so the compromise would go unnoticed.
In the second phase, the attackers installed Microsoft's Outlook email client onto their own Windows 10 PC and connected it to the victim's Azure AD using the credentials stolen in phase one. All they had to do was accept Outlook's onboarding prompt, which offers to register the device.
"An Azure AD MFA policy would have halted the attack chain at this stage," Microsoft notes.
Azure AD does record and time-stamp every new device registration in its audit logs, which gives defenders a way to spot rogue enrollments after the fact.

With compromised credentials and an Outlook client on a Windows 10 device now registered in the tenant, the attackers then sent "lateral, internal, and outbound" phishing messages to more than 8,500 other email accounts. These messages used a SharePoint sharing invitation to view a file named "Payment.pdf".
"By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign."
Accounts where victims clicked the link in the second wave were similarly subjected to automated rules that deleted emails containing the same keywords used in the first wave.
Microsoft offers directions to security teams that can revoke active sessions and tokens of compromised accounts, delete unwanted mailbox rules, and disable rogue devices registered with Azure AD.
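The hunting and clean-up steps described above, written out as an added example (this is not Microsoft's published script or code from the report). It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the operator holds the Exchange and Azure AD roles needed to read mailboxes and disable devices, and that the 30-day look-back window is an arbitrary choice for the investigation:

```powershell
# Added example: hunt for attacker inbox rules, then revoke sessions and
# disable recently registered devices for the affected accounts.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and admin roles.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All","Device.ReadWrite.All","Directory.ReadWrite.All"

# Keywords the attacker's delete rules keyed on, as listed in Microsoft's report
$Keywords = @('junk','spam','phishing','hacked','password','with you')

# 1. Find inbox rules, tenant-wide, that delete mail matching any of those words
$SuspectRules = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            $_.DeleteMessage -and
            ((@($_.SubjectContainsWords) + @($_.BodyContainsWords) + @($_.SubjectOrBodyContainsWords)) |
                Where-Object { $_ -and ($Keywords -contains $_.ToLower()) })
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Identity, Enabled
}
$SuspectRules | Format-Table -AutoSize

# 2. For each affected mailbox: delete the rule, revoke sessions and refresh
#    tokens, and disable (not delete) devices registered in the look-back window,
#    so the device object and its registration timestamp survive for forensics.
$Since = (Get-Date).AddDays(-30)   # assumed investigation window
foreach ($rule in $SuspectRules) {
    Remove-InboxRule -Mailbox $rule.Mailbox -Identity $rule.Identity -Confirm:$false

    $user = Get-MgUser -UserId $rule.Mailbox
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null   # invalidates refresh tokens / sessions

    Get-MgUserRegisteredDevice -UserId $user.Id -All |
        ForEach-Object { Get-MgDevice -DeviceId $_.Id } |
        Where-Object { $_.RegistrationDateTime -ge $Since } |
        ForEach-Object {
            Write-Host "Disabling device '$($_.DisplayName)' ($($_.DeviceId)), registered $($_.RegistrationDateTime)"
            Update-MgDevice -DeviceId $_.Id -AccountEnabled:$false
        }
}
```

Revoking sessions does not reset the password; do that too, because the attacker still holds the original credential and will simply sign in again. Review the disabled device list with the user before deleting anything, since the same account may legitimately have enrolled a new laptop in the same window.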
Notably, Microsoft says organizations can reduce their attack surface by disabling basic authentication in Exchange Online, by disabling Exchange Online PowerShell for end users who do not need it, and by using Azure AD Conditional Access policies, for example to require MFA when a device is registered.
Microsoft in February announced that, due to the pandemic, it was delaying its plan to turn off basic authentication in Exchange Online for legacy email authentication protocols, such as Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB.
Removing basic authentication closes off those single-factor sign-in paths. Microsoft's replacement, Modern Authentication (based on OAuth 2.0), supports both Conditional Access and MFA.
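The three hardening measures above, as an added example (not Microsoft's own script): block basic authentication tenant-wide with an Exchange Online authentication policy, strip Exchange Online PowerShell from non-admin users, and add a Conditional Access policy that requires MFA for the "register or join devices" user action. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, Exchange and Conditional Access admin roles, and the policy name and admin address shown are placeholders:

```powershell
# Added example: harden an Exchange Online / Azure AD tenant against the
# credential-phishing -> device-registration chain described above.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and admin roles.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# 1. Block Basic Authentication for every protocol.
#    A new authentication policy denies Basic Auth unless an Allow* switch is
#    set, so creating it with no switches yields a "block everything" policy.
$PolicyName = "Block Basic Auth"   # assumed name
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Verify: every Allow* property should be False
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Allow*

# 2. Remove Exchange Online PowerShell from ordinary users, so a stolen
#    password can no longer be turned into New-InboxRule. $AdminUpns is an
#    assumed allow-list of accounts that legitimately need remote PowerShell.
$AdminUpns = @('exo-admin@contoso.example')
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and ($AdminUpns -notcontains $_.UserPrincipalName) } |
    ForEach-Object {
        Write-Host "Disabling remote PowerShell for $($_.UserPrincipalName)"
        Set-User -Identity $_.Identity -RemotePowerShellEnabled $false
    }

# 3. Conditional Access: require MFA for the "register or join devices" user
#    action, the exact step this campaign abused. Created in report-only mode;
#    review the sign-in logs, then change state to "enabled".
$CaPolicy = @{
    displayName = "Require MFA to register or join devices"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeUserActions = @("urn:user:registerdevice") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $CaPolicy
```

A new default authentication policy can take up to 24 hours to apply to existing sessions; to cut that short for a specific account, set `Set-User -Identity <upn> -STSRefreshTokensValidFrom (Get-Date)`, which forces the user's tokens to be reissued under the new policy. Keep an emergency-access account excluded from the Conditional Access policy so a broken MFA configuration cannot lock administrators out.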
Microsoft in September said it would "begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth", from October 1, 2022.