Lateral Phishing Attacks on Businesses Using Device Registration Tricks



Short News:-

A multi-phase phishing campaign uses stolen credentials to register devices on a victim's network. An adversary exploited accounts that were not secured with multi-factor authentication (MFA). Lateral phishing and outbound spam were used in the second phase of the attack. Email-based social engineering attacks are still the most dominant method of attacking businesses. More than 8,500 people were infected by this second wave of attacks. The novel technique made it possible to expand the attackers' foothold, spread the attack covertly, and move laterally.





Detailed News:-

Microsoft has revealed the details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim's network.


In order to circumvent a company's bring-your-own-device (BYOD) policy and sneak in their own rogue devices, an adversary exploited accounts that were not secured with multi-factor authentication (MFA), according to the tech giant.


Two stages were involved in the assaults. Microsoft 365 Defender Threat Intelligence Team said in a technical report published this week that the first phase of the campaign involved stealing credentials from target organizations located primarily in Australia, Singapore, Indonesia, and Thailand.


Lateral phishing and outbound spam were used in the second phase of the attack to extend the attackers' reach within the organization and beyond the network using the stolen credentials.


Recipients who clicked on the link in the DocuSign-branded email they were sent were taken to a fake Microsoft login page where their credentials were stolen.


Over 100 mailboxes from various companies were compromised as a result of the credential theft, and the attackers were able to implement an inbox rule to evade detection. Later, the second wave of attacks exploited a company's Azure Active Directory (AD) instance's lack of MFA protections to enroll an unmanaged Windows device and spread the malicious messages.




The novel technique made it possible to expand the attackers' foothold, spread the attack covertly, and move laterally throughout the targeted network by connecting the attacker-controlled device to the network.


More than 8,500 people were infected by this second wave of attacks, which were launched by exploiting a compromised mailbox belonging to a targeted user, according to Microsoft. The message body contained an invitation to share on SharePoint in an attempt to fool the recipients into thinking the 'Payment.pdf' document being shared was genuine.
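The chain described above (a sign-in without MFA, an inbox rule to hide traces, a device registration, then mass outbound mail) is what a defender would want to correlate per user. The following is an added example, not code from Microsoft or from this article; the event tuples and field names are a constructed, simplified audit-log shape, not Microsoft's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, operation, detail).
# The shape is an assumption for this example, not the real unified audit log schema.
SAMPLE_EVENTS = [
    ("2022-01-10T08:02:00", "alice@example.com", "UserLoggedIn", "mfa=false"),
    ("2022-01-10T08:05:00", "alice@example.com", "New-InboxRule", "MoveToFolder=Archive"),
    ("2022-01-10T09:40:00", "alice@example.com", "Register device", "os=Windows"),
    ("2022-01-10T10:10:00", "alice@example.com", "Send", "recipients=412"),
    ("2022-01-10T10:00:00", "bob@example.com", "New-InboxRule", "MoveToFolder=Archive"),
    ("2022-01-15T10:00:00", "bob@example.com", "Register device", "os=Windows"),
    ("2022-01-11T12:00:00", "carol@example.com", "UserLoggedIn", "mfa=true"),
    ("2022-01-11T12:30:00", "carol@example.com", "Register device", "os=Windows"),
]

# One predicate per stage of the campaign, evaluated on (operation, detail).
INDICATORS = {
    "signin_without_mfa": lambda op, d: op == "UserLoggedIn" and "mfa=false" in d,
    "inbox_rule_created": lambda op, d: op == "New-InboxRule",
    "device_registered":  lambda op, d: op == "Register device",
    "mass_outbound_mail": lambda op, d: op == "Send" and int(d.split("=")[1]) >= 100,
}

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Return {user: sorted stage names} for users showing at least
    `min_stages` distinct indicators inside a sliding `window`."""
    by_user = {}
    for ts, user, op, detail in events:
        t = datetime.fromisoformat(ts)
        for name, pred in INDICATORS.items():
            if pred(op, detail):
                by_user.setdefault(user, []).append((t, name))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()  # chronological, so each hit can open a window
        for i, (t0, _) in enumerate(hits):
            stages = {n for t, n in hits[i:] if t <= t0 + window}
            if len(stages) >= min_stages:
                flagged[user] = sorted(stages)
                break
    return flagged

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only alice is flagged: bob's device registration comes five days after his inbox rule, and carol's registration followed an MFA-backed sign-in, so neither reaches two stages inside the window.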


The development comes at a time when email-based social engineering attacks are still the most dominant method of attacking businesses in order to gain initial entry and drop malware on compromised systems.


Netskope Threat Labs revealed earlier this month that the OceanLotus group was behind a malicious campaign that used non-standard file types like web archive file (.MHT) attachments to distribute information-stealing malware while evading signature-based detections.


With MFA enabled, best practices like good credential hygiene and network segmentation can help "increase the 'cost' to attackers trying to propagate through the [network]."


In order to limit an attacker's ability to move laterally and compromise assets after an initial intrusion, these best practices should be complemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components.
