The Microsoft 365 Defender Threat Intelligence Team reported in a technical write-up that the attacks occurred in two stages. “The first campaign phase involved stealing credentials in target organisations primarily located in Australia, Singapore, Indonesia, and Thailand.
The second stage was successful against victims who did not use MFA, an important pillar of identity security. Without additional safeguards such as MFA, the attack exploits the concept of BYOD by allowing a device to be registered using freshly stolen credentials.”
Microsoft gave details of a large-scale, multi-phase phishing campaign in which stolen credentials are used to register devices on a user’s network in order to further propagate spam emails and broaden the infection pool.
The campaign began with users receiving a DocuSign-branded phishing lure containing a link that, when clicked, redirected the recipient to a rogue website impersonating the Office 365 login page in order to steal their credentials.
The theft of credentials not only resulted in the compromise of over 100 mailboxes across various companies, but it also allowed the attackers to implement an inbox rule to avoid detection. Then, a second attack wave exploited the lack of MFA protections to enrol an unmanaged Windows device in the company’s Azure Active Directory (AD) instance and spread the malicious messages.
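A defender-side correlation of the chain described above (non-MFA sign-in, inbox rule, device registration), added here as an example and not taken from Microsoft's report; the event schema, field names and sample records are constructed and hypothetical, not a real Azure AD or Exchange audit log format:

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema.
# "mfa" is only meaningful for SignIn events; None elsewhere.
SAMPLE_EVENTS = [
    {"time": "2022-01-26T08:00:00", "user": "alice@example.com", "action": "SignIn", "mfa": False},
    {"time": "2022-01-26T08:05:00", "user": "alice@example.com", "action": "New-InboxRule", "mfa": None},
    {"time": "2022-01-26T09:10:00", "user": "alice@example.com", "action": "DeviceRegistered", "mfa": None},
    {"time": "2022-01-26T08:00:00", "user": "bob@example.com", "action": "SignIn", "mfa": True},
    {"time": "2022-01-26T08:30:00", "user": "bob@example.com", "action": "DeviceRegistered", "mfa": None},
    {"time": "2022-01-25T10:00:00", "user": "carol@example.com", "action": "SignIn", "mfa": False},
    {"time": "2022-01-28T10:00:00", "user": "carol@example.com", "action": "DeviceRegistered", "mfa": None},
]

def find_suspicious_registrations(events, window=timedelta(hours=24)):
    """Return {user: reasons} for users whose device registration follows a
    sign-in without MFA inside `window`. An inbox-rule creation in between
    (the detection-evasion step in the campaign) adds a second reason."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append({**e, "ts": datetime.fromisoformat(e["time"])})
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, reg in enumerate(evs):
            if reg["action"] != "DeviceRegistered":
                continue
            # Only events that precede the registration and fall inside the window.
            earlier = [e for e in evs[:i] if reg["ts"] - e["ts"] <= window]
            if not any(e["action"] == "SignIn" and e["mfa"] is False for e in earlier):
                continue
            reasons = ["device registered after sign-in without MFA"]
            if any(e["action"] == "New-InboxRule" for e in earlier):
                reasons.append("inbox rule created before registration")
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_suspicious_registrations(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

Bob is not flagged because his sign-in used MFA, and Carol is not flagged with the default 24-hour window because her registration came three days after the sign-in.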
Earlier this month, Netskope Threat Labs discovered a malicious campaign attributed to the OceanLotus group that avoided signature-based detections by deploying information-stealing malware through non-standard file types such as web archive file (.MHT) attachments.
In addition to enabling MFA, best practices such as good credential hygiene and network segmentation can “increase the ‘cost’ to attackers attempting to propagate through the network.”
Finally, the researchers concluded: “These best practices can limit an attacker’s ability to move laterally and compromise assets after initial intrusion and should be supplemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components.”