Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA

Microsoft Security Blog, January 26, 2022 (updated June 26, 2023)
https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
We have recently uncovered a large-scale, multi-phase campaign that adds a novel technique to traditional phishing tactics by joining an attacker-operated device to an organization’s network to further propagate the campaign. We observed that the second stage of the campaign was successful against victims that did not implement multifactor authentication (MFA), an essential pillar of identity security. Without additional protective measures such as MFA, the attack takes advantage of the concept of bring-your-own-device (BYOD) via the ability to register a device using freshly stolen credentials.

The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand. Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.
Connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network. While device registration was used here to launch further phishing attacks, abuse of device registration is on the rise and other use cases have been observed. Moreover, the ready availability of pen testing tools designed to facilitate this technique will only expand its use by other actors in the future.

MFA, which prevents attackers from using stolen credentials to gain access to devices or networks, foiled the campaign for most targets. For organizations that did not have MFA enabled, however, the attack progressed.

Phishing remains the dominant means by which attackers gain initial entry into enterprises. This campaign shows that the continuous improvement of visibility and protections on managed devices has forced attackers to explore alternative avenues. The potential attack surface is further broadened by the increase in employees who work from home, which shifts the boundaries between internal and external corporate networks. Attackers deploy various tactics to target organizational issues inherent in hybrid work, human error, and “shadow IT”: unmanaged apps, services, devices, and other infrastructure operating outside standard policies.

These unmanaged devices are often ignored or missed by security teams at join time, making them lucrative targets for compromise, quiet lateral movement, jumping network boundaries, and achieving persistence in order to launch broader attacks. Even more concerning, as our researchers uncovered in this case, is when attackers manage to connect a device that they fully operate and that is under their complete control.

To fend off the increasingly sophisticated attacks exemplified by this campaign, organizations need solutions that deliver and correlate threat data from email, identities, cloud, and endpoints. Microsoft 365 Defender coordinates protection across these domains, automatically finding links between signals to provide comprehensive defense. Through this cross-domain visibility, we were able to uncover this campaign. We detected the anomalous creation of inbox rules, traced it back to an initial wave of phishing emails, and correlated data to expose the attackers’ next steps, namely device registration and the subsequent phishing campaign.

This attack shows the impact of an attacker-controlled unmanaged device that may become part of a network when credentials are stolen and Zero Trust policies are not in place. Microsoft Defender for Endpoint provides a device discovery capability that helps organizations find unmanaged devices operated by attackers as soon as they start interacting over the network with servers and other managed devices. Once discovered and onboarded, these devices can then be remediated and protected.

In this blog post, we share the technical aspects of a large-scale, multi-phase phishing campaign. We detail how attackers used the first attack wave to compromise multiple mailboxes across various organizations and implement an inbox rule to evade detection. This was followed by a second attack wave that abused one organization’s lack of MFA to register the attackers’ unmanaged device and propagate the malicious messages via lateral, internal, and outbound spam.

The campaign leveraged multiple components and techniques to quietly compromise accounts and propagate the attack. Using Microsoft 365 Defender threat data, we found the attack’s initial compromise vector to be a phishing campaign. Our analysis found that the recipients received a DocuSign-branded phishing email, displayed below:

The attacker used a set of phishing domains registered under the .xyz top-level domain. The URL domain can be described with the following regular expression:

UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"

The phishing link was uniquely generated for each email, with the victim’s email address encoded in the query parameter of the URL. After clicking the link, the victim was redirected to a phishing website at newdoc-lnpye[.]ondigitalocean[.]app, which imitated the login page for Office 365. The fake login page was pre-filled with the targeted victim’s username and prompted them to enter their password. This technique increased the likelihood that the victim viewed the website as legitimate and trustworthy.

Next, we detected that the victim’s stolen credentials were immediately used to establish a connection with Exchange Online PowerShell, most likely using an automated script as part of a phishing kit. Leveraging the remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message. The inbox rule allowed the attackers to avoid arousing the compromised users’ suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user.

During our investigation of the first stage of this campaign, we saw over one hundred compromised mailboxes in multiple organizations with inbox rules consistently fitting the pattern below:

First wave and rule creation
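As an added example (not code from the Microsoft post), the following Python sketches detection logic for the two first-wave artifacts described above: URL hosts matching the quoted regex, and New-InboxRule creations that delete messages on subject or body keywords. The audit-record layout and the sample events are constructed for illustration; only the parameter names are New-InboxRule's own.

```python
import re

# Domain pattern quoted in the post; the trailing $ is added here so a bare
# host field cannot match on a prefix alone.
PHISH_DOMAIN = re.compile(r"^[a-z]{5}\.ar[a-z]{4,5}\.xyz$")
# Real New-InboxRule parameters: keyword conditions and the delete action.
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"}
DELETE_PARAM = "DeleteMessage"

def is_phish_domain(host: str) -> bool:
    """True when a URL host fits the campaign's .xyz naming pattern."""
    return PHISH_DOMAIN.match(host.strip().lower()) is not None

def _params(record: dict) -> dict:
    """Flatten the record's parameter list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_suspicious_inbox_rule(record: dict) -> bool:
    """Flag New-InboxRule events that delete messages by keyword match."""
    if record.get("Operation") != "New-InboxRule":
        return False
    params = _params(record)
    deletes = str(params.get(DELETE_PARAM, "")).lower() == "true"
    return deletes and any(k in params for k in KEYWORD_PARAMS)

def triage(records: list) -> list:
    """Return (mailbox, rule name, keywords) for each suspicious rule."""
    hits = []
    for rec in records:
        if is_suspicious_inbox_rule(rec):
            p = _params(rec)
            words = next(p[k] for k in sorted(KEYWORD_PARAMS) if k in p)
            hits.append((rec["UserId"], p.get("Name", ""), words))
    return hits

# Constructed sample events in a simplified layout (not the real audit log
# schema): one evasion rule like the campaign's, one benign rule, one other op.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "undeliverable;helpdesk;password"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com", "Parameters": []},
]
```

Running `triage(SAMPLE_RECORDS)` reports only the first record, whose delete-by-keyword rule matches the evasion pattern the post describes.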