
Microsoft 365 business users targeted with new DocuSign phishing scam

Threat actors are using fake login forms to trick users into changing their payment details


A new business email compromise (BEC) campaign has been targeting Microsoft 365 organizations in a bid to hack corporate executives’ accounts and maliciously divert business payments.

Researchers from cyber security firm Mitiga found that the hackers are exploiting inherent weaknesses in Microsoft 365's multi-factor authentication (MFA), Microsoft Authenticator and Microsoft 365 Identity Protection.


The attacks combine spear-phishing tactics with man-in-the-middle methods to compromise email accounts. The attackers essentially hijack business transactions by sending an email from the compromised account to its intended recipient with a request to change the receiving bank account, according to Mitiga research.

These emails trick the recipient into believing that the usual payment account has been frozen and convince them to use alternative accounts belonging to the threat actor.

The attacker will also hijack email chains using forged 'typosquatting' domains that appear genuine at first glance because of subtle character changes.

Mitiga’s researchers discovered the campaign when investigating a failed attack, which indicated that the attacker had access to sensitive information only obtainable by compromising a user’s account.

Spoofed DocuSign login page

As part of its investigation, the firm discovered unauthorized access to an executive’s 365 account from multiple locations, including Singapore, Dubai, and San Jose, California.

The compromise leveraged a man-in-the-middle phishing technique for initial access to the account and mailbox. The initial email was created to mimic a request from DocuSign, accurately imitating the layout of the popular electronic business agreements management platform with a spoofed address.

Although the spoofed address does not pass DMARC checks, a misconfiguration in the client environment, introduced to minimise spam alerts from DocuSign, meant the email was not blocked and appeared legitimate in the executive’s inbox, the firm said.

Upon clicking the “Review Document” button, the victim would then have been prompted to enter their Microsoft Azure login details on a malicious domain. As part of these tactics, the threat actor uses a phishing framework such as evilginx2, a reverse proxy that sits between the spoofed login page and the real one and relays the victim's input.

As the victim enters their details, the session cookie is snatched by the attacker and used to assume the user’s session, without needing to re-enter a password or approve an MFA request. The victim is then directed to a generic DocuSign error page.

Nullifying multi-factor authentication

Compounding the breach further, however, was the fact that the attacker was then free to set up a second authenticator app for the user without their knowledge, which essentially enables persistent access to the account after the session expires or is revoked.

“This gave the attackers full persistency of the breached account and effectively nullified the value of MFA,” Mitiga said.

In the incident investigated, the security firm said attackers accessed Exchange and SharePoint, but had not yet picked their moment to take action from the inbox.
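As an added, defender-side illustration (not from Mitiga's report or this article), the check below runs over constructed sign-in and audit records and flags the two signals described above: one account active from locations it cannot plausibly share within a single session (the footprint of a stolen session cookie replayed through an AitM proxy), and a security-info registration shortly after a sign-in from a location never seen for that user (an attacker adding a second authenticator). Field names and the "User registered security info" activity label are assumptions modelled loosely on Entra ID (Azure AD) logs.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID (Azure AD) sign-in and
# audit logs. Field names and the activity label are assumptions for this example,
# not an exact copy of Microsoft's schema.
SIGNINS = [
    {"time": "2022-11-01T06:30:00", "user": "exec@example.com", "location": "San Jose, US"},
    {"time": "2022-11-01T08:40:00", "user": "exec@example.com", "location": "Singapore, SG"},
    {"time": "2022-11-01T09:15:00", "user": "exec@example.com", "location": "Dubai, AE"},
    {"time": "2022-11-01T10:05:00", "user": "staff@example.com", "location": "London, GB"},
    {"time": "2022-11-01T17:30:00", "user": "staff@example.com", "location": "London, GB"},
]
AUDITS = [
    {"time": "2022-11-01T08:47:00", "user": "exec@example.com", "activity": "User registered security info"},
    {"time": "2022-11-01T10:30:00", "user": "staff@example.com", "activity": "Update user"},
]


def _t(rec):
    return datetime.fromisoformat(rec["time"])


def multi_location_sessions(signins, window=timedelta(hours=6)):
    """Users with sign-ins from two or more distinct locations inside `window`.

    A replayed session cookie makes one account appear active both where the
    user is and where the attacker's infrastructure is."""
    alerts = set()
    for a in signins:
        for b in signins:
            if (a["user"] == b["user"] and a["location"] != b["location"]
                    and timedelta(0) <= _t(b) - _t(a) <= window):
                alerts.add(a["user"])
    return sorted(alerts)


def mfa_registered_after_new_location(signins, audits, window=timedelta(hours=1)):
    """Security-info registrations preceded, within `window`, by a sign-in from a
    location absent from the user's earlier history: the pattern of an attacker
    enrolling a second authenticator to outlive the stolen session."""
    alerts = []
    for audit in audits:
        if audit["activity"] != "User registered security info":
            continue
        prior = [r for r in signins if r["user"] == audit["user"] and _t(r) <= _t(audit)]
        baseline = {r["location"] for r in prior if _t(audit) - _t(r) > window}
        recent = {r["location"] for r in prior if _t(audit) - _t(r) <= window}
        for loc in sorted(recent - baseline):
            alerts.append((audit["user"], loc, audit["time"]))
    return alerts
```

Either alert on its own is a reasonable trigger to revoke the user's sessions and review registered authentication methods; together they match the sequence Mitiga describes.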

Concluding its findings, Mitiga said that, although preventing these types of attacks is difficult, containing and limiting them should be relatively straightforward if an MFA challenge were required for security-related activities such as registering a new authentication method. However, Microsoft currently does not offer this.

“Given the accelerated growth of [these] attacks (even without the persistency allowed by an attacker adding a new, compromised, authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” it said.

“We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.”

The firm added: “Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent [these] attacks.”
