Microsoft 365 business users targeted with new DocuSign phishing scam
Threat actors are using fake login forms to trick users into changing their payment details
A new business email compromise (BEC) campaign has been targeting Microsoft 365 organizations in a bid to hack corporate executives’ accounts and maliciously divert business payments.
Researchers from cyber security firm Mitiga found that the hackers are leveraging inherent weaknesses in 365’s multi-factor authentication (MFA), Microsoft Authenticator, as well as Microsoft 365 Identity Protection.
The attacks combine spear-phishing with an adversary-in-the-middle (man-in-the-middle) phishing proxy to compromise email accounts. Once inside, the attackers hijack business transactions by sending an email from the compromised account to the intended recipient of a pending payment, asking them to change the receiving bank account, according to Mitiga's research.
These emails trick the recipient into believing that the usual payment account has been frozen and convince them to pay into alternative accounts belonging to the threat actor.
The attacker also hijacks existing email threads from forged 'typosquatting' domains that look genuine at first glance because they differ from the real domain by only a character or two.
Mitiga’s researchers discovered the campaign when investigating a failed attack, which indicated that the attacker had access to sensitive information only obtainable by compromising a user’s account.
Spoofed DocuSign login page
As part of its investigation, the firm discovered unauthorized access to an executive’s 365 account from multiple locations, including Singapore, Dubai, and San Jose, California.
The compromise used an adversary-in-the-middle phishing technique for initial access to the account and mailbox. The initial email was crafted to mimic a notification from DocuSign, accurately imitating the layout of the popular electronic agreement platform and sent from a spoofed DocuSign address.
Although the spoofed sender fails DMARC checks, a misconfiguration in the client environment, a rule intended to minimise spam alerts on DocuSign mail, meant the message was not blocked and landed in the executive's inbox looking legitimate, the firm said.
On clicking the "Review Document" button, the victim was sent to a malicious domain and prompted for their Microsoft 365 (Azure AD) credentials. The threat actor runs a phishing framework such as evilginx2, a reverse proxy that sits between the spoofed login page and the real Microsoft login, relaying each request and response in both directions.
Because the victim is talking to the real login service through the proxy, the sign-in succeeds normally, including the MFA prompt the victim approves. The proxy captures the credentials and, more importantly, the session cookie issued after MFA; replaying that cookie lets the attacker assume the authenticated session without re-entering a password or approving a further MFA request. The victim is then redirected to a generic DocuSign error page and has little reason to suspect anything.
Nullifying multi-factor authentication
Compounding the breach, the attacker was then free to register a second authenticator app on the account without the user's knowledge. That gives persistent access that survives the stolen session expiring or being revoked, since the attacker can now satisfy MFA themselves.
“This gave the attackers full persistency of the breached account and effectively nullified the value of MFA,” Mitiga said.
In the incident investigated, the security firm said attackers accessed Exchange and SharePoint, but had not yet picked their moment to take action from the inbox.
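The investigation above turned on three signals: sign-ins for one account from far-apart locations in a short window, a session that kept working without a fresh MFA prompt, and a new authenticator registered shortly afterwards. The following is an added hunting script, not code from Mitiga or the article, that runs those checks over constructed, simplified records modelled loosely on Azure AD sign-in and audit log fields (the field names, IP addresses in TEST-NET ranges, timestamps and coordinates are all assumptions made for the example). It flags impossible travel between consecutive sign-ins and then looks for a security-info registration event within 24 hours of the anomalous sign-in, noting whether it came from the same IP.

```python
"""Hunt for AiTM session-hijack indicators in Azure AD-style logs (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:            # simplified sign-in log record (schema is an assumption)
    user: str
    time: datetime
    ip: str
    city: str
    country: str
    lat: float
    lon: float


@dataclass
class AuditEvent:        # simplified audit log record (schema is an assumption)
    user: str
    time: datetime
    ip: str
    activity: str


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data: an executive whose session cookie was replayed from
# Singapore 90 minutes after a genuine San Jose sign-in, followed by a new
# authenticator registration from the attacker's IP. A second user is benign.
SIGNINS = [
    SignIn("exec@example.com", _t("2022-08-10T09:00:00Z"), "198.51.100.10", "San Jose", "US", 37.3382, -121.8863),
    SignIn("exec@example.com", _t("2022-08-10T10:30:00Z"), "203.0.113.77", "Singapore", "SG", 1.3521, 103.8198),
    SignIn("exec@example.com", _t("2022-08-11T02:00:00Z"), "192.0.2.45", "Dubai", "AE", 25.2048, 55.2708),
    SignIn("staff@example.com", _t("2022-08-10T08:55:00Z"), "198.51.100.10", "San Jose", "US", 37.3382, -121.8863),
    SignIn("staff@example.com", _t("2022-08-10T17:10:00Z"), "198.51.100.10", "San Jose", "US", 37.3382, -121.8863),
]
AUDITS = [
    AuditEvent("exec@example.com", _t("2022-08-10T10:52:00Z"), "203.0.113.77", "User registered security info"),
    AuditEvent("staff@example.com", _t("2022-08-10T09:05:00Z"), "198.51.100.10", "User registered security info"),
]
REGISTRATION_ACTIVITIES = {"User registered security info", "User registered all required security info"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive sign-ins by the same user that would need travel faster than max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: (s.user, s.time)):
        by_user.setdefault(s.user, []).append(s)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = max((cur.time - prev.time).total_seconds() / 3600, 1 / 60)  # floor at one minute
            speed = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours
            if speed > max_kmh:
                findings.append({"user": user, "from_city": prev.city, "to_city": cur.city,
                                 "speed_kmh": round(speed), "time": cur.time, "ip": cur.ip})
    return findings


def registration_after_anomaly(audits, anomalies, window=timedelta(hours=24)):
    """Flag new-security-info registrations within `window` after an anomalous sign-in."""
    findings = []
    for a in audits:
        if a.activity not in REGISTRATION_ACTIVITIES:
            continue
        for anom in anomalies:
            if anom["user"] == a.user and timedelta(0) <= a.time - anom["time"] <= window:
                findings.append({"user": a.user, "registered_at": a.time, "registration_ip": a.ip,
                                 "same_ip_as_anomaly": a.ip == anom["ip"]})
    return findings


def hunt(signins=SIGNINS, audits=AUDITS):
    travel = impossible_travel(signins)
    return {"impossible_travel": travel,
            "mfa_registration": registration_after_anomaly(audits, travel)}


if __name__ == "__main__":
    for kind, items in hunt().items():
        for item in items:
            print(kind, item)
```

The registration check is the one worth automating: impossible travel alone has false positives from VPNs and mobile networks, but an authentication method added within hours of an anomalous sign-in, from the same IP, is a strong sign the attacker is establishing the persistence described above and warrants revoking sessions and removing the unknown method.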
Concluding its findings, Mitiga said that, although preventing these attacks is difficult, containing and limiting them should be relatively straightforward if a fresh MFA challenge were required for security-related activities such as registering a new authentication method. According to Mitiga, Microsoft did not offer this at the time.
“Given the accelerated growth of [these] attacks (even without the persistency allowed by an attacker adding a new, compromised, authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” it said.
“We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.”
The firm added: “Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent [these] attacks.”