Attackers connect rogue devices to organizations’ network with stolen Office 365 credentials
2022-01-27 14:21

Attackers are trying out a new technique to widen the reach of their phishing campaigns: using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations' network by registering them with the organizations' Azure AD. If successful, they are ready to launch the second wave of the campaign, which consists of sending more phishing emails to targets outside the organization as well as within.

"The victim's stolen credentials were immediately used to establish a connection with Exchange Online PowerShell, most likely using an automated script as part of a phishing kit. Leveraging the Remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message," the team explained.

This technique did not work in the majority of the cases, for one simple reason: users had multi-factor authentication enabled on their account, so the attackers couldn't leverage the stolen credentials in the first place.

Organizations should enable MFA for all users and require it when joining devices to Azure AD, as well as consider disabling Exchange Online PowerShell for end users, the team advised.
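
One way to hunt for the inbox rule described above, as an added example that is not from the article or from Microsoft: it scans audit records for New-InboxRule events that delete messages matched by keywords. The record shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs) is an assumption modelled on Microsoft 365 unified audit log entries, and the sample records are constructed.

```python
# Added example: flag New-InboxRule events that delete mail matched by keywords.
# Assumption: records are dicts shaped like Microsoft 365 unified audit log
# entries (Operation, UserId, ClientIP, Parameters as Name/Value pairs).

KEYWORD_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords",
                  "BodyContainsWords")


def params_of(record):
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p.get("Name"): p.get("Value")
            for p in (record.get("Parameters") or [])}


def suspicious_inbox_rules(records):
    """Return one finding per new rule that deletes messages based on keywords."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "New-InboxRule":
            continue
        params = params_of(rec)
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        keywords = [w.strip() for name in KEYWORD_PARAMS
                    for w in str(params.get(name) or "").split(";") if w.strip()]
        if deletes and keywords:
            findings.append({"user": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"),
                             "rule": params.get("Name"),
                             "keywords": keywords})
    return findings


# Constructed sample records (not from any real tenant or from the report).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "r1"},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "keyword-a;keyword-b"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.5", "Parameters": []},
]

if __name__ == "__main__":
    for finding in suspicious_inbox_rules(SAMPLE_RECORDS):
        print(finding)
```

A finding is a lead for triage, since users also create delete rules for legitimate reasons; the client IP and the timing relative to the sign-in help separate the two.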

A few days ago, Microsoft's threat intelligence analysts flagged another phishing campaign that targeted hundreds of organizations, this one an attempt to trick users into granting an app named "Upgrade" access to their Office 365 accounts.

Attackers have also been known to try to bypass Office 365 MFA via rogue apps, by stealing users' authorization codes or access tokens instead of their credentials.


News URL

https://www.helpnetsecurity.com/2022/01/27/rogue-devices-organizations/