Security News > 2022 > January > Microsoft warns of multi-stage phishing campaign leveraging Azure AD
Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails.
"The inbox rule allowed the attackers to avoid arousing the compromised users' suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user."
Registering on Azure AD. The actors attempted rogue device registration onto the organization's Azure AD instance, hoping to enforce policies that would facilitate lateral phishing.
Azure AD triggers an activity timestamp when a device attempts to authenticate, which was the second chance for defenders to discover potentially suspicious registrations.
The second wave of phishing messages was much more voluminous than the first, counting over 8,500 SharePoint-themed emails with a "Payment.pdf" attachment.
Azure AD enrollment requires MFA. Zero trust policies are employed in all parts of the organization's network.
News URL
Related news
- HubSpot phishing targets 20,000 Microsoft Azure accounts (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- New Rockstar 2FA phishing service targets Microsoft 365 accounts (source)
- New FlowerStorm Microsoft phishing service fills void left by Rockstar2FA (source)
- Criminal IP: Bringing Real-Time Phishing Detection to Microsoft Outlook (source)
- Microsoft Sues Hacking Group Exploiting Azure AI for Harmful Content Creation (source)
- Azure, Microsoft 365 MFA outage locks out users across regions (source)
- New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass (source)
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (source)