Security News > 2022 > January > Microsoft warns of multi-stage phishing campaign leveraging Azure AD
Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails.
"The inbox rule allowed the attackers to avoid arousing the compromised users' suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user."
Registering on Azure AD. The actors attempted rogue device registration onto the organization's Azure AD instance, hoping to enforce policies that would facilitate lateral phishing.
Azure AD triggers an activity timestamp when a device attempts to authenticate, which was the second chance for defenders to discover potentially suspicious registrations.
The second wave of phishing messages was much more voluminous than the first, counting over 8,500 SharePoint-themed emails with a "Payment.pdf" attachment.
Azure AD enrollment requires MFA. Zero trust policies are employed in all parts of the organization's network.
News URL
Related news
- Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails (source)
- Microsoft’s new AI agents take on phishing, patching, alert fatigue (source)
- After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot (source)
- Tycoon2FA phishing kit targets Microsoft 365 with new tricks (source)
- Gamma AI Platform Abused in Phishing Chain to Spoof Microsoft SharePoint Logins (source)
- Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach (source)