Microsoft warns of multi-stage phishing campaign leveraging Azure AD (Security News, January 2022)

Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails.
"The inbox rule allowed the attackers to avoid arousing the compromised users' suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user."
Registering on Azure AD: the actors attempted to register rogue devices in the organization's Azure AD instance, aiming to have organizational policies applied to those devices so that lateral phishing from inside the tenant would be easier.
Azure AD records an activity timestamp when a device attempts to authenticate, which gave defenders a second chance to spot potentially suspicious registrations.
The second wave of phishing messages was much more voluminous than the first, counting over 8,500 SharePoint-themed emails with a "Payment.pdf" attachment.
Recommended defenses: require MFA for Azure AD device enrollment, and apply zero trust policies across all parts of the organization's network.
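The two behaviours the article describes, an inbox rule that hides non-delivery reports and IT notifications and a device registered to Azure AD without MFA that then authenticates shortly afterwards, are both visible in audit data. The following is an added detection sketch, not code from Microsoft or from the article: the audit records, field names (`operation`, `params`, `device_id`, `mfa`) and the keyword list are constructed for illustration, and a real deployment would map them onto the Exchange Online and Azure AD audit schemas in use.

```python
"""Detection sketch for the campaign pattern above (all data below is constructed)."""
from datetime import datetime, timedelta
import re

# Subject terms a mailbox rule might filter to hide bounce and helpdesk mail.
# Assumption: a reasonable starting list, not taken from the article.
NDR_SUBJECT = re.compile(
    r"undeliverable|could not be delivered|delivery (has )?failed|"
    r"it notification|helpdesk|security alert",
    re.I,
)

# Constructed Exchange audit records modelled loosely on New-InboxRule events.
INBOX_RULE_EVENTS = [
    {"time": "2022-01-10T08:15:00Z", "user": "alice@contoso.example",
     "operation": "New-InboxRule",
     "params": {"SubjectContainsWords": ["undeliverable", "IT notification"],
                "DeleteMessage": True, "MarkAsRead": True}},
    {"time": "2022-01-10T09:00:00Z", "user": "bob@contoso.example",
     "operation": "New-InboxRule",
     "params": {"From": "newsletter@vendor.example", "MoveToFolder": "Newsletters"}},
]

# Constructed Azure AD audit and sign-in records (hypothetical field names).
DEVICE_EVENTS = [
    {"time": "2022-01-10T08:20:00Z", "user": "alice@contoso.example",
     "operation": "Add registered device", "device_id": "dev-0001", "mfa": False},
    {"time": "2022-01-11T14:00:00Z", "user": "carol@contoso.example",
     "operation": "Add registered device", "device_id": "dev-0002", "mfa": True},
]
SIGNIN_EVENTS = [
    {"time": "2022-01-10T08:25:00Z", "user": "alice@contoso.example",
     "device_id": "dev-0001", "mfa": False},
    {"time": "2022-01-12T09:00:00Z", "user": "carol@contoso.example",
     "device_id": "dev-0002", "mfa": True},
]

HIDING_FOLDERS = ("RSS Subscriptions", "Deleted Items", "Archive")


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def suspicious_inbox_rules(events):
    """Rules that delete or hide mail whose subject matches NDR / IT-notification terms."""
    hits = []
    for e in events:
        p = e["params"]
        hides = bool(p.get("DeleteMessage") or p.get("MarkAsRead")
                     or p.get("MoveToFolder") in HIDING_FOLDERS)
        words = " ".join(p.get("SubjectContainsWords", []))
        if hides and NDR_SUBJECT.search(words):
            hits.append({"user": e["user"], "time": e["time"],
                         "reason": "inbox rule hides NDR/IT notifications"})
    return hits


def suspicious_device_registrations(device_events, signin_events, window=timedelta(hours=1)):
    """Registrations done without MFA, plus the first sign-in from that device within `window`.

    The sign-in is the activity timestamp the article calls the defenders' second chance.
    """
    hits = []
    for d in device_events:
        if d["operation"] != "Add registered device" or d["mfa"]:
            continue
        reg = parse_ts(d["time"])
        hit = {"user": d["user"], "device_id": d["device_id"],
               "reason": "device registered without MFA", "first_auth": None}
        for s in signin_events:
            delta = (parse_ts(s["time"]) - reg).total_seconds()
            if s["device_id"] == d["device_id"] and 0 <= delta <= window.total_seconds():
                hit["first_auth"] = s["time"]
                break
        hits.append(hit)
    return hits


def correlate(rule_hits, device_hits):
    """Accounts showing both behaviours: the sequence described in the article."""
    rule_users = {h["user"] for h in rule_hits}
    return sorted({h["user"] for h in device_hits if h["user"] in rule_users})


if __name__ == "__main__":
    rules = suspicious_inbox_rules(INBOX_RULE_EVENTS)
    devices = suspicious_device_registrations(DEVICE_EVENTS, SIGNIN_EVENTS)
    for h in rules + devices:
        print("ALERT", h)
    print("accounts with both behaviours:", correlate(rules, devices))
```

Either finding on its own is worth triage; an account that both creates a hiding rule and registers an unenrolled device within the same hour is the high-confidence case, and with MFA enforced on device registration the second signal should simply never appear.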
Related news
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts
- Microsoft: Hackers steal emails in device code phishing attacks
- Microsoft names alleged credential-snatching 'Azure Abuse Enterprise' operators
- Microsoft Exposes LLMjacking Cybercriminals Behind Azure AI Abuse Scheme
- Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- Microsoft's new AI agents take on phishing, patching, alert fatigue
- After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot