Microsoft warns of multi-stage phishing campaign leveraging Azure AD
Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails.
"The inbox rule allowed the attackers to avoid arousing the compromised users' suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user."
Registering on Azure AD

The actors attempted rogue device registration onto the organization's Azure AD instance, hoping to enforce policies that would facilitate lateral phishing.
Azure AD triggers an activity timestamp when a device attempts to authenticate, which was the second chance for defenders to discover potentially suspicious registrations.
The second wave of phishing messages was much more voluminous than the first, counting over 8,500 SharePoint-themed emails with a "Payment.pdf" attachment.
Azure AD enrollment requires MFA. Zero trust policies are employed in all parts of the organization's network.