Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams (Security News, August 2022)

A new business email compromise (BEC) campaign has been discovered that combines sophisticated spear-phishing with adversary-in-the-middle (AiTM) tactics to take over corporate executives' Microsoft 365 accounts, even those protected by MFA. By accessing the accounts of high-ranking employees such as CEOs or CFOs of large organizations, the threat actors can monitor communications and reply to emails at the right moment to divert a large transaction to their own bank accounts.
The phishing emails sent in these attacks tell the target that the corporate bank account they usually send payments to has been frozen due to a financial audit, enclosing new payment instructions that switch to the account of an alleged subsidiary.
Because valid sessions can expire or be revoked, the threat actors add a new MFA device and link it to the breached Microsoft 365 account, a move that doesn't generate any alerts or require further interaction with the original account owner.
In the case seen by Mitiga, the threat actor added a mobile phone as the new authentication device, ensuring their uninterrupted access to the compromised account.
The threat actor was likely waiting for the right moment to inject their own emails to divert invoice payments to bank accounts under the attackers' control.
Windows admins can monitor for MFA changes on user accounts through the Azure Active Directory Audit Logs.
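The summary ends with the advice to watch the Azure AD audit logs for MFA changes. The script below is an added example for this page, not code from the reported article or from Mitiga; it scans an exported audit log for the activity names Azure AD writes when security info (an MFA method such as a phone) is registered, and ranks registrations made from outside an expected corporate network first, since that is what a device added by someone holding a stolen session would look like. Record field names follow the Microsoft Graph directoryAudit schema (activityDisplayName, category, loggedByService, activityDateTime, initiatedBy, targetResources); the sample records, user names and the trusted network range are constructed for the demonstration.

```python
"""Flag authentication-method (MFA) registrations in an Azure AD audit log export.

Added example for this page; it is not code from the reported article or from Mitiga.
Record field names follow the Microsoft Graph directoryAudit schema, and the sample
records and trusted network below are constructed for the demonstration.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Activity names Azure AD writes to the audit log when security info (an MFA method
# such as a phone) is added. Any of them on an executive's account deserves review.
SECURITY_INFO_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
    "Admin registered security info",
}

# Constructed assumption: the network from which MFA registration is normally done.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export (three records), shaped like a Graph directoryAudit listing.
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2022-08-10T14:03:21Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "loggedByService": "Authentication Methods",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com",
                                 "ipAddress": "198.51.100.77"}},
        "targetResources": [{"userPrincipalName": "cfo@example.com"}],
    },
    {
        "activityDateTime": "2022-08-10T15:10:02Z",
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "loggedByService": "Core Directory",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com",
                                 "ipAddress": "203.0.113.9"}},
        "targetResources": [{"userPrincipalName": "alice@example.com"}],
    },
    {
        "activityDateTime": "2022-08-11T09:30:45Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "loggedByService": "Authentication Methods",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                                 "ipAddress": "203.0.113.5"}},
        "targetResources": [{"userPrincipalName": "alice@example.com"}],
    },
])


def load_records(text):
    """Parse a JSON array of directoryAudit records."""
    return json.loads(text)


def _from_trusted_network(ip_text):
    """True when the initiator IP falls inside an expected corporate range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_mfa_registrations(records):
    """Return one alert per security-info registration, riskiest first.

    Registrations from outside the trusted networks sort to the top; within each
    group the oldest event comes first.
    """
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in SECURITY_INFO_ACTIVITIES:
            continue
        initiator = rec.get("initiatedBy", {}).get("user", {})
        targets = rec.get("targetResources", [])
        target_upn = targets[0].get("userPrincipalName") if targets else None
        ip = initiator.get("ipAddress", "")
        alerts.append({
            "user": target_upn or initiator.get("userPrincipalName"),
            "activity": rec["activityDisplayName"],
            "time": datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
                    .replace(tzinfo=timezone.utc),
            "ip": ip,
            "from_trusted_network": _from_trusted_network(ip),
            "result": rec.get("result"),
        })
    alerts.sort(key=lambda a: (a["from_trusted_network"], a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_registrations(load_records(SAMPLE_AUDIT_LOG)):
        flag = "ok     " if alert["from_trusted_network"] else "REVIEW "
        print(f"{flag} {alert['time']:%Y-%m-%d %H:%M} {alert['user']} "
              f"{alert['activity']} from {alert['ip']}")
```

Run against a real export, the same filter can be narrowed to a list of executive accounts, and the trusted-network check can be replaced by whatever location or device signal the tenant already records for sign-ins; the point is that a new authentication method on a finance or leadership account is a low-volume event worth reviewing every time.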
Related news
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks
- Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks
- Microsoft links recent Microsoft 365 outage to buggy update
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint
- New Microsoft 365 outage impacts Teams, causes call failures
- Microsoft 365 apps will prompt users to back up files in OneDrive
- Microsoft: North Korean hackers join Qilin ransomware gang
- Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts