Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams (Security News, August 2022)
A new business email compromise (BEC) campaign has been discovered that combines sophisticated spear-phishing with adversary-in-the-middle (AiTM) tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA. By accessing the accounts of high-ranking employees such as the CEOs or CFOs of large organizations, the threat actors can monitor communications and respond to emails at the right moment to divert a large transaction to their own bank accounts.
The phishing emails sent in these attacks tell the target that the corporate bank account they usually send payments to has been frozen due to a financial audit, enclosing new payment instructions that switch to the account of an alleged subsidiary.
Because the stolen session can expire or be revoked, the threat actors add a new MFA device and link it to the breached Microsoft 365 account, a move that does not generate any alerts or require further interaction with the original account owner.
In the case seen by Mitiga, the threat actor added a mobile phone as the new authentication device, ensuring their uninterrupted access to the compromised account.
The threat actor was likely waiting for the right moment to inject their own emails to divert invoice payments to bank accounts under the attackers' control.
Windows admins can monitor for MFA changes on user accounts through the Azure Active Directory Audit Logs.
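The audit-log monitoring mentioned above, as an added example that is not part of the original article: a small Python detector that reads Azure AD (Microsoft Entra ID) audit records in the shape of the Microsoft Graph `directoryAudit` resource and flags successful security-info (MFA method) registrations, escalating those initiated from an IP address outside a known-good list. The sample records, the trusted IP list and the `example.com` users are constructed for the demo; the `activityDisplayName` values are the ones the Authentication Methods audit category is documented to use, but they are treated as an assumption here and should be checked against your tenant's own logs.

```python
import json

# Constructed sample audit records (not real tenant data), in the shape of
# Microsoft Graph directoryAudit entries. Record 1 is the scenario from the
# article: an executive's account registers a new MFA method from an
# unfamiliar IP. Record 2 is unrelated, record 3 is a legitimate registration
# from a corporate egress IP, record 4 is a failed attempt.
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2022-08-01T08:02:11Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com",
                                 "ipAddress": "203.0.113.45"}},
        "targetResources": [{"userPrincipalName": "cfo@example.com"}],
    },
    {
        "activityDateTime": "2022-08-01T08:30:00Z",
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                 "ipAddress": "198.51.100.7"}},
        "targetResources": [{"userPrincipalName": "bob@example.com"}],
    },
    {
        "activityDateTime": "2022-08-02T12:00:00Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                                 "ipAddress": "198.51.100.7"}},
        "targetResources": [{"userPrincipalName": "alice@example.com"}],
    },
    {
        "activityDateTime": "2022-08-02T12:05:00Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com",
                                 "ipAddress": "203.0.113.45"}},
        "targetResources": [{"userPrincipalName": "cfo@example.com"}],
    },
])

# Activity names used for MFA/security-info changes (assumed from Microsoft's
# Authentication Methods audit documentation; verify against your tenant).
SECURITY_INFO_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
    "Admin registered security info",
}

# Constructed list of known corporate egress addresses.
TRUSTED_IPS = {"198.51.100.7"}


def parse_audit_log(raw: str) -> list[dict]:
    """Parse a JSON array of directoryAudit records and sort chronologically
    (ISO-8601 timestamps with a Z suffix sort correctly as strings)."""
    records = json.loads(raw)
    return sorted(records, key=lambda r: r.get("activityDateTime", ""))


def find_mfa_registrations(records: list[dict], trusted_ips: set[str]) -> list[dict]:
    """Return one finding per successful security-info registration.
    Severity is 'high' when the initiating IP is not in trusted_ips."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in SECURITY_INFO_ACTIVITIES:
            continue
        if rec.get("result") != "success":
            continue  # failed attempts are noise for this rule
        actor = rec.get("initiatedBy", {}).get("user", {})
        ip = actor.get("ipAddress", "")
        target = next((t.get("userPrincipalName")
                       for t in rec.get("targetResources", [])
                       if t.get("userPrincipalName")), "<unknown>")
        findings.append({
            "time": rec.get("activityDateTime"),
            "user": target,
            "actor": actor.get("userPrincipalName", "<unknown>"),
            "ip": ip,
            "activity": rec["activityDisplayName"],
            "severity": "high" if ip not in trusted_ips else "info",
        })
    return findings


def run_detection() -> list[dict]:
    """Run the rule over the constructed sample log."""
    return find_mfa_registrations(parse_audit_log(SAMPLE_AUDIT_LOG), TRUSTED_IPS)


if __name__ == "__main__":
    for f in run_detection():
        print(f"[{f['severity']:4}] {f['time']} {f['user']} "
              f"registered security info from {f['ip']} ({f['activity']})")
```

In a real deployment the records would come from the Microsoft Graph `auditLogs/directoryAudits` endpoint or from the audit-log export wired into your SIEM, and the trusted-IP set would be replaced by your own egress ranges or a per-user baseline; the point of the rule is that a new authentication method on a CEO or CFO account from an address the organization does not own is worth an analyst's attention even though Azure AD itself raises no alert for it.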
Related news
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks
- North Korean govt hackers linked to Play ransomware attack
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks
- Microsoft patches Windows zero-day exploited in attacks on Ukraine
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
- ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps