
Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams
2022-08-24 15:53

A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-the-Middle (AiTM) tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA. By accessing accounts of high-ranking employees such as CEOs or CFOs of large organizations, the threat actors can monitor communications and respond to emails at the right moment to divert a large transaction to their own bank accounts.

The phishing emails sent in these attacks tell the target that the corporate bank account they usually send payments to has been frozen due to a financial audit, enclosing new payment instructions that switch to the account of an alleged subsidiary.

Because valid sessions can expire or be revoked, the threat actors add a new MFA device and link it to the breached Microsoft 365 account, a move that doesn't generate any alerts or require further interaction with the original account owner.

In the case seen by Mitiga, the threat actor added a mobile phone as the new authentication device, ensuring their uninterrupted access to the compromised account.

The threat actor was likely waiting for the right moment to inject their own emails to divert invoice payments to bank accounts under the attackers' control.

Windows admins can monitor for MFA changes on user accounts through the Azure Active Directory Audit Logs.
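The two points above, that the attackers persist by registering a new MFA method and that admins can catch this through the Azure AD audit logs, can be turned into a concrete check. The script below is an added example, not code from the article or from Mitiga. It parses an export of audit records shaped like the Microsoft Graph `auditLogs/directoryAudits` resource (`activityDisplayName`, `initiatedBy`, `targetResources`, and so on) and raises an alert for every successful MFA method change, ranking it higher when the target is on an executive watchlist or the change was initiated from an address outside the usual egress range. The sample records, the watchlist and the allowlist are constructed; the activity name strings are the ones Azure AD uses for "security info" changes, but confirm them against the values your own tenant emits.

```python
"""Flag MFA (security info) changes in an Azure AD audit log export.

Added example, not from the article. Record shape follows the Microsoft Graph
auditLogs/directoryAudits resource; sample data below is constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Azure AD activity names that mean an MFA method was added, changed or
# removed. Assumption: verify against the values your tenant actually emits.
MFA_CHANGE_ACTIVITIES = {
    "User registered security info",
    "Admin registered security info",
    "User changed default security info",
    "User deleted security info",
}

# Assumed defender inputs: accounts that warrant a hard alert on any MFA
# change, and the egress addresses normally seen for self-service enrolment.
EXEC_WATCHLIST = {"ceo@example.com", "cfo@example.com"}
KNOWN_EGRESS_IPS = {"198.51.100.5"}

# Constructed sample export: a benign enrolment from the office, an enrolment
# on an executive account from an unfamiliar address, and an unrelated update.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {
        "activityDateTime": "2022-08-19T08:02:11Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "analyst@example.com",
                                 "ipAddress": "198.51.100.5"}},
        "targetResources": [{"userPrincipalName": "analyst@example.com"}],
    },
    {
        "activityDateTime": "2022-08-20T09:14:02Z",
        "activityDisplayName": "User registered security info",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{"userPrincipalName": "cfo@example.com"}],
    },
    {
        "activityDateTime": "2022-08-20T10:00:00Z",
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                 "ipAddress": "198.51.100.5"}},
        "targetResources": [{"userPrincipalName": "cfo@example.com"}],
    },
])


@dataclass
class Alert:
    when: datetime
    target: str
    actor: str
    source_ip: str
    activity: str
    severity: str
    reason: str


def _initiator(record: dict) -> tuple[str, str]:
    """Return (actor, source IP) whether a user or an app initiated the record."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    actor = user.get("userPrincipalName") or app.get("displayName") or "unknown"
    return actor, user.get("ipAddress") or "unknown"


def find_mfa_changes(records: Iterable[dict],
                     watchlist: set[str] = EXEC_WATCHLIST,
                     known_ips: set[str] = KNOWN_EGRESS_IPS) -> list[Alert]:
    """Return one Alert per successful MFA method change, ranked by risk."""
    alerts: list[Alert] = []
    for rec in records:
        if rec.get("activityDisplayName") not in MFA_CHANGE_ACTIVITIES:
            continue
        if rec.get("result") != "success":
            continue
        actor, ip = _initiator(rec)
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        for res in rec.get("targetResources", []):
            target = (res.get("userPrincipalName") or "").lower()
            if not target:
                continue
            watched, offsite = target in watchlist, ip not in known_ips
            if watched and offsite:
                severity, reason = "high", "MFA change on executive account from unfamiliar IP"
            elif watched:
                severity, reason = "medium", "MFA change on executive account"
            elif offsite:
                severity, reason = "low", "MFA change from unfamiliar IP"
            else:
                severity, reason = "info", "MFA change"
            alerts.append(Alert(when, target, actor, ip,
                                rec["activityDisplayName"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in find_mfa_changes(json.loads(SAMPLE_AUDIT_EXPORT)):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.severity:<6} {a.target} "
              f"by {a.actor} from {a.source_ip}: {a.reason}")
```

Run against a real export, the "Update user" record is deliberately ignored here; in tenants that still surface legacy MFA changes as "Update user" events with `StrongAuthenticationMethod` among the modified properties, extend the filter to cover those as well. The IP check is a coarse heuristic: an AiTM proxy relays the victim's session, so the enrolment may arrive from the attacker's infrastructure rather than the victim's usual address, which is exactly why a change on a watched account from an unfamiliar address is ranked highest.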

News URL

https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/

Related vendor

Vendor     #/Products (last 12M)  Low  Medium  High  Critical  Total vulns
Microsoft  365                    50   1369    2819  161       4399