Case Study: cracking a global Adversary-In-The-Middle campaign using a threat intelligence toolkit – Sygnia

Sygnia’s incident response exposed a global BEC operation that used Adversary In The Middle (AiTM) to bypass Office365 authentication and persist on compromised accounts, enabling data exfiltration and mass phishing across dozens of organizations. The firm developed a CTI enrichment toolkit to help security teams analyze suspicious IOCs encountered during daily monitoring and detection.

Key points

  • A BEC attack leveraged an AiTM technique to bypass Office365 authentication and gain persistence in a victim’s account.
  • The attacker exfiltrated data and used the access to propagate phishing to other employees and targeted organizations.

MITRE Techniques

  • [T1566.002] Spearphishing Link – A phishing email leading to a fraudulent Office365 authentication page and an AiTM flow that steals credentials. Quote: ‘A phishing email was sent to one of the client’s employees, originating from a legitimate mailbox of an external company, assumed to be previously compromised.’
  • [T1134] Access Token – AiTM forwarded authentication and MFA challenges to Microsoft while stealing the session token to enable access. Quote: ‘…forwarding the client authentication and MFA challenge to a legitimate Microsoft authentication service while stealing the acquired session token as well as the credentials to enable access to the account.’
  • [T1078] Valid Accounts – Use of stolen tokens and manipulation to persist in the compromised Azure account. Quote: ‘logged into the victim’s account using the stolen token and added a new MFA device to gain persistent access.’
  • [T1566.003] Spearphishing via Service – The attacker used the compromised account to send additional phishing emails to dozens of recipients. Quote: ‘the threat actor used this access to send new phishing emails containing the new malicious link to dozens of the client’s employees as well as to additional targeted organizations.’
  • [T1036] Masquerading – Anti-forensic/anti-analysis steps, including a Cloudflare-driven “I’m not a robot” wall to hinder scraping and analysis. Quote: ‘an anti-forensic method which prevents tools such as urlscan.io, VirusTotal and other similar engines from scraping the site…’
  • [T1583.001] Domain Registration – Infrastructure built around registrant data and domain registrations (e.g., Stew Jeanne) used for phishing hosting. Quote: ‘Current WHOIS record shows it was updated… and registered under NAMECHEAP INC with privacy restrictions’
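The T1078 entry above describes the persistence step of the campaign: after logging in with the stolen session token, the attacker registered a new MFA device. That sequence (a successful sign-in from an IP the account has never used, followed within minutes by a new MFA method being registered) is something a SOC can hunt for in sign-in and audit logs. The following is an added example, not Sygnia's toolkit or code from the original post: all events, user names, IP baselines and field names are constructed for illustration (the 179.61.228.187 login source is the one the case study names), and the event schema is an assumption rather than any vendor's log format.

```python
"""Added example (not part of the original post): flag the AiTM persistence
pattern of a sign-in from an unfamiliar IP followed shortly by a new MFA
method registration.  Field names and sample data are constructed."""
from datetime import datetime, timedelta

# Constructed baseline: the IPs each user is normally seen signing in from.
BASELINE_IPS = {
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"203.0.113.5"},
}

# Constructed event stream.  'kind' is 'signin' or 'mfa_registered'; the
# 179.61.228.187 address is the login source named in the case study.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:02:00", "user": "alice@example.com",
     "kind": "signin", "ip": "198.51.100.10", "result": "success"},
    {"ts": "2024-01-10T09:15:00", "user": "alice@example.com",
     "kind": "signin", "ip": "179.61.228.187", "result": "success"},
    {"ts": "2024-01-10T09:21:00", "user": "alice@example.com",
     "kind": "mfa_registered", "ip": "179.61.228.187"},
    {"ts": "2024-01-10T10:00:00", "user": "bob@example.com",
     "kind": "signin", "ip": "203.0.113.5", "result": "success"},
    {"ts": "2024-01-10T10:05:00", "user": "bob@example.com",
     "kind": "mfa_registered", "ip": "203.0.113.5"},
]

# How long after an unfamiliar-IP sign-in an MFA registration is suspicious.
WINDOW = timedelta(hours=1)


def find_aitm_persistence(events, baseline, window=WINDOW):
    """Return a list of (user, signin_ip, signin_ts, mfa_ts) alerts.

    An alert is raised when a successful sign-in from an IP outside the
    user's baseline is followed, within `window`, by an MFA registration
    for the same user.  Events are processed in timestamp order.
    """
    alerts = []
    unfamiliar_signins = {}  # user -> list of (datetime, ip)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["kind"] == "signin" and ev.get("result") == "success":
            if ev["ip"] not in baseline.get(user, set()):
                unfamiliar_signins.setdefault(user, []).append((ts, ev["ip"]))
        elif ev["kind"] == "mfa_registered":
            for s_ts, s_ip in unfamiliar_signins.get(user, []):
                if timedelta(0) <= ts - s_ts <= window:
                    alerts.append((user, s_ip, s_ts.isoformat(), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for user, ip, signin_ts, mfa_ts in find_aitm_persistence(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"ALERT {user}: sign-in from {ip} at {signin_ts}, "
              f"new MFA method registered at {mfa_ts}")
```

On the constructed data only Alice is flagged: Bob's MFA registration comes from an IP already in his baseline. In a real deployment the baseline would be built from historical sign-in logs, and the window and the definition of "unfamiliar" (IP, ASN, or country) tuned to the tenant.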

Indicators of Compromise

  • [Domain] – lenstax[.]com (phishing landing page domain), patrickaweller[.]com (new phishing landing page), id-82882[.]com (infrastructure domain), compositseone[.]com (fraudulent authentication site), id840902[.]com (Cloudflare-related anti-forensics domain)
  • [IP] – 179.61.228[.]187 (login source, Australia, PIA VPN), 63.250.35[.]33 (malicious IP with broad domain resolution)
  • [Domain] – domains resolving to 63.250.35[.]33 and its associated connections (risk indicators from OSINT)
  • [URL/Website] – Cloudflare-based anti-automation links (I’m not a robot) and fraudulent Microsoft auth page
  • [File/Hash] – 100+ malicious files observed communicating with the malicious IPs (exact hashes not listed), plus two additional hashes

Read more: https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit