CL-CRI-1116 campaigns combine SSO-style phishing pages with antidetect browsers and residential proxies to harvest credentials. Attackers use vishing from spoofed VoIP/CNAM to capture credentials and TOTPs, bypass MFA, abuse Microsoft Graph API and SaaS search to collect sensitive files, exfiltrate data via APIs or file-sharing services, and pressure victims with seven-figure ransom demands and SWATting. #CL-CRI-1116 #MicrosoftGraphAPI
Keypoints
- Phishing pages impersonate corporate SSO sites while using antidetect browsers and residential proxies to evade detection.
- Initial access is achieved through vishing from spoofed VoIP numbers or CNAM, tricking users into submitting credentials and TOTPs.
- Attackers bypass MFA by registering attacker-controlled devices and move laterally to compromise high-privileged executive accounts.
- They abuse Microsoft Graph API permissions (Sites.Read.All) and SaaS search (e.g., Salesforce) to locate files containing terms like "confidential" or "SSN."
- Data is exfiltrated via browser/API exports and staged on services like LimeWire or MEGA, followed by seven-figure ransom demands and SWATting threats.
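As an added detection example (not part of this report), the following correlates the post-MFA-bypass chain described above: a newly registered device followed, within a short window, by consent to the Sites.Read.All scope or a search for sensitive terms. The log records and their field names are a constructed, simplified schema modeled loosely on Entra ID audit-log activity names, not a real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical schema, one JSON object per line).
SAMPLE_LOG = """
{"time": "2024-05-01T09:00:00Z", "user": "cfo@example.com", "activity": "Sign-in", "detail": "MFA satisfied"}
{"time": "2024-05-01T09:04:00Z", "user": "cfo@example.com", "activity": "Register device", "detail": "new authenticator"}
{"time": "2024-05-01T09:20:00Z", "user": "cfo@example.com", "activity": "Consent to application", "detail": "Sites.Read.All"}
{"time": "2024-05-01T10:00:00Z", "user": "cfo@example.com", "activity": "Graph search", "detail": "query=confidential"}
{"time": "2024-05-01T11:00:00Z", "user": "hr@example.com", "activity": "Sign-in", "detail": "MFA satisfied"}
{"time": "2024-05-01T11:30:00Z", "user": "hr@example.com", "activity": "Consent to application", "detail": "User.Read"}
"""

WINDOW = timedelta(hours=2)                 # how long after device registration to look
HIGH_RISK_SCOPES = {"Sites.Read.All"}       # Graph scope abused in the campaign
SENSITIVE_TERMS = ("confidential", "ssn")   # search terms the attackers looked for


def parse_log(text):
    """Parse newline-delimited JSON records and sort them chronologically."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_post_mfa_bypass_chain(events, window=WINDOW):
    """Flag users who register a device and, within `window`, consent to a
    high-risk Graph scope or search for sensitive terms. Returns findings
    sorted by user; a user with no device registration is never flagged."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["activity"] != "Register device":
                continue
            followups = [f for f in evs[i + 1:] if f["time"] - ev["time"] <= window]
            scopes = [f["detail"] for f in followups
                      if f["activity"] == "Consent to application"
                      and f["detail"] in HIGH_RISK_SCOPES]
            searches = [f["detail"] for f in followups
                        if f["activity"] == "Graph search"
                        and any(t in f["detail"].lower() for t in SENSITIVE_TERMS)]
            if scopes or searches:
                findings.append({"user": user,
                                 "device_registered_at": ev["time"].isoformat(),
                                 "risky_scopes": scopes,
                                 "sensitive_searches": searches})
    return sorted(findings, key=lambda f: f["user"])
```

Run over real Entra audit and Graph activity exports, the same correlation would need the field names mapped to that export's schema.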