Advanced BEC Scam Campaign Targeting Executives on O365

Mitiga uncovered an advanced business email compromise (BEC) campaign that targets executives via Office 365, combining high-end spear-phishing with adversary-in-the-middle (AiTM) techniques to bypass MFA and achieve persistence. Attackers monitor significant transactions and push fraudulent emails to change destination bank accounts, enabling multi-million-dollar fraud, often targeting CEOs and CFOs.
#Mitiga #BEC #Office365 #AiTM #DocuSign #Foobar #FoobarLegal #Lointree

Keypoints

  • Targeted executives are lured with well-crafted phishing that impersonates DocuSign and leverages an AiTM setup to bypass MFA.
  • Attackers gain persistent access by exploiting a Microsoft 365 MFA design flaw to register a new Authenticator device on the compromised account, so access survives a password reset.
  • The fraud centers on altering the destination bank account details for a high-value transaction.
  • The attack uses lookalike domains (F00bar with zeros, impersonating Foobar) and a “Reply All” thread so the fraudulent bank-change request appears authentic to all recipients.
  • Initial access leads to reconnaissance in Office 365 (Outlook and SharePoint) to gather transaction-specific data.
  • The compromise was detected and contained by inspecting unusual logins and revoking sessions, with IOCs including IPs, domains, and a phish sender.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The victim receives a well-crafted phishing email appearing to come from DocuSign, with a legitimate docusign.net From address. “Victim receives a well-crafted phishing email, appearing from DocuSign, with a legitimate docusign.net from address. This was crafted specifically for an individual executive in the organization and is part of an existing phishing campaign targeting executives using Office 365.”
  • [T1539] Steal Web Session Cookie – The adversary intercepts MFA and uses the stolen session cookie to assume the victim’s session. “The victim is prompted with a genuine MFA request on their MFA device. After approving the request, the Microsoft server returns a valid session cookie, which the adversary sniffs and can then use to assume the victim’s session.”
  • [T1078] Valid Accounts – The compromise involved an executive’s account being used from unusual locations, indicating use of a compromised account. “The compromised account belonged to one of the executives of Foobar… identifying logins by that executive’s account from several suspicious IP addresses.”
  • [T1556] Modify Authentication Process – The attacker uses a Microsoft 365 MFA design flaw to register a new Authenticator app for the compromised user, giving persistent access that survives session revocation or a password reset. “Attacker uses a design flaw in M365 MFA to create a new Authenticator app for the compromised user… This circumvents various potential security controls… It also allows the attacker to transfer the credentials.”
  • [T1083] File and Directory Discovery – The attacker identifies transaction-related correspondence in Outlook and SharePoint and accesses the associated files (contracts, financial details). “Attacker identifies correspondence related to an upcoming transaction and continues collecting information by accessing files related to said transaction (contracts, financial details, and so on).”

Indicators of Compromise

  • [IP Address] context – 139.99.6.158 (Singapore), 154.6.17.158 (New York), 5.31.10.180 (Dubai), 20.245.118.47 (San Jose) – four IPs linked to different stages of the operation
  • [Domain] context – awin1.com (Phishing Infra), lointree.com (Phishing Infra), noxdirect.web.app (Phishing Infra), dsena3.web.app (Phishing Infra), dxdirect.web.app (Phishing Infra), accounts.lointree.com (phishing/login infrastructure)
  • [Email] context – [email protected] — Phish Sender used in the spoofed DocuSign email
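The detection and containment steps above (unusual logins, a newly registered Authenticator method, session revocation) can be scripted against exported Entra ID (Azure AD) sign-in and audit logs. The following is an added example written for this summary, not code from Mitiga or from the original blog post. It assumes JSON-lines exports with the field names shown; the log records, user names and the foobar.example tenant are constructed for illustration, and only the IP and domain IOCs come from the page.

```python
"""Triage of Entra ID sign-in and audit log exports for the BEC pattern above:
successful sign-ins from the published IOC IPs, followed within a window by a
'User registered security info' audit event for the same user (a new
Authenticator device being added for persistence). Sample records are
constructed; field names follow the Entra ID JSON export shape as assumed here."""
import json
from datetime import datetime, timedelta

# IOC IPs and domains from the report. Domains are kept for mail/proxy log matching.
IOC_IPS = {"139.99.6.158", "154.6.17.158", "5.31.10.180", "20.245.118.47"}
IOC_DOMAINS = {"awin1.com", "lointree.com", "accounts.lointree.com",
               "noxdirect.web.app", "dsena3.web.app", "dxdirect.web.app"}

# Constructed sample sign-in export (assumed shape; not real incident data).
SIGNIN_LOG = """
{"createdDateTime": "2023-03-01T08:02:11Z", "userPrincipalName": "cfo@foobar.example", "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2023-03-01T09:15:40Z", "userPrincipalName": "cfo@foobar.example", "ipAddress": "139.99.6.158", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2023-03-01T09:40:02Z", "userPrincipalName": "cfo@foobar.example", "ipAddress": "5.31.10.180", "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}}
{"createdDateTime": "2023-03-01T10:01:00Z", "userPrincipalName": "ceo@foobar.example", "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
"""

# Constructed sample audit export (assumed shape). The first record models the
# attacker registering an Authenticator app from an IOC IP shortly after sign-in.
AUDIT_LOG = """
{"activityDateTime": "2023-03-01T09:22:05Z", "activityDisplayName": "User registered security info", "initiatedBy": {"user": {"userPrincipalName": "cfo@foobar.example", "ipAddress": "139.99.6.158"}}, "resultReason": "User registered Authenticator App with Notification and Code"}
{"activityDateTime": "2023-03-01T11:30:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "admin@foobar.example", "ipAddress": "198.51.100.7"}}, "resultReason": ""}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value):
    """ISO-8601 'Z' timestamp to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ioc_signins(signin_records):
    """Successful sign-ins whose source IP is in the IOC set."""
    hits = []
    for r in signin_records:
        ok = r.get("status", {}).get("errorCode", 1) == 0
        if ok and r["ipAddress"] in IOC_IPS:
            hits.append({"upn": r["userPrincipalName"], "ip": r["ipAddress"],
                         "time": _ts(r["createdDateTime"]), "app": r["appDisplayName"]})
    return hits


def suspicious_mfa_registrations(signin_hits, audit_records, window=timedelta(hours=24)):
    """Security-info registrations by a user with an IOC sign-in up to `window` earlier.
    The registration IP is reported but not required to be an IOC: the attacker may
    register the device through a different egress than the AiTM proxy used."""
    first_hit = {}
    for h in signin_hits:
        first_hit[h["upn"]] = min(first_hit.get(h["upn"], h["time"]), h["time"])
    findings = []
    for a in audit_records:
        if a["activityDisplayName"] != "User registered security info":
            continue
        actor = a["initiatedBy"]["user"]
        upn, when = actor["userPrincipalName"], _ts(a["activityDateTime"])
        if upn in first_hit and first_hit[upn] <= when <= first_hit[upn] + window:
            findings.append({"upn": upn, "ip": actor["ipAddress"], "time": when,
                             "detail": a["resultReason"]})
    return findings


def containment_plan(signin_hits, mfa_findings):
    """Accounts whose sessions to revoke, and accounts whose MFA methods need review:
    revoking sessions alone does not remove an attacker-registered Authenticator."""
    return {"revoke_sessions": sorted({h["upn"] for h in signin_hits}),
            "review_mfa_methods": sorted({f["upn"] for f in mfa_findings})}


def triage(signin_text=SIGNIN_LOG, audit_text=AUDIT_LOG):
    hits = ioc_signins(parse_jsonl(signin_text))
    mfa = suspicious_mfa_registrations(hits, parse_jsonl(audit_text))
    return hits, mfa, containment_plan(hits, mfa)


if __name__ == "__main__":
    hits, mfa, plan = triage()
    for h in hits:
        print(f"IOC sign-in  {h['time']:%Y-%m-%d %H:%M} {h['upn']} from {h['ip']} ({h['app']})")
    for f in mfa:
        print(f"MFA change   {f['time']:%Y-%m-%d %H:%M} {f['upn']} from {f['ip']}: {f['detail']}")
    print("Containment:", plan)
```

For the accounts in `revoke_sessions`, revoking refresh tokens (for example with the Microsoft Graph PowerShell cmdlet `Revoke-MgUserSignInSession`) invalidates the cookie stolen through the AiTM proxy; the `review_mfa_methods` list is the reminder that the attacker-added Authenticator must also be removed, or the account can be re-entered after the reset.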

Read more: https://www.mitiga.io/blog/advanced-bec-scam-campaign-targeting-executives-on-o365