AitM Phishing Attack Targeting Enterprise Users of Gmail

ThreatLabz analyzes a large-scale AitM phishing campaign targeting enterprise Gmail/G Suite users, showing strong overlap with a prior Microsoft email-targeted attack. The operation used multi-stage URL redirection, client-side fingerprinting, and MFA-bypass capabilities to steal credentials from executives. #AiTM #Gmail #GSuite #ThreatLabz

Keypoints

  • From July 2022, the same threat actor behind Microsoft AitM phishing targeted enterprise G Suite users (Gmail/GSuite).
  • The attack can bypass multi-factor authentication (MFA) protections for Gmail/G Suite accounts.
  • Emails were sent to CEOs and senior executives, sometimes also to their executive assistants.
  • Compromised executive emails were used to conduct additional phishing campaigns.
  • Multiple compromised domains served as intermediate URL redirectors landing users on final phishing pages.
  • A client-side fingerprinting script was used to evade automated URL analysis, with redirector scripts updated across campaigns.
  • Threat actors reused and adapted the same redirector infrastructure from the Microsoft campaign to target Gmail/G Suite.

MITRE Techniques

  • [T1566.001] Spearphishing Link – Emails with the malicious link embedded in them were the attack vector. ‘The attack vector used in this campaign was emails with the malicious link embedded in them.’
  • [T1071] Web Protocols – The attack chain leverages multiple levels of redirection and open redirect pages to land on the final attacker-controlled Gmail phishing domain. ‘This link leverages multiple levels of redirection and abuses Open Redirect pages to land the user on the final attacker-controlled Gmail phishing domain.’
  • [T1059.007] JavaScript – The intermediate redirector is a JavaScript hosted on compromised domains. ‘The intermediate redirector is a JavaScript hosted on compromised domains.’
  • [T1497] Virtualization/Sandbox Evasion – Client-side fingerprinting checks are used to detect automated analysis systems. ‘fingerprinting check on the client in order to make sure that a real user is browsing to the site and not an automated analysis system.’

Indicators of Compromise

  • [Phishing Domains] – phishing domains observed as final landing pages for the Gmail/GSuite phishing, e.g.: *.angalosos[.]xyz, *.mdks[.]xyz, *.7brits[.]xyz, *.fekir5[.]xyz, *.bantersplid[.]xyz, *.absmg[.]xyz, *.wultimacho[.]xyz, *.gsuiteworkstation[.]com, *.thyxyzjgdrwafzy[.]xyz, *.7dmjmg20p8[.]xyz, *.appfolders[.]xyz, *.4765445b-32c6-4-83e6-1d93765276[.]co, *.aucapitalsci[.]com, *.eaganins.click, *.disturbedmidiagroup.click
  • [Intermediate URL Redirectors] – note: these are compromised websites used to host redirect scripts, e.g.: *.southernlivingsavannah[.]com, *.sunnyislesdental[.]com, *.horticulturatanaka[.]com.br, ripple-hirodai[.]com, pathopowerreport[.]de, pagliaispizzakv[.]com, *.loftds[.]com, *.sabtsaeen[.]ir, *.jarrydrenton[.]com, *.alphamediaam[.]ir, *.hcapinfo[.]com, *.gamea[.]ir
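As an added detection example (not code from the ThreatLabz post), the script below refangs a subset of the IoCs above, treats a leading `*.` as "apex plus any subdomain" (an assumed convention), and scans constructed proxy-log lines in an assumed `<client_ip> <method> <url> <status>` format to flag clients that passed through a listed redirector before landing on a listed phishing domain; the subdomains in the sample log are constructed.

```python
from urllib.parse import urlparse
# Defanged indicators copied from the post's IoC list (subset); "*." means any subdomain.
PHISHING_DOMAINS = ["*.angalosos[.]xyz", "*.mdks[.]xyz", "*.gsuiteworkstation[.]com",
                    "*.4765445b-32c6-4-83e6-1d93765276[.]co", "*.eaganins.click"]
REDIRECTOR_DOMAINS = ["*.southernlivingsavannah[.]com", "ripple-hirodai[.]com",
                      "pathopowerreport[.]de", "*.sabtsaeen[.]ir"]

# Constructed proxy log lines for the demo: "<client_ip> <method> <url> <status>".
SAMPLE_LOG = [
    "10.1.1.5 GET https://www.southernlivingsavannah.com/redir.php?id=7 302",
    "10.1.1.5 GET https://accounts.google.com/signin 200",
    "10.1.1.5 GET https://login.angalosos.xyz/mail/ 200",
    "10.1.1.9 GET https://eaganins.click/ 200",
]

def refang(ioc):
    """Turn 'a[.]b' back into 'a.b' and split off a leading '*.' wildcard."""
    wildcard = ioc.startswith("*.")
    host = ioc[2:] if wildcard else ioc
    return host.replace("[.]", ".").lower(), wildcard

def host_matches(host, ioc):
    """Assumed semantics: wildcard IoC matches apex and every subdomain; plain IoC exact only."""
    base, wildcard = refang(ioc)
    host = host.lower().rstrip(".")
    return host == base or (wildcard and host.endswith("." + base))

def classify_host(host):
    """Return 'phishing', 'redirector' or None for a host seen in the log."""
    if any(host_matches(host, ioc) for ioc in PHISHING_DOMAINS):
        return "phishing"
    if any(host_matches(host, ioc) for ioc in REDIRECTOR_DOMAINS):
        return "redirector"
    return None

def find_aitm_chains(log_lines):
    """Return (client, redirector_host_or_None, phishing_host) for every client
    that reached a phishing domain, noting the last listed redirector it passed."""
    last_redirector, alerts = {}, []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, host = parts[0], urlparse(parts[2]).hostname
        kind = classify_host(host) if host else None
        if kind == "redirector":
            last_redirector[client] = host
        elif kind == "phishing":
            alerts.append((client, last_redirector.pop(client, None), host))
    return alerts
```

A hit with a redirector recorded is the multi-stage chain the post describes; a hit without one still deserves a ticket, since the redirector may simply be one not in the published list.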

Read more: https://www.zscaler.com/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail