Microsoft has disclosed details of a large-scale, multi-phase phishing campaign in which attackers used stolen credentials to register devices of their own with the victim organisation's directory (Azure AD device registration), letting them send further phishing email from inside the tenant and widen the pool of compromised accounts.
According to Microsoft, the attacks relied on accounts that were not protected by multi-factor authentication (MFA): armed with nothing more than a password, the adversary could take advantage of the target's bring-your-own-device (BYOD) policy and enrol rogue devices under the stolen identities.
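The control the compromised accounts lacked is a Conditional Access policy that demands MFA before a user may register or join a device. The following is an added example, not Microsoft's code, of how to audit a tenant for that gap: it takes Conditional Access policies in the shape returned by the Microsoft Graph call GET /identity/conditionalAccess/policies and reports whether an enforced policy covers the device-registration user action for all users. The three sample policies, the group and account object IDs, and the policy names are constructed for the example.

```python
# Added example: audit Azure AD Conditional Access policies for an enforced
# "MFA before device registration" rule. Not Microsoft's code; input is the
# JSON shape of GET /identity/conditionalAccess/policies (Microsoft Graph).
# The sample policies and IDs below are constructed, not from a real tenant.

REGISTER_DEVICE_ACTION = "urn:user:registerdevice"  # Graph user-action id for "Register or join devices"


def policy_enforces_mfa_for_registration(policy):
    """True if this one policy is enforced (not report-only), targets the
    device-registration user action, applies to all users, and requires MFA."""
    if policy.get("state") != "enabled":  # 'enabledForReportingButNotEnforced' blocks nobody
        return False
    conditions = policy.get("conditions") or {}
    actions = (conditions.get("applications") or {}).get("includeUserActions") or []
    if REGISTER_DEVICE_ACTION not in actions:
        return False
    users = conditions.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        return False
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])


def audit_device_registration_mfa(policies):
    """Summarise whether any policy closes the gap and who is excluded from it.

    Exclusions are reported rather than failing the check: a break-glass
    account is normally excluded on purpose, but every ID in the list is an
    identity that can still register a device with a password alone."""
    enforcing = [p for p in policies if policy_enforces_mfa_for_registration(p)]
    excluded = set()
    for p in enforcing:
        users = (p.get("conditions") or {}).get("users") or {}
        excluded.update(users.get("excludeUsers") or [])
        excluded.update(users.get("excludeGroups") or [])
    return {
        "covered": bool(enforcing),
        "policies": [p["displayName"] for p in enforcing],
        "excluded": sorted(excluded),
    }


# Constructed sample policies (hypothetical names and object IDs).
REPORT_ONLY = {  # looks right, but report-only mode enforces nothing
    "displayName": "Require MFA for device registration (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ADMINS_ONLY = {  # enforced, but scoped to one group: ordinary BYOD users are not covered
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["11111111-2222-3333-4444-555555555555"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ENFORCED = {  # the policy you want: all users, device-registration action, MFA required
    "displayName": "Require MFA for device registration",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["00000000-0000-0000-0000-000000000001"],  # break-glass account object id
        },
        "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print(audit_device_registration_mfa([REPORT_ONLY, ADMINS_ONLY]))
    print(audit_device_registration_mfa([REPORT_ONLY, ADMINS_ONLY, ENFORCED]))
```

The report-only case is the one worth watching for in practice: a pilot policy that was never switched to "enabled" looks identical in the portal list but stops nobody, and the exclusion list deserves a second look each time the audit runs.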
The campaign ran in two phases. In a technical write-up published last week, the Microsoft 365 Defender Threat Intelligence Team said the first phase focused on stealing credentials from organisations located mainly in Australia, Singapore, Indonesia, and Thailand.
In the second phase, the attackers used those credentials to expand their foothold inside the organisation through lateral phishing, and beyond it through outbound spam sent from the compromised accounts.
Registering a device they control lets the criminals spread the attack discreetly and move laterally through the targeted environment, because mail sent from that device under a legitimate account carries the trust of an insider.
In this case the registered device was used to launch further phishing, but Microsoft has observed the technique in other contexts as well, and abuse of device registration is on the rise.
Moreover, the ready availability of penetration-testing tools that automate this approach is likely to put the tactic in the hands of more actors in future.
This campaign highlights how attackers have had to find new ways around the steadily improving visibility and safeguards on managed devices.
As more employees work remotely, the line between internal and external corporate networks blurs, enlarging the attack surface.
Attackers use a range of strategies to exploit hybrid work, human error, and shadow IT: unmanaged apps, services, devices, and other infrastructure that operate outside normal policy.
Security teams can easily overlook such unmanaged devices, which makes them attractive footholds: an attacker can compromise one, move laterally without drawing attention, hop across network boundaries, and establish persistence from which to launch larger attacks.
Microsoft's researchers are more concerned still when attackers succeed in connecting a device that they fully control and operate, since such a device carries none of the controls or visibility a managed one would.
To defend against attacks of this kind, organisations need tooling that shares and correlates threat signals across email, identities, cloud services, and endpoints.
Microsoft 365 Defender coordinates protection across these domains and automatically links related signals into a single picture; that cross-domain correlation is how Microsoft uncovered this campaign.
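The correlation described in the last few paragraphs, and the two-phase pattern from the start of the article, can be written down as a small hunting rule. The following is an added example and not Microsoft 365 Defender's own detection logic: it joins three constructed event streams (sign-ins, device-registration audit entries, and outbound mail) and flags a registration that followed a password-only sign-in and was then followed by a burst of mail from the new device. The field names, users, IP addresses and timestamps are invented for the example.

```python
# Added example: cross-domain hunting rule for the campaign pattern
# (password-only sign-in -> device registration -> mail burst from that device).
# Not Microsoft's code. All events below are constructed sample telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

T = "2022-01-10T%s"  # keeps the constructed timestamps short


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _mail(user, device, n, start_hhmmss):
    """Constructed burst of n outbound messages from one user/device, one per minute."""
    base = datetime.fromisoformat(T % start_hhmmss)
    return [{"time": (base + timedelta(minutes=i)).isoformat(), "kind": "mail_sent",
             "user": user, "device": device, "recipient": f"user{i}@contoso.example"}
            for i in range(n)]


EVENTS = (
    # alice: password-only sign-in from an unfamiliar IP, registers a new device
    # minutes later, then that device sends a burst of mail (the campaign pattern)
    [{"time": T % "08:02:00", "kind": "signin", "user": "alice@contoso.example", "ip": "203.0.113.7", "mfa": False},
     {"time": T % "08:05:00", "kind": "device_registered", "user": "alice@contoso.example", "ip": "203.0.113.7", "device": "DESKTOP-NEW01"}]
    + _mail("alice@contoso.example", "DESKTOP-NEW01", 12, "08:40:00")
    # carol: also registers a device and sends a lot of mail, but her sign-in completed MFA
    + [{"time": T % "09:00:00", "kind": "signin", "user": "carol@contoso.example", "ip": "198.51.100.2", "mfa": True},
       {"time": T % "09:03:00", "kind": "device_registered", "user": "carol@contoso.example", "ip": "198.51.100.2", "device": "LAPTOP-CAROL"}]
    + _mail("carol@contoso.example", "LAPTOP-CAROL", 12, "09:30:00")
    # dave: password-only sign-in and registration, but no mail burst afterwards
    + [{"time": T % "10:00:00", "kind": "signin", "user": "dave@contoso.example", "ip": "192.0.2.9", "mfa": False},
       {"time": T % "10:04:00", "kind": "device_registered", "user": "dave@contoso.example", "ip": "192.0.2.9", "device": "DESKTOP-DAVE"}]
    + _mail("dave@contoso.example", "DESKTOP-DAVE", 2, "11:00:00")
)


def find_suspicious_registrations(events, window=timedelta(hours=24), mail_threshold=10):
    """Flag device registrations that (a) followed a sign-in without MFA from the
    same IP and (b) were followed within `window` by at least `mail_threshold`
    outbound messages from the newly registered device."""
    signins = defaultdict(list)
    mails = defaultdict(list)
    for e in events:
        if e["kind"] == "signin":
            signins[e["user"]].append(e)
        elif e["kind"] == "mail_sent":
            mails[(e["user"], e["device"])].append(e)

    flagged = []
    for reg in (e for e in events if e["kind"] == "device_registered"):
        # the sign-in that authorised the registration: same user and IP, latest one before it
        prior = [s for s in signins[reg["user"]] if s["ip"] == reg["ip"] and _ts(s) <= _ts(reg)]
        if not prior or max(prior, key=_ts)["mfa"]:
            continue  # no matching sign-in, or MFA was satisfied: not the campaign pattern
        sent = [m for m in mails[(reg["user"], reg["device"])]
                if _ts(reg) <= _ts(m) <= _ts(reg) + window]
        if len(sent) >= mail_threshold:
            flagged.append({"user": reg["user"], "device": reg["device"], "ip": reg["ip"],
                            "registered_at": reg["time"], "mail_count": len(sent)})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_registrations(EVENTS):
        print(hit)
```

Neither signal is conclusive on its own: plenty of legitimate users register a BYOD laptop, and plenty send a dozen messages in a morning. It is the join across identity and email telemetry, keyed on the same account and the same device, that turns two ordinary events into the pattern this campaign used, which is the point of correlating the domains rather than alerting on each in isolation.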
If you have not already done so, consider adopting zero-trust principles: require MFA on every account, and treat a device as trusted only once it has been verified, not merely because someone with a password was able to register it. Done properly, this strengthens your security posture and protects critical data, and ultimately gives employees, users, and customers the assurance they need.