Did you miss a session from the Future of Work Summit? Head over to our Future of Work Summit on-demand library to stream.
Microsoft said today that it has investigated a major new phishing campaign that uses a “novel technique,” rendering the “traditional phishing remediation playbook” insufficient.
The company emphasized that the campaign was mainly successful against targets that weren’t using multifactor authentication (MFA).
Microsoft described it as a “large-scale, multiphase campaign.” The new tactic involved device registration — “joining an attacker-operated device to an organization’s network to further propagate the campaign,” the company said in a blog post.
In the first phase of the campaign, the attackers stole credentials from targeted organizations, which were located “predominantly” in Australia, Singapore, Thailand, and Indonesia, Microsoft said.
Then during the second phase, these stolen credentials were used to “expand their foothold” within the victim organization, using lateral phishing along with spam outside the network, according to Microsoft. Malicious messages were sent to more than 8,500 users as part of the second stage of the campaign.
Lack of MFA
The company said that the second stage succeeded by targeting organizations that did not have MFA, which requires additional methods of verification in order to authenticate a user.
MFA “foiled the campaign for most targets. For organizations that did not have MFA enabled, however, the attack progressed,” Microsoft said.
“While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled,” the company said. “The attack’s propagation heavily relied on a lack of MFA protocols. Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain.”
Some older Office 365 accounts do not support MFA, and are restricted to “basic authentication” — a standard username and password. Basic authentication is slated to be disabled by Microsoft, but for accounts that continue to rely on it, the risks of an attack are huge, identity platform Okta said in a report released this week.
The Okta report found that Office 365 accounts with basic authentication are 10 times more likely to be targeted by attackers than accounts with modern authentication — and that for every legitimate log-in attempt to a basic authentication account, there is an average of 53 malicious log-in attempts for the accounts.
Throw out the playbook
In terms of the device registration tactic, “connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network,” Microsoft said.
Device registration was utilized for additional phishing attacks, as well, according to the company.
“Leveraging device registration is on the rise as other use cases have been observed,” Microsoft said. “Moreover, the immediate availability of pen testing tools, designed to facilitate this technique, will only expand its usage across other actors in the future.”
All of which means that the “traditional phishing remediation playbook will not be sufficient here,” the company said.
“Simply resetting compromised accounts’ passwords may ensure that the user is no longer compromised, but it will not be enough to eliminate ulterior persistence mechanisms in place,” Microsoft said.
Additional steps recommended by Microsoft are: revoking active sessions along with any token that’s associated with accounts that’ve been compromised; deleting any mailbox rules that are created by the attacker; and disabling/removing any “rogue device” joined to Azure Active Directory by the attacker.
“If these additional remediation steps are not taken, the attacker could still have valuable network access even after successfully resetting the password of the compromised account. An in-depth understanding of this attack is necessary to properly mitigate and defend against this new type of threat,” Microsoft said.
Microsoft’s security focus
Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 715,000 security customers.
“We deliver advanced end-to-end cross-cloud, cross-platform security solutions, which integrate more than 50 different categories across security, compliance, identity, device management, and privacy, informed by more than 24 trillion threat signals we see each day,” Microsoft CEO Satya Nadella said Tuesday during the company’s quarterly call with analysts, according to a transcript posted by the company on its website.
Revenue for Microsoft’s security business grew 45%, surpassing $15 billion, during the past 12 months, year-over-year, Nadella said. The company’s security information and event management (SIEM) platform, Microsoft Sentinel, now has 15,000 customers, up 70% from a year ago, he disclosed.