A complex, adversary-in-the-middle BEC campaign
By Tim Nodar, CyberWire senior staff writer
Jun 13, 2023

A multi-stage business email compromise campaign targets financial services.

A complex, adversary-in-the-middle BEC campaign

Microsoft last week described a sophisticated phishing campaign that targeted several financial organizations. 

Multi-stage phishing.

“Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations,” the researchers write. “The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.”

The attackers used indirect proxies in order to create targeted phishing pages.

“While the attack achieved the end goal of a typical AiTM phishing attack followed by business email compromise, notable aspects, such as the use of indirect proxy rather than the typical reverse proxy techniques, exemplify the continuous evolution of these threats,” the researchers write. “The use of indirect proxy in this campaign provided attackers control and flexibility in tailoring the phishing pages to their targets and further their goal of session cookie theft. After signing in with the stolen cookie through a session replay attack, the threat actors leveraged multifactor authentication (MFA) policies that have not been configured using security best practices in order to update MFA methods without an MFA challenge. A second-stage phishing campaign followed, with more than 16,000 emails sent to the target’s contacts.”

Contacting the victims’ contacts.

After compromising the initial account, the threat actors used the access to launch targeted attacks against the people who had recently communicated with the victim.

“The emails were sent to the compromised user’s contacts, both within and outside of the organization, as well as distribution lists,” the researchers write. “The recipients were identified based on the recent email threads in the compromised user’s inbox. The subject of the emails contained a unique seven-digit code, possibly a tactic by the attacker to keep track of the organizations and email chains.”

Dror Liwer, co-founder of cybersecurity company Coro, sees the point of the complexity as the prospect of evading detection by many legacy security tools. “Attackers are getting much more sophisticated with the express objective of circumventing siloed cybersecurity defenses. This is a great example of a cross-domain attack that traditional cybersecurity tools will have difficulty catching,” he writes. “As the market is moving into consolidated platforms that provide cross-domain security on the one hand, and anomaly-based detection on the other, we should see better detection rates. The challenge is convincing security professionals to adopt unified platforms when specific threat based tools were the norm for the last 25 years.”

Techniques enable criminals to approach and ensnare more victims.

The campaign is designed to pivot from an initial victim to that victim’s contacts. This lends subsequent phishing operations an initial plausibility that may get the attaker over the first hurdles. Erich Kron, security awareness advocate at KnowBe4, explains:

“This is a clever attack using a couple of common attack methods together to create a better chance of success and potentially more victims. Fake login websites that can capture login credentials and MFA codes are often used by cybercriminals and can be created using free and easy to use software. They are even included with many PhaaS (Phishing-as-a-Service) subscriptions and can clone many different types of login pages with a few clicks of a mouse. By using these tools, bad actors can then take over email accounts and use the common tricks of the trade to perpetuate anything from invoice fraud to data theft and can even use the accounts to attempt to get users to give up other internally used passwords through phishing attacks. When phishing attacks come from an internal email address and a compromised real account, the level of trust in those emails is increased, making it much easier for attackers to trick employees.

“To guard against these types of attacks, employees should be educated on how to spot fake login pages and spoofed URLs, and should be cautious with any email, from an internal or external account, asking to provide sensitive information or payments. Periodic testing of employees through simulated social engineering attacks can help employees improve their ability to spot them and can get them in the habit of watching out for them.”