Microsoft has discovered a new wave of multi-stage phishing attacks, with multi-factor authentication becoming a key defense for organizations
Microsoft has revealed that it recently discovered sophisticated phishing campaigns in which attackers add their own devices to corporate networks to propagate the attack further. Compared with traditional phishing tactics, this multi-stage, large-scale phishing attack uses newer techniques. Microsoft notes that where an organization has not activated multi-factor authentication, attackers can simply steal credentials and register their own devices (BYOD).

The first phase of the phishing campaign focused on stealing credentials from organizations in countries as far afield as Australia, Singapore, Indonesia and Thailand, while the second wave used the stolen credentials to extend the attackers' foothold by sending internal phishing messages and even external emails. In this case, device registrations were used in further phishing attacks, and Microsoft has observed device registrations used in other cases as well.

Multi-factor authentication can effectively prevent an attacker from accessing an organization's devices or network after stealing credentials. However, in an organization where multi-factor authentication is not activated, the attack can proceed inside the organization's network without hindrance.

“Phishing is still the primary means of gaining initial access to an enterprise intranet,” Microsoft said.
“This latest wave of phishing attacks represents improvements in the visibility and protection of managed devices, forcing attackers to explore alternative approaches.”

The increase in the number of employees working from home has expanded the potential attack surface and changed the boundaries between internal and external networks. Attackers deploy a variety of strategies to target hybrid work, human error, shadow IT, and unmanaged applications, services, devices and other infrastructure that operate outside standard policies. Microsoft says these unmanaged devices are prone to being missed by security teams when they are added, making them easy targets for exploitation.

The most worrying aspect of this case, Microsoft researchers say, is that the attacker not only managed to connect to the device, but also had full control over it.

According to Microsoft's disclosure of these latest phishing attacks, in the first phase the attackers compromised mailboxes at multiple organizations and used an inbox rule to evade detection. In the second phase, targeting organizations that lacked multi-factor authentication, they registered the attacker's unmanaged device and sent lateral, internal and outbound spam to spread malicious messages further.

The attack shows that when credentials are stolen and zero-trust policies are not in place, an attacker's unmanaged devices can become part of an organization's network.
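As an added example (not from Microsoft or the original article), the two phases described above can be turned into a simple correlation check: flag any device registration that follows a sign-in without multi-factor authentication and a newly created inbox rule for the same user. The event schema, field names and sample data are hypothetical and constructed for illustration; real audit and sign-in logs would need to be mapped onto them.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a real
# Microsoft log format); map your own audit and sign-in fields onto it.
SAMPLE_EVENTS = [
    {"time": "2022-01-10T08:00:00", "user": "alice@example.com", "type": "signin", "mfa": False},
    {"time": "2022-01-10T08:05:00", "user": "alice@example.com", "type": "inbox_rule"},
    {"time": "2022-01-10T09:30:00", "user": "alice@example.com", "type": "device_registration"},
    {"time": "2022-01-10T08:10:00", "user": "bob@example.com", "type": "signin", "mfa": True},
    {"time": "2022-01-10T08:20:00", "user": "bob@example.com", "type": "device_registration"},
    {"time": "2022-01-10T10:00:00", "user": "carol@example.com", "type": "signin", "mfa": False},
    {"time": "2022-01-10T10:15:00", "user": "carol@example.com", "type": "inbox_rule"},
]

def find_suspicious_registrations(events, window=timedelta(hours=24)):
    """Flag device registrations that follow a single-factor sign-in and a
    new inbox rule for the same user within `window`."""
    findings = []
    history = {}  # user -> earlier (timestamp, event) pairs, in time order
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        past = history.setdefault(ev["user"], [])
        if ev["type"] == "device_registration":
            recent = [(t, e) for t, e in past if when - t <= window]
            signins = [e for _, e in recent if e["type"] == "signin"]
            rules = [t for t, e in recent if e["type"] == "inbox_rule"]
            # The latest sign-in decides whether MFA protected this session.
            no_mfa = bool(signins) and not signins[-1]["mfa"]
            if no_mfa and rules:
                findings.append({"user": ev["user"], "registered": ev["time"],
                                 "rule_created": rules[-1].isoformat()})
        past.append((when, ev))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_registrations(SAMPLE_EVENTS):
        print(finding)
```

Only the first user is flagged: the second registered a device after an MFA sign-in, and the third has an inbox rule but no device registration.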