Fintech, insurance, accounting, lending, and Federal Credit Union organizations based in the U.S., U.K., Australia, and New Zealand that use Microsoft email services are being targeted by an ongoing, extensive phishing campaign that uses a custom proxy-based phishing kit to evade multi-factor authentication and steal credentials, BleepingComputer reports.
Business email compromise appears to be the goal of the threat actors behind the campaign, which was first discovered in June, with payments being redirected to attacker-controlled accounts, according to a report from Zscaler's ThreatLabz researchers. The attackers were found to register typo-squatted versions of U.S. Federal Credit Union domains, as well as to use sites whose domain names match password-reset lures.
Moreover, the phishing emails contained links that redirect to the phishing pages, with the redirections routed through legitimate web resources so that the links pass security checks.
The threat actors have also been using the Muraena, Modlishka, and Evilginx2 tools to evade MFA and carry out adversary-in-the-middle attacks.
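The two lure patterns described above (a redirect through a legitimate site that lands on a typo-squatted look-alike of a credit-union domain) can be checked on extracted email links without any network access. The following is an added example for defenders and is not code from the report or from any of the tools named; the protected domains, redirect parameter names, sample URLs and similarity threshold are all constructed assumptions.

```python
"""Flag links that redirect via a legitimate host to a typo-squatted look-alike
of a protected domain, without fetching anything (offline triage)."""
from difflib import SequenceMatcher
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed assumptions: domains we protect and query-parameter names that
# commonly carry a redirect target on otherwise legitimate sites.
PROTECTED_DOMAINS = {"examplefcu.org", "example-credit-union.com"}
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "target", "u")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (no public-suffix list here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap_redirects(url: str, max_depth: int = 5) -> List[str]:
    """Follow redirect-style query parameters and return the URL chain,
    outermost first. Stops when no parameter carries an http(s) URL."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlparse(chain[-1]).query)
        nxt = next((unquote(v[0]) for k, v in query.items()
                    if k.lower() in REDIRECT_PARAMS and v[0].startswith("http")), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def typosquat_of(host: str, threshold: float = 0.85) -> Optional[str]:
    """Return the protected domain this host imitates, or None. An exact
    match is legitimate; a near-match above the edit-similarity threshold
    (e.g. 'examp1efcu.org' for 'examplefcu.org') is flagged."""
    dom = registrable_domain(host)
    if dom in PROTECTED_DOMAINS:
        return None
    best = max(PROTECTED_DOMAINS, key=lambda p: SequenceMatcher(None, dom, p).ratio())
    return best if SequenceMatcher(None, dom, best).ratio() >= threshold else None


def analyze_link(url: str) -> dict:
    """Summarize one link: redirect hops, final domain, and what it imitates."""
    chain = unwrap_redirects(url)
    final_host = urlparse(chain[-1]).hostname or ""
    imitates = typosquat_of(final_host)
    return {"hops": len(chain) - 1, "final_domain": registrable_domain(final_host),
            "imitates": imitates, "suspicious": imitates is not None}
```

Links flagged this way are candidates for blocking or analyst review; `hops` records how many legitimate redirectors the lure passed through.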