Multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks have been launched by the Storm-1167 threat operation against banking and financial services organizations, The Hacker News reports.
Storm-1167 achieved initial access by compromising a trusted vendor, then used an indirect proxy to serve phishing pages to its targets, according to a report from Microsoft. The phishing emails sent by the operation contained a link that redirected targets to a fraudulent Microsoft sign-in page designed to capture credentials and time-based one-time passwords. The stolen credentials and TOTP codes were then replayed to impersonate the user and obtain access to their email inbox.
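The replay step described above leaves a detectable trace in sign-in telemetry: the identity provider sees a successful, MFA-satisfied sign-in, but from a network the user never uses, and the resulting session may be presented again from yet another network shortly afterwards. The following detection logic is an added example, not code from Microsoft's report or The Hacker News; the event schema, the `KNOWN_ASNS` baseline and the sample sign-in records are all constructed assumptions for illustration.

```python
"""Added example: flag sign-in patterns consistent with phished credentials
and TOTP codes being replayed from attacker-controlled infrastructure.
The event format and the per-user 'known network' baseline are assumptions
for this example, not any vendor's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Times are ISO 8601.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "time": "2023-06-08T09:00:00",
     "ip": "203.0.113.10", "asn": "AS64500", "session": "sess-A", "mfa": True},
    # Same session id reappears 90 s later from a different network: replay pattern.
    {"user": "alice@example.test", "time": "2023-06-08T09:01:30",
     "ip": "198.51.100.7", "asn": "AS64501", "session": "sess-A", "mfa": True},
    # Bob signs in twice from his usual network; nothing to flag.
    {"user": "bob@example.test", "time": "2023-06-08T09:05:00",
     "ip": "203.0.113.11", "asn": "AS64500", "session": "sess-B", "mfa": True},
    {"user": "bob@example.test", "time": "2023-06-08T11:05:00",
     "ip": "203.0.113.11", "asn": "AS64500", "session": "sess-B", "mfa": True},
    # Carol's MFA-satisfied sign-in comes from an ASN never seen for her before.
    {"user": "carol@example.test", "time": "2023-06-08T10:00:00",
     "ip": "192.0.2.44", "asn": "AS64502", "session": "sess-C", "mfa": True},
]

# Constructed per-user baseline: ASNs observed for each user in prior weeks.
KNOWN_ASNS = {
    "alice@example.test": {"AS64500"},
    "bob@example.test": {"AS64500"},
    "carol@example.test": {"AS64500"},
}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_replay(events, known_asns, window=timedelta(minutes=30)):
    """Return a list of (rule, user, session, ip) alerts."""
    alerts = []

    # Rule 1: the same session identifier is presented from two different
    # networks within `window`. An AitM relay hands the captured session to
    # the operator, so the token tends to resurface from a network the
    # legitimate user never touched.
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_session[e["session"]].append(e)
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            moved = cur["asn"] != prev["asn"]
            close_in_time = parse(cur["time"]) - parse(prev["time"]) <= window
            if moved and close_in_time:
                alerts.append(("session_reused_from_new_network",
                               cur["user"], sid, cur["ip"]))

    # Rule 2: an MFA-satisfied sign-in from an ASN outside the user's baseline.
    # A successful MFA check is not reassuring here: the TOTP was phished and
    # relayed in real time, so the factor was satisfied by the attacker.
    for e in events:
        if e["mfa"] and e["asn"] not in known_asns.get(e["user"], set()):
            alerts.append(("mfa_signin_from_unknown_network",
                           e["user"], e["session"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_EVENTS, KNOWN_ASNS):
        print(alert)
```

Run against the constructed sample, the logic raises three alerts: Alice's session reused from a new network, Alice's MFA sign-in from an unknown ASN, and Carol's MFA sign-in from an unknown ASN; Bob's repeated sign-ins from his usual network produce nothing. In practice the baseline would be built from weeks of sign-in history rather than a hard-coded dictionary, and the window tuned to the organisation's token lifetimes.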
Researchers also found that recipients of the phishing emails were subjected to a further AitM attack aimed at credential theft, which in turn triggered another phishing operation.
"This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud," said Microsoft.