Attackers using a novel credential phishing attack that leverages Active Directory to verify a victim’s password and gain access to an Office 365 account targeted a top financial person in a division of a large American corporation.
Once inside a victim’s account, bad actors could access sensitive financial documents, emails, calendar items and contact lists, according to an Armorblox blog post that detailed the attack.
The multifaceted attack customized a Malay language toolkit to attack an executive based in the Southwestern U.S. using a domain registered in Singapore that’s hosted in the northwest U.S. by a hosting company based out of India, said Prashanth Arun, head of data science at Armorblox.
“This was a targeted attack, specifically financial in nature,” Arun said. “While enabling MFA would have made the attack harder, the attackers could still have beat MFA by intercepting an OTP or authentication code and completing the transaction.”
The victim received a phishing email attachment late in the day on a Friday afternoon with a subject header that said “ACH Debit report.” When the victim clicked on the email, the attachment launched a browser that displayed a lookalike Office 365 page. If the wrong words were typed in, the attacker would have victim try again until he entered the right password.
“If after two tries the attack didn’t succeed, the attackers would redirect the victim to the real Office 365 page and go on to the next victim,” Arun said “In the past, if the victim typed in the wrong password, the attacker would have captured the faulty password and tried to sell it on the dark web.”
Other significant aspects of this attack: By sending the email from Amazon’s Simple Email Service, the attackers could bypass DKIM and SPF checks so the email did not wind up in the victim’s spam email inbox. In addition, once they discovered that the domain used in the victim’s public address email (acmecorp.com) was different from the domain name (acmecompany.com) used for the victim’s Active Directory login, they could leverage Office 365 APIs to authenticate in real-time.
“In this scenario, attackers can ascertain real-time Active Directory authentication instead of manually checking every submitted credential,” said Kacey Clark, a threat researcher at Digital Shadows. “More specifically, the attack-flow splits, and users are redirected differently depending on whether their credentials are legitimate and authenticated. With more and more organizations moving to Azure Active Directory, this is likely an increasingly useful attacker technique.”
The real- time check against AD is a new technique that attackers have added to their arsenal, said Vinay Pidathala, director of security research at Menlo Security. “With the entire enterprise infrastructure moving to a more cloud and API-driven architecture, it's natural for the attackers to also use similar techniques to ensure that their attacks are successful,” Pidathala said.