Towards the end of October and ongoing ever since I have been responding to a sustained spear phishing campaign. Recipients have been particularly susceptible to this campaign as it has involved the use of business email compromises (BEC) which means the phishing messages have been coming from an email address a person has already had trusted communications with.
Microsoft Threat Intelligence have a great write up on the attack here: https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign. This greatly reduces the size of this post π
The Email
Although the campaign has been experiences in all states, Threat adversaries have been targeting particular industries within my state. It would appear that once an email account is compromised, an email will be sent to all contacts of that account with the following details:
From: <[email protected]>
To: <Victim Email>
Subject: FWD: FWD- <Compromised Company> PTY LTD <DAY> <MON> <YEAR>
The body of the email is usually a template made to appear as if a file is being shared. Clicking on the link will take you to the compromised account’s OneDrive where a HTMLPhisher page is set up.
Fast Attack
One of the notable things about this campaign has been the speed in which the adversaries attempt to use credentials once compromised. Authentication logs show anomalous login attempts within minutes of credential compromise.
One common trait in all the attempts is that the threat adversaries employ the use of proxy anonymisers when attempting to log in.
What all the login attempts had in common were they were originating from FroxyProxy endpoints, an Estonian based proxy service used by other white-labeled services.
Impact
Over the last month, I’ve handled some 25 phishing campaigns, which is up on the usual half a dozen or so. They aren’t every day and usually see 2-3 in a day during business hours. At a guess I have remediated around 500 mailboxes to date.