TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Help Net Security

Microsoft: Phishing campaign used fake compliance notices to compromise employee accounts

Zeljka Zorz · 1 day ago

ATT&CK techniques detected

8 predictions
T1566.002 Spearphishing Link
97%
““ reviewed and approved for secure access. ” finally, a green banner at the foot of each email falsely indicated the contents had been encrypted using paubox, a real service associated with hipaa - compliant communications. the phishing email ( source : microsoft ) victims who op…”
T1566.002 Spearphishing Link
94%
“microsoft : phishing campaign used fake compliance notices to compromise employee accounts microsoft : phishing campaign used fake compliance notices to compromise employee accounts phishers have been using fake workplace compliance notices to try to trick microsoft account owner…”
T1566.002 Spearphishing Link
92%
“or the link will expire ). once clicked, the “ sign in with microsoft ” button initiated an adversary - in - the - middle ( aitm ) session. access credentials and code - based authentication factors submitted into the fake sign - in page were silently proxied to the real one, all…”
T1566.002 Spearphishing Link
81%
“##stication beyond typical phishing operations, ” they added. microsoft has urged organizations to deploy multi - factor authentication methods such as fido security keys or windows hello, which are not susceptible to aitm token theft. other recommended mitigations include enabli…”
T1557.001 Name Resolution Poisoning and SMB Relay
52%
“or the link will expire ). once clicked, the “ sign in with microsoft ” button initiated an adversary - in - the - middle ( aitm ) session. access credentials and code - based authentication factors submitted into the fake sign - in page were silently proxied to the real one, all…”
T1534 Internal Spearphishing
49%
“microsoft : phishing campaign used fake compliance notices to compromise employee accounts microsoft : phishing campaign used fake compliance notices to compromise employee accounts phishers have been using fake workplace compliance notices to try to trick microsoft account owner…”
T1111 Multi-Factor Authentication Interception
41%
“or the link will expire ). once clicked, the “ sign in with microsoft ” button initiated an adversary - in - the - middle ( aitm ) session. access credentials and code - based authentication factors submitted into the fake sign - in page were silently proxied to the real one, all…”
T1684.001 Impersonation
33%
“microsoft : phishing campaign used fake compliance notices to compromise employee accounts microsoft : phishing campaign used fake compliance notices to compromise employee accounts phishers have been using fake workplace compliance notices to try to trick microsoft account owner…”

Summary

Phishers have been using fake workplace compliance notices to try to trick Microsoft account owners into signing in via a fake sign-in page, says the company’s Defender Research team. The email campaign targeted more than 35,000 users across 13,000 organizations in 26 countries, but concentrated primarily on targets in the United States. Microsoft didn’t say how many fell for the lure and had their account compromised.

From inbox to account takeover

The campaign, which ran …