Organizations in the energy sector are being targeted with phishing emails aimed at compromising enterprise accounts, Microsoft warns.
The attack campaign
The attacks started with phishing emails with “NEW PROPOSAL – NDA” in the subject line, coming from a compromised email address belonging to a trusted organization.
The subject line and the SharePoint link included in the email are unlikely to raise suspicion among users, and such messages often evade traditional email-centric detection.
Users who click on the link are redirected to a fake login page that proxies the entered credentials to the legitimate login page, letting the attackers capture both the credentials and the cookie issued for the resulting authenticated session.
The phishing page (Source: Microsoft)
With that session cookie, they sign in from another IP address (178.130.46.8 or 193.36.221.10) and create an inbox rule that deletes all incoming email in the user’s mailbox and marks it as read.
Thus, the stage is set for a new large-scale phishing campaign: the attackers send hundreds of emails containing another phishing URL to the compromised user’s contacts.
The attackers delete undelivered and out-of-office responses from the Archive folder, and reply to recipients who questioned whether the email was legitimate, likely to convince them that it was. Those emails and replies are then deleted from the mailbox.
Recipients who click on the malicious URL are targeted with an adversary-in-the-middle (AiTM) attack.
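The post-compromise behaviour described above (a sign-in from an unfamiliar IP, then an inbox rule that deletes and marks-as-read every incoming message) is something a defender can hunt for in mailbox audit logs. The following is an added example, not Microsoft’s code: it runs a simple detection over constructed audit records whose layout is a simplified stand-in for Microsoft 365 unified audit log entries (an assumption), and it treats the two IP addresses reported in the article as known indicators.

```python
"""Flag inbox rules that suppress all incoming mail and enrich each finding with
sign-in context. Added example; the record schema below is a simplified,
assumed stand-in for Microsoft 365 unified audit log entries, and every record
in SAMPLE_LOG is constructed sample data."""
import json
from datetime import datetime, timedelta

# IP addresses reported for this campaign in the article above.
KNOWN_ATTACKER_IPS = {"178.130.46.8", "193.36.221.10"}

# Parameters that narrow an inbox rule to a subset of mail. A delete/mark-read rule
# with none of these applies to every incoming message. (Names follow Exchange
# Online's New-InboxRule; the list is an assumption and not exhaustive.)
CONDITION_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords",
                    "FromAddressContainsWords", "SentTo", "HasAttachment"}

# Constructed sample events, one JSON object per line, times in UTC (ISO 8601).
SAMPLE_LOG = r"""
{"CreationTime":"2024-04-29T08:01:10","Operation":"UserLoggedIn","UserId":"alice@energy.example","ClientIP":"203.0.113.5"}
{"CreationTime":"2024-05-02T09:14:03","Operation":"UserLoggedIn","UserId":"alice@energy.example","ClientIP":"178.130.46.8"}
{"CreationTime":"2024-05-02T09:16:41","Operation":"New-InboxRule","UserId":"alice@energy.example","ClientIP":"178.130.46.8","Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-05-02T10:00:00","Operation":"New-InboxRule","UserId":"bob@energy.example","ClientIP":"203.0.113.9","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-04-20T07:30:00","Operation":"UserLoggedIn","UserId":"carol@energy.example","ClientIP":"203.0.113.12"}
{"CreationTime":"2024-05-02T11:05:00","Operation":"New-InboxRule","UserId":"carol@energy.example","ClientIP":"203.0.113.12","Parameters":[{"Name":"Name","Value":"Vacation cleanup"},{"Name":"MarkAsRead","Value":"True"}]}
"""


def parse_events(text):
    """Parse one JSON object per non-blank line; return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.fromisoformat(ev["CreationTime"])
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def rule_params(ev):
    """Flatten the Name/Value parameter list of a rule event into a dict."""
    return {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}


def is_suppression_rule(ev):
    """True for an inbox rule that deletes or marks as read ALL incoming mail."""
    if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = rule_params(ev)
    destructive = p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
    unscoped = not (CONDITION_PARAMS & set(p))
    return destructive and unscoped


def find_aitm_indicators(text, lookback=timedelta(hours=24)):
    """One finding per suppression rule; 'high' when the creating IP is a known
    indicator or has no sign-in history for that user before the lookback window."""
    events = parse_events(text)
    findings = []
    for ev in events:
        if not is_suppression_rule(ev):
            continue
        user, ip, t = ev["UserId"], ev["ClientIP"], ev["_time"]
        baseline_ips = {e["ClientIP"] for e in events
                        if e.get("Operation") == "UserLoggedIn"
                        and e["UserId"] == user and e["_time"] < t - lookback}
        reasons = []
        if ip in KNOWN_ATTACKER_IPS:
            reasons.append("rule created from an IP reported in the campaign")
        if ip not in baseline_ips:
            reasons.append("rule created from an IP with no prior sign-in history for this user")
        findings.append({"user": user, "ip": ip, "time": ev["CreationTime"],
                         "rule": rule_params(ev).get("Name"),
                         "severity": "high" if reasons else "review",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_aitm_indicators(SAMPLE_LOG):
        print(finding)
```

Bob’s rule is ignored because it is scoped to a subject keyword; Carol’s unscoped mark-as-read rule is still surfaced for review, but only Alice’s rule, created minutes after a sign-in from an address the user had never used, is rated high.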
Remediation and prevention
“This attack demonstrates the operational complexity of AiTM campaigns and the need for remediation beyond standard identity compromise responses,” Microsoft researchers noted.
“Password resets alone are insufficient. Impacted organizations in the energy sector must additionally revoke active session cookies and remove attacker-created inbox rules used to evade detection.”
They must also verify that the attackers haven’t added a new multi-factor authentication (MFA) policy that would allow them to sign in with a one-time password sent to a mobile number under their control.
“While AiTM phishing attempts to circumvent MFA, implementation of MFA still remains an essential pillar in identity security and highly effective at stopping a wide variety of threats. MFA is the reason that threat actors developed the AiTM session cookie theft technique in the first place,” the researchers pointed out.
While any type of MFA adds to the security of an account, phishing- and AiTM-resistant authentication and MFA options such as FIDO2 security keys, passkeys (i.e., FIDO2 authentication without a separate hardware key), and certificate-based authentication are preferred.
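The reason FIDO2 and passkeys resist AiTM phishing is that the browser, not the page, writes the origin of the site the user is actually on into the signed client data, and the relying party rejects any assertion whose origin or challenge does not match. The following is an added illustration of those relying-party checks, not code from the article or from Microsoft; the origins, challenge and ceremony model are constructed and simplified.

```python
"""Minimal model of the relying party's WebAuthn clientDataJSON checks, showing
why an AiTM proxy on a look-alike domain cannot complete a FIDO2 sign-in.
Added example; RP_ORIGIN, the proxy origin and the challenge are constructed."""
import base64
import hashlib
import json
import os

RP_ORIGIN = "https://login.energy.example"  # constructed relying-party origin


def issue_challenge():
    """Relying party creates a fresh random challenge per ceremony (base64url)."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def browser_client_data(page_origin, challenge):
    """What the browser assembles for the authenticator. The origin field is
    filled in by the browser from the page actually loaded; a proxy serving
    the ceremony from its own domain gets its own origin recorded here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": page_origin}).encode()


def client_data_hash(client_data):
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so
    any edit to the origin after signing changes this hash and breaks the
    signature (the signature itself is out of scope for this model)."""
    return hashlib.sha256(client_data).hexdigest()


def verify_client_data(client_data, expected_challenge, expected_origin=RP_ORIGIN):
    """Relying-party checks on clientDataJSON during assertion verification.
    Returns (ok, reason)."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if c.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    if c.get("origin") != expected_origin:
        return False, f"origin mismatch: {c.get('origin')!r}"
    return True, "ok"


def rewriting_origin_breaks_signature(client_data, new_origin):
    """True if a proxy rewriting the origin would change the signed hash."""
    c = json.loads(client_data)
    c["origin"] = new_origin
    forged = json.dumps(c).encode()
    return client_data_hash(forged) != client_data_hash(client_data)


if __name__ == "__main__":
    challenge = issue_challenge()
    genuine = browser_client_data(RP_ORIGIN, challenge)
    proxied = browser_client_data("https://login-energy.example", challenge)  # constructed look-alike
    print("genuine:", verify_client_data(genuine, challenge))
    print("proxied:", verify_client_data(proxied, challenge))
    print("origin rewrite detectable:", rewriting_origin_breaks_signature(proxied, RP_ORIGIN))
```

Contrast this with the password-plus-OTP flow in the article: there the user types secrets that the proxy can simply forward, and nothing in the exchange is bound to the real origin, which is why session-cookie theft works against it.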
