
Microsoft detects multi-stage cyber attacks on banks and financial organizations

New multi-stage phishing and email compromise are among the top threats reported

This pill is also available in Italian.

Microsoft has identified a series of multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) cyberattacks on banks and financial organizations. The attacks originated from a compromised trusted vendor and expanded into a chain of follow-on compromises spanning multiple organizations. The threat actor, tracked as Storm-1167, used an indirect proxy that let it tailor phishing pages to each target. In this way the attackers stole session cookies and login credentials, demonstrating the sophistication of the campaign.

This cyberattack differs from other AiTM attacks

This cyberattack differs from other AiTM attacks, in which the decoy page acts as a reverse proxy that harvests the credentials and one-time passwords (OTPs) the victim enters. Here the attackers present the victim with a page that mimics the target application's login page but is hosted on a cloud service. That page loads resources from an attacker-controlled server, which uses the victim's credentials to initiate an authentication session with the target application's authentication provider.
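As an added defensive illustration, not part of the original article or Microsoft's report: a small Python check over constructed sign-in telemetry that flags a session token presented by a client other than the one that authenticated, which is the trace left behind when an AiTM proxy relays the login and the stolen session cookie is then reused elsewhere. The log format, field names and sample values are assumptions.

```python
from datetime import datetime

# Constructed sample telemetry (not real data). Fields:
# timestamp,event,user,session_id,client_ip,user_agent
SAMPLE_EVENTS = """\
2023-06-01T09:00:00Z,login,alice@example.test,sess-a1,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/114
2023-06-01T09:05:00Z,mail_read,alice@example.test,sess-a1,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/114
2023-06-01T09:07:00Z,mail_read,alice@example.test,sess-a1,198.51.100.7,python-requests/2.31
2023-06-01T09:08:00Z,mail_send,alice@example.test,sess-a1,198.51.100.7,python-requests/2.31
2023-06-01T09:09:00Z,mail_read,alice@example.test,sess-zz,198.51.100.7,python-requests/2.31
2023-06-01T10:00:00Z,login,bob@example.test,sess-b1,192.0.2.44,Mozilla/5.0 (Macintosh) Safari/16
2023-06-01T10:03:00Z,mail_read,bob@example.test,sess-b1,192.0.2.44,Mozilla/5.0 (Macintosh) Safari/16
"""


def parse_events(text):
    """Parse the CSV-like lines above into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, sid, ip, ua = line.split(",", 5)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "user": user, "session_id": sid, "ip": ip, "ua": ua,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events):
    """Bind each session to the client that authenticated it, then flag later use
    of that session from a different IP or user agent. A session with no login
    on record is also flagged: the cookie arrived without a sign-in behind it."""
    bound = {}      # session_id -> (ip, user_agent) recorded at login
    findings = []   # (session_id, user, event, reasons)
    for ev in events:
        sid = ev["session_id"]
        if ev["event"] == "login":
            bound[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            findings.append((sid, ev["user"], ev["event"], ["no_login_seen"]))
            continue
        ip0, ua0 = bound[sid]
        reasons = []
        if ev["ip"] != ip0:
            reasons.append("ip_changed")
        if ev["ua"] != ua0:
            reasons.append("user_agent_changed")
        if reasons:
            findings.append((sid, ev["user"], ev["event"], reasons))
    return findings
```

In the sample, alice's session is first used from her browser and then from a different address and client, which is the pattern to alert on; bob's session stays bound to one client and produces no finding.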

The criminals abuse access to mailboxes

Finally, the criminals abuse their mailbox access to steal sensitive information and orchestrate a BEC attack. In the incident analyzed by Microsoft, the attacker launched a massive spam campaign, sending more than 16,000 emails to the compromised user's contacts, both inside and outside the organization, and to distribution lists. The attackers also took steps to minimize detection and maintain persistence, replying to incoming emails and then deleting them from the mailbox.

The attack demonstrates the complexity of the AiTM and BEC threats

Ultimately, this attack demonstrates the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, partners and other organizations to commit financial fraud. Microsoft has recently reported an increase in BEC attacks and in the tactics cybercriminals use, including platforms such as BulletProftLink to run large-scale malicious email campaigns. Another tactic is the use of residential IP addresses so that campaigns appear to originate locally: attackers can purchase residential IP addresses matching the victim's location and use them as residential IP proxies that disguise their origin and enable further attacks.


06/10/2023 13:08

Marco Verro

