Microsoft has disclosed a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack targeting banking and financial services organizations. The attack, known as Storm-1167, originated from a compromised trusted vendor and involved a series of AitM attacks and subsequent BEC activity across multiple organizations.
The attackers utilized an indirect proxy to tailor phishing pages and steal session cookies, showcasing the sophistication of AitM attacks. Unlike typical AitM campaigns, the attackers presented victims with a website mimicking the sign-in page of the targeted application and then used the submitted credentials to initiate an authentication session with that application themselves. The harvested session information was then used to gain unauthorized access to email inboxes, enabling the attackers to orchestrate BEC attacks.
In addition to stealing credentials, the attackers added a new SMS-based two-factor authentication method to target accounts, allowing them to sign in without raising suspicion. Microsoft’s analysis revealed that the attacker conducted a mass spam campaign, sending over 16,000 emails to the compromised user’s contacts within and outside the organization, as well as distribution lists.
The adversaries took measures to minimize detection, including responding to incoming emails and deleting them from the compromised mailbox. Subsequently, the recipients of the phishing emails were targeted with a second AitM attack, leading to the theft of their credentials and the initiation of another phishing campaign from a compromised account.
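As an added defender-side illustration (not code from Microsoft's report), the post-compromise sequence described above, a newly registered SMS MFA method followed by a mass-mail burst and deletion of incoming replies from the same mailbox, can be encoded as a simple correlation rule over account-activity events. The event schema, field names, thresholds and sample events are constructed for this example and do not reflect any vendor's log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str              # "mfa_method_added" | "mail_sent" | "mail_deleted"
    method: str = ""       # MFA method type, set for mfa_method_added
    count: int = 1         # recipients for mail_sent, messages for mail_deleted

def detect_aitm_bec(events, window=timedelta(hours=24),
                    sent_threshold=1000, deleted_threshold=20):
    """Flag users where a new SMS MFA method is followed, within `window`, by a
    mass-mail burst and deletion of incoming mail. One finding per MFA event."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for anchor in evs:
            if anchor.kind != "mfa_method_added" or anchor.method != "sms":
                continue
            later = [e for e in evs if anchor.ts < e.ts <= anchor.ts + window]
            sent = sum(e.count for e in later if e.kind == "mail_sent")
            deleted = sum(e.count for e in later if e.kind == "mail_deleted")
            if sent >= sent_threshold and deleted >= deleted_threshold:
                findings.append({"user": user, "mfa_added": anchor.ts,
                                 "sent": sent, "deleted": deleted})
    return findings

T0 = datetime(2023, 6, 1, 9, 0)
# Constructed sample events modelled on the reported chain; not real telemetry.
SAMPLE_EVENTS = [
    Event(T0, "alice@victim.example", "mfa_method_added", method="sms"),
    Event(T0 + timedelta(minutes=20), "alice@victim.example", "mail_sent", count=8000),
    Event(T0 + timedelta(minutes=50), "alice@victim.example", "mail_sent", count=8200),
    Event(T0 + timedelta(hours=2), "alice@victim.example", "mail_deleted", count=35),
    # Benign: user enrols an authenticator app and sends ordinary volumes.
    Event(T0, "bob@victim.example", "mfa_method_added", method="authenticator_app"),
    Event(T0 + timedelta(hours=1), "bob@victim.example", "mail_sent", count=12),
    # Benign: SMS method added but no mass-mail burst follows.
    Event(T0, "carol@victim.example", "mfa_method_added", method="sms"),
    Event(T0 + timedelta(hours=3), "carol@victim.example", "mail_sent", count=40),
]

if __name__ == "__main__":
    for f in detect_aitm_bec(SAMPLE_EVENTS):
        print(f"ALERT {f['user']}: {f['sent']} mails sent, {f['deleted']} deleted "
              f"within 24h of SMS MFA registration at {f['mfa_added']}")
```

Real deployments would key the rule on the tenant's audit-log event names for MFA registration and mailbox activity and tune the thresholds to the organization's normal sending volume.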
Microsoft emphasized the complexity of AitM and BEC threats, which exploit trusted relationships between vendors, suppliers, and partner organizations to perpetrate financial fraud.
This disclosure comes shortly after Microsoft’s warning about a surge in BEC attacks and the evolving tactics used by cybercriminals, such as leveraging platforms like BulletProofLink for large-scale malicious mail campaigns. The use of residential IP addresses was another tactic employed to make attack campaigns appear locally generated.
By purchasing IP addresses matching the victim’s location, BEC threat actors can obscure their movements, bypass “impossible travel” flags, and carry out further attacks.