Microsoft has reported a large-scale, multi-phase campaign that adds a novel technique to traditional phishing tactics.
The attackers register a device they operate with the victim organisation, then use it to propagate the campaign further.
Microsoft says this second stage succeeds only against victims that have not implemented multifactor authentication (MFA), an essential pillar of identity security. Without MFA or an equivalent control, the attack abuses the bring-your-own-device (BYOD) model: freshly stolen credentials are all that is needed to register an attacker-controlled device with the organisation, exactly as an employee would register a personal laptop or phone.
In the initial stage, attackers steal credentials from users in the target organisation. These are then leveraged in the second phase, in which the attackers use the compromised accounts to expand their foothold inside the organisation via lateral phishing, and beyond it via outbound spam.
Registering an attacker-controlled device allowed the attackers to propagate the attack covertly and move laterally through the targeted organisation. In this case device registration was used to send further phishing, but abuse of device registration is on the rise and other use cases have been observed. The ready availability of penetration-testing tools designed to facilitate this technique will only widen its use among other actors in future.
MFA foiled the campaign for most targets, because stolen credentials alone are not enough to sign in, let alone to register a device. For organisations that had not enabled MFA, however, the attack progressed.
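The pattern described above (a sign-in with stolen credentials and no MFA, followed shortly by a device registration from the same account) is something a security team can hunt for in its own sign-in and audit logs. The following Python script is an added example written for this page, not code from Microsoft's report or from UK Business IT. It assumes a simplified, constructed log format (one event per line with a timestamp, an event kind, and key=value fields) and a 24-hour look-back window; both are illustrative choices, and a real deployment would map the same logic onto the fields and timestamps of the identity provider's own sign-in and device-registration events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Look-back window between a weak sign-in and a device registration.
# Assumption for this example; tune to the organisation's normal join behaviour.
WINDOW = timedelta(hours=24)


@dataclass
class Event:
    ts: datetime
    kind: str      # "signin" or "device_registered"
    user: str
    ip: str
    mfa: bool      # only meaningful for sign-ins
    device: str    # only set for device registrations


def parse_line(line: str) -> Event:
    """Parse one constructed log line:
    <ISO-8601 UTC timestamp> <kind> key=value key=value ..."""
    ts_str, kind, *kvs = line.split()
    attrs = dict(kv.split("=", 1) for kv in kvs)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        kind=kind,
        user=attrs["user"],
        ip=attrs["ip"],
        mfa=attrs.get("mfa") == "yes",
        device=attrs.get("device", ""),
    )


def find_suspicious_registrations(lines, window=WINDOW):
    """Flag device registrations that follow, within `window`, a sign-in by the
    same account that was (a) not protected by MFA and (b) from an IP address
    never seen in an MFA-protected sign-in for that account."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    trusted_ips = {}    # user -> IPs seen in MFA-protected sign-ins
    weak_signins = {}   # user -> non-MFA sign-ins from untrusted IPs
    findings = []

    for e in events:
        if e.kind == "signin":
            if e.mfa:
                trusted_ips.setdefault(e.user, set()).add(e.ip)
            elif e.ip not in trusted_ips.get(e.user, set()):
                weak_signins.setdefault(e.user, []).append(e)
        elif e.kind == "device_registered":
            # Only weak sign-ins that happened before the registration and within the window count.
            recent = [s for s in weak_signins.get(e.user, [])
                      if timedelta(0) <= e.ts - s.ts <= window]
            if recent:
                s = max(recent, key=lambda x: x.ts)   # the most recent weak sign-in
                findings.append({
                    "user": e.user,
                    "device": e.device,
                    "registered_at": e.ts.isoformat(),
                    "registration_ip": e.ip,
                    "preceding_signin_ip": s.ip,
                    "minutes_since_signin": int((e.ts - s.ts).total_seconds() // 60),
                })
    return findings


# Constructed sample log for this example (not real data). alice is the
# compromised account: a non-MFA sign-in from a new IP, then a device join six
# minutes later. bob joins a device after an MFA sign-in; carol's weak sign-in is
# two days before her join and falls outside the window.
SAMPLE_LOG = [
    "2022-01-24T08:02:11Z signin user=alice@example.com ip=198.51.100.10 mfa=yes",
    "2022-01-25T09:14:02Z signin user=alice@example.com ip=203.0.113.7 mfa=no",
    "2022-01-25T09:20:41Z device_registered user=alice@example.com ip=203.0.113.7 device=DESKTOP-9Q2",
    "2022-01-25T10:05:00Z signin user=bob@example.com ip=192.0.2.44 mfa=yes",
    "2022-01-25T10:30:00Z device_registered user=bob@example.com ip=192.0.2.44 device=BOB-LAPTOP",
    "2022-01-23T10:00:00Z signin user=carol@example.com ip=198.51.100.20 mfa=no",
    "2022-01-25T11:00:00Z device_registered user=carol@example.com ip=198.51.100.20 device=CAROL-PC",
]

if __name__ == "__main__":
    for f in find_suspicious_registrations(SAMPLE_LOG):
        print(f)
```

Running the script reports only alice's registration. The check is deliberately conservative: a weak sign-in from an IP that the account has previously used with MFA is not flagged, which keeps noise down but means an attacker on the same network as the victim would slip past it. Where MFA is enforced for every user the weak-sign-in branch is never entered, which is the point the Microsoft report makes.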
Phishing remains the dominant means of gaining initial entry into enterprises. This campaign shows that continual improvement in visibility and protection on managed devices has pushed attackers to explore alternative avenues. The attack surface is broadened further by the increase in employees working from home, which blurs the boundary between internal and external corporate networks. Attackers deploy various tactics that target the organisational issues inherent in hybrid work, human error, and “shadow IT”: unmanaged apps, services, devices and other infrastructure operating outside standard policy.
These unmanaged devices are often ignored or missed by security teams at join time, making them lucrative targets for compromise, for quiet lateral movement, for jumping network boundaries, and for gaining the persistence from which to launch broader attacks. Even more concerning, as Microsoft's researchers uncovered, is when attackers manage to join a device that they own outright and control completely.
You must do all you can to protect your data.
If you need support, please get in touch with our team at UK Business IT.