Microsoft Issues Warning About Multi-Phase Phishing Attacks Targeted At Azure AD

Microsoft has warned users about a new multi-phase campaign targeting enterprise customers. The Microsoft 365 Defender Threat Intelligence Team detailed its findings on its Security blog, which indicates that these phishing attacks mainly target organizations that haven’t enabled multi-factor authentication (MFA).

As the name suggests, multi-factor authentication (MFA) is an authentication technique that requires two or more verification methods to validate a user’s identity, rather than relying on the traditional username-password combination. The goal of MFA is to offer an additional layer of security that prevents unauthorized access to sensitive information and decreases the chances of successful cyberattacks, identity thefts, and data breaches.

Multi-factor authentication (MFA) helps to block second-stage phishing attacks

Microsoft explained that the attackers use stolen credentials to register devices onto the corporate network in order to distribute phishing emails. The threat actors used this “evolved phishing” technique to target exploited instances in two phases. The first phishing attack involved stealing the stolen credentials in order to gain account privileges on the target’s network. The first stage focused primarily on organizations in Singapore, Thailand, Australia, and Indonesia.

In the second phase, the attackers used the hacked account to send DocuSign-themed phishing emails urging recipients to sign documents. The investigations revealed that the multi-stage phishing campaign leveraged Azure Active Directory (Azure AD) and Microsoft Intune to compromise the network.

“While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack’s propagation heavily relied on a lack of MFA protocols. Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain,” the company explained.

Microsoft has expressed deep concerns over the low adoption of “strong identity authentication” solutions in enterprise environments. The company advises that organizations should use multi-factor authentication for protection against phishing attempts. It also recommends deploying endpoint protection solutions can help detect unmanaged devices accessing an organizational network.