Microsoft Warns of Large-Scale AiTM Phishing Targeting Over 10,000 Organisations

Background

Microsoft has disclosed a large-scale phishing campaign that has attempted to target more than 10,000 organisations worldwide since September 2021. The campaign uses adversary-in-the-middle (AiTM) phishing sites to steal passwords and hijack users' sign-in sessions, and then uses the compromised mailboxes to commit online payment fraud.

An AiTM phishing site sits between the victim and the legitimate Office 365 sign-in page as a proxy. The phishing emails carry links or attachments (in the observed campaign, an HTML file) that lead the recipient to this proxy. Because the proxy relays every request to the real sign-in service, it captures the user's password and, once the user has completed sign-in (including any multifactor authentication prompt), the session cookie issued by the service. Replaying that cookie lets the attacker open the mailbox without being challenged for MFA again.

The emails use urgent wording and high-importance flags to pressure recipients into opening the attachment, which redirects them to the proxied sign-in page and requests their login credentials. With the stolen credentials and session cookie, the attackers sign in to the victim's mailbox, search existing email threads (typically finance-related) and reply within them to redirect payments to accounts under their control. They also create Inbox rules that move or mark as read the replies to those threads, so that the mailbox owner does not notice the fraudulent conversation.

Impact

Organisations that use Microsoft Office 365 (Exchange Online) for email are the targets of this campaign. Because the attack captures the session cookie issued after a successful sign-in, multifactor authentication based on one-time codes or push approvals does not stop it. Compromised accounts may be used to reach sensitive systems and data and to divert payments, causing financial loss to affected organisations.

Recommendation

The Cyber Security Authority advises the following course of action:

  • Systems Administrators are advised to run user awareness programmes on this emerging risk, including the fact that a convincing sign-in page reached from an email attachment can capture credentials even when MFA is in use.
  • Systems Administrators are encouraged to enable Conditional Access policies, such as requiring a compliant (managed) device or a trusted IP address range, so that a replayed session from an unknown device or location is refused. Where possible, adopt phishing-resistant MFA (FIDO2 security keys or certificate-based authentication), whose credentials are bound to the legitimate site and cannot be relayed through a proxy.
  • Organisations are advised to invest in advanced anti-spam and anti-phishing tools that scan incoming email and visited websites and automatically identify and block malicious messages and content.
  • Organisations must continuously monitor for anomalous activity: suspicious sign-in attempts, the same sign-in session appearing from different IP addresses within a short period, the creation of Inbox rules that delete, move or mark as read incoming mail, and mail item access from untrusted IP addresses or devices.
  • Organisations are advised to report security incidents to the Cyber Security Authority (CSA) via the official Points of Contact for additional guidance (Email: report@csa.gov.gh, Phone: 292).
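As an added example (not part of this CSA advisory and not Microsoft's published hunting queries), the following Python script applies two of the monitoring checks above to a constructed batch of records shaped like Microsoft 365 unified audit log entries: it flags Inbox rules that hide finance-themed mail, and sign-in sessions whose identifier is reused from a second IP address within a short window, which is what a replayed stolen session cookie looks like. The field names Operation, UserId, ClientIP and Parameters follow the unified audit log; the SessionId field and the sample values are assumptions for illustration.

```python
"""Hunt unified-audit-log style records for two AiTM follow-on behaviours:
  1. New or modified Inbox rules that hide mail (delete, move or mark as read),
     combined with finance-themed keyword filters or a near-empty rule name.
  2. One sign-in session ID seen from two different client IPs within a short
     window, the signature of a stolen session cookie being replayed.
"""
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Field names follow the
# Exchange Online / Azure AD unified audit log shape (Operation, UserId,
# ClientIP, Parameters); "SessionId" is an assumed field name here.
SAMPLE_LOG = [
    {"CreationTime": "2022-07-12T08:01:10", "Operation": "UserLoggedIn",
     "UserId": "finance@example.com", "ClientIP": "203.0.113.10", "SessionId": "s-001"},
    # Same session, different IP two and a half minutes later: cookie replay.
    {"CreationTime": "2022-07-12T08:03:42", "Operation": "UserLoggedIn",
     "UserId": "finance@example.com", "ClientIP": "198.51.100.77", "SessionId": "s-001"},
    # Rule named "." that archives and marks as read payment-related mail.
    {"CreationTime": "2022-07-12T08:05:00", "Operation": "New-InboxRule",
     "UserId": "finance@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    # Benign rule: filing a newsletter sender, descriptive name, no keywords.
    {"CreationTime": "2022-07-12T09:15:00", "Operation": "New-InboxRule",
     "UserId": "hr@example.com", "ClientIP": "203.0.113.22",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2022-07-12T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "hr@example.com", "ClientIP": "203.0.113.22", "SessionId": "s-002"},
]

HIDE_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORD_FILTERS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "bank", "password"}


def rule_params(record):
    """Flatten the Parameters list of an Inbox rule record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_inbox_rules(records):
    """Return Inbox rules that hide mail and look attacker-made."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = rule_params(r)
        # An action counts only if it is present and not explicitly "False".
        hides = {a for a in HIDE_ACTIONS if str(p.get(a, "")).lower() not in ("", "false")}
        words = set()
        for f in KEYWORD_FILTERS & set(p):
            words |= {w.strip().lower() for w in p[f].split(";")}
        flagged_words = words & SUSPICIOUS_KEYWORDS
        short_name = len(p.get("Name", "")) <= 2   # rules named "." or ".." are a common tell
        if hides and (flagged_words or short_name):
            hits.append({"user": r["UserId"], "ip": r["ClientIP"], "rule_name": p.get("Name"),
                         "actions": sorted(hides), "keywords": sorted(flagged_words)})
    return hits


def replayed_sessions(records, window=timedelta(hours=1)):
    """Return sessions whose ID is reused from a different IP within `window`."""
    first_seen = {}
    hits = []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        if r.get("Operation") != "UserLoggedIn" or "SessionId" not in r:
            continue
        key = (r["UserId"], r["SessionId"])
        t = datetime.fromisoformat(r["CreationTime"])
        if key not in first_seen:
            first_seen[key] = (r["ClientIP"], t)
            continue
        first_ip, first_t = first_seen[key]
        if r["ClientIP"] != first_ip and t - first_t <= window:
            hits.append({"user": r["UserId"], "session": r["SessionId"], "first_ip": first_ip,
                         "second_ip": r["ClientIP"], "seconds_apart": int((t - first_t).total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in suspicious_inbox_rules(SAMPLE_LOG):
        print("Suspicious Inbox rule:", hit)
    for hit in replayed_sessions(SAMPLE_LOG):
        print("Session replayed from second IP:", hit)
```

Run against a real export (for example the JSON returned by Search-UnifiedAuditLog), the same two functions apply unchanged as long as the records carry the fields shown; the keyword list and the one-hour window are tuning knobs that should be adjusted to the organisation's normal traffic.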
