Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication (MFA).
"The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," the company's cybersecurity teams reported.
The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the adversary deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information.
"The phishing page has two different Transport Layer Security (TLS) sessions — one with the target and another with the actual website the target wants to access," the company explained.
"These sessions mean that the phishing page practically functions as an AitM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies."
Armed with this information, the attackers injected the cookies into their own browsers to circumvent the authentication process, even in scenarios where the victim had enabled MFA protections.
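The replay described above leaves a detectable trace: a session cookie minted after an MFA sign-in is then presented from a different IP address and browser without a new MFA prompt. The following is an added example, not code from the original article or from Microsoft; the event schema (`session_id`, `ip`, `ua`, `mfa`) and the sample rows are constructed for illustration and do not match any product's real log format.

```python
from datetime import datetime, timedelta

# Constructed sign-in/activity records (not real telemetry): each row is one
# request that presented an Office 365 session cookie, keyed by session_id.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00", "user": "alice@example.test", "session_id": "S1",
     "ip": "203.0.113.10", "ua": "Edge/103 Windows", "mfa": True},
    # Same cookie, minutes later, new IP and browser, no MFA: the replay pattern.
    {"ts": "2022-07-12T09:04:30", "user": "alice@example.test", "session_id": "S1",
     "ip": "198.51.100.7", "ua": "Chrome/103 Windows", "mfa": False},
    {"ts": "2022-07-12T10:00:00", "user": "bob@example.test", "session_id": "S2",
     "ip": "203.0.113.20", "ua": "Edge/103 Windows", "mfa": True},
    # Same cookie reused from the same device: normal continued use.
    {"ts": "2022-07-12T11:00:00", "user": "bob@example.test", "session_id": "S2",
     "ip": "203.0.113.20", "ua": "Edge/103 Windows", "mfa": False},
]

def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Return (user, session_id) pairs where a cookie issued after an MFA
    sign-in is later presented, within `window`, from both a different IP
    and a different user agent without a fresh MFA event."""
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session.setdefault((e["user"], e["session_id"]), []).append(e)
    suspicious = []
    for key, rows in by_session.items():
        first = rows[0]
        if not first["mfa"]:
            continue  # only sessions that started with a completed MFA challenge
        t0 = datetime.fromisoformat(first["ts"])
        for r in rows[1:]:
            t = datetime.fromisoformat(r["ts"])
            if (t - t0 <= window and not r["mfa"]
                    and r["ip"] != first["ip"] and r["ua"] != first["ua"]):
                suspicious.append(key)
                break
    return suspicious

if __name__ == "__main__":
    for user, sid in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"possible session cookie replay: {user} session {sid}")
```

Requiring both IP and user-agent to change keeps ordinary roaming (same browser, new network) out of the alert; tune the window to the observed gap between theft and follow-on activity, which Microsoft put at as little as five minutes.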
The phishing campaign spotted by Microsoft was orchestrated to single out Office 365 users by spoofing the Office online authentication page, with the actors using the Evilginx2 phishing kit for carrying out the AitM attacks.
This involved sending email messages containing voice message-themed lures that were marked with high importance, tricking the recipients into opening malware-laced HTML attachments that redirected to the credential-stealing landing pages.
To complete the ruse, the users were eventually redirected to the legitimate office[.]com website post-authentication, but not before the attackers leveraged the aforementioned AitM approach to siphon the session cookies and obtain control over the compromised account.
The attacks didn't end there, for the threat actors abused their mailbox access to perform payment fraud by using a technique called email thread hijacking to dupe parties on the other end of the conversation to illicitly wire funds to accounts under their control.
To further mask their communications with the fraud target, the threat actors also created mailbox rules that automatically moved every incoming email containing the relevant domain name to the "Archive" folder and marked it as "read."
"It took as little time as five minutes after credential and session theft for an attacker to launch their follow-on payment fraud," Microsoft noted.
The attackers are said to have employed Outlook Web Access (OWA) on a Chrome browser to conduct the fraudulent activities, while also deleting from the account's Inbox folder the original phishing email as well as the follow-on communications with the target from both the Archive and Sent Items folders to erase traces.
"This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks," the researchers said.
"While AiTM phishing attempts to circumvent MFA, it's important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place."
The findings come as a group of researchers from Stony Brook University and Palo Alto Networks demonstrated late last year a new fingerprinting technique that makes it possible to identify AitM phishing kits in the wild using a tool called PHOCA.
Attain the utmost emptiness, hold fast to stillness; all things arise together, and thereby I observe their return.
Tao Te Ching, Chapter 16
This article is translated from:
https://thehackernews.com/2022/07/microsoft-warns-of-large-scale-aitm.html
If reposting, please credit the original source.