New Device Registration Method Adds To Phishers’ Toolbox For Victims Without MFA

Most of us assume we can spot a phishing or spoofed email at a glance, but attackers keep refining their lures. In current threat reporting, phishing remains the most common type of attack.

Microsoft recently published details of a large-scale, multi-stage phishing campaign. It used stolen credentials to register attacker-controlled devices in the victim organization’s identity tenant, which let the attackers send further phishing email from inside the organization and grow the pool of compromised accounts.

Two Stages Of The Attack

According to the Microsoft 365 Defender Threat Intelligence Team, the cyberattacks happened in two stages: “The first campaign stage entailed stealing credentials in target organizations mostly located in Australia, Singapore, Indonesia, and Thailand.”

The second stage worked only against accounts that were not protected by multi-factor authentication (MFA), a basic control in identity security. Without MFA, the attackers abused the organization’s bring-your-own-device (BYOD) device-registration capability: the freshly stolen credentials were enough to enroll a device under their control.

The campaign began with users receiving a DocuSign-branded phishing email containing a link. Clicking it led to a rogue site mimicking the Office 365 login page, built to harvest their credentials.

Credential Losses

The credential theft compromised more than 100 mailboxes across several organizations. In the compromised mailboxes the attackers also created an inbox rule to hide their activity from the account owner.

A second wave of the attack followed. Because the affected organizations had no MFA in place, the attackers were able to register a Windows device of their own, unmanaged by the victim organization, in its Azure Active Directory (Azure AD) tenant, and then use that foothold to send the malicious messages onward.
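The chain just described (credential use from an unfamiliar address, a mail-hiding inbox rule, then a device registration by the same account) is something a defender can hunt for in audit records. The script below is an added example written for this post, not code from Microsoft or from the original article. It runs over constructed sample records whose field names imitate the general shape of Unified Audit Log and Azure AD audit exports; the exact schema, the operation names, and the known-IP baseline are assumptions to verify against a real export from your tenant.

```python
"""
Hunt for the two-stage pattern described above in Microsoft 365 audit records:
a sign-in from an IP the account has never used, followed within a short window
by an inbox rule that hides mail and by a device registration in Azure AD.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample records (not real logs). The field names follow the general
# shape of Unified Audit Log / Azure AD audit exports, but the exact schema your
# tenant emits is an assumption you should check against a real export.
SAMPLE_LOG = [
    {"CreationTime": "2022-01-10T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-01-10T08:05:40", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Spam Filter"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "phishing;hacked;password"}]},
    {"CreationTime": "2022-01-10T08:20:05", "Operation": "Register device",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "DeviceName": "DESKTOP-NEW"},
    # Benign activity: a known office address and a rule that only files newsletters.
    {"CreationTime": "2022-01-10T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.4"},
    {"CreationTime": "2022-01-10T09:01:00", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Constructed baseline: IPs each account has signed in from before (assumption:
# in practice you derive this from the previous weeks of sign-in records).
KNOWN_IPS = {
    "alice@contoso.example": {"198.51.100.4"},
    "bob@contoso.example": {"198.51.100.4"},
}

DEVICE_OPS = {"Register device", "Add device", "Add registered owner to device"}
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
WINDOW = timedelta(hours=1)


def rule_hides_mail(record):
    """True when a New-InboxRule deletes, buries or diverts mail; a plain
    'move newsletters to a reading folder' rule is left alone."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if params.get("DeleteMessage") == "True":
        return True
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        return True
    return any(k in params for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"))


def find_compromise_chains(records, known_ips, window=WINDOW):
    """Return one finding per unfamiliar-IP sign-in that is followed within
    `window` by a mail-hiding rule and/or a device registration by the same
    account. `complete` is True when both follow-on stages were observed."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda x: x["CreationTime"]):
        by_user[rec["UserId"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        for i, login in enumerate(recs):
            if login["Operation"] != "UserLoggedIn":
                continue
            if login["ClientIP"] in known_ips.get(user, set()):
                continue  # address seen before; not the credential-reuse signal we want
            t0 = datetime.fromisoformat(login["CreationTime"])
            stages = set()
            for rec in recs[i + 1:]:
                if datetime.fromisoformat(rec["CreationTime"]) - t0 > window:
                    break
                if rec["Operation"] == "New-InboxRule" and rule_hides_mail(rec):
                    stages.add("mail-hiding-rule")
                elif rec["Operation"] in DEVICE_OPS:
                    stages.add("device-registration")
            if stages:
                findings.append({
                    "user": user,
                    "login_ip": login["ClientIP"],
                    "login_time": login["CreationTime"],
                    "stages": sorted(stages),
                    "complete": stages == {"mail-hiding-rule", "device-registration"},
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_compromise_chains(SAMPLE_LOG, KNOWN_IPS), indent=2))
```

On the sample data only the first account is flagged, with both follow-on stages present; the second account signs in from a known address and its rule merely files newsletters, so it produces nothing. Partial chains (an unfamiliar sign-in followed by only one of the two stages) are still reported with `complete` set to False, since a mail-hiding rule on its own is worth a look.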

Email-based social engineering remains the most common way attackers gain initial access to an organization’s network and deploy malware on affected workstations.

The previous month, Netskope Threat Labs detected a malicious campaign attributed to the OceanLotus group. It evaded signature-based detection by delivering data-stealing malware in non-standard file formats, such as web archive (.MHT) attachments.

How To Avoid Phishing?

Besides enabling MFA, best practices such as good credential hygiene and network segmentation can, in Microsoft’s words, “raise the ‘cost’” to attackers attempting to spread through the network.

Furthermore, to avoid phishing attempts, take the following precautions:

  • Examine the sender: check the From: address itself, not just the display name, and confirm it matches the address you expect from that sender.
  • Verify the source: if in doubt, contact the supposed sender through a channel you already trust (a known phone number or a fresh email, not a reply) to confirm they sent it.
  • Confirm with IT: if you are unsure whether a message is genuine, forward it to your organization’s IT or security team, who can usually tell you.
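The first of those checks, plus two that a mail client rarely makes obvious, can be automated. The script below is an added example written for this post (not code from the original article or from any vendor): it parses a raw message, compares the brand in the display name with the real sending domain, flags a Reply-To that diverts replies elsewhere, and lists links whose domain belongs neither to the sender nor to any brand the organization expects mail from. The brand allow-list, the two-label domain reduction, and both sample messages are constructed assumptions; the first message imitates the DocuSign-branded lure pointing at a fake Office 365 login that the campaign above used.

```python
"""
Sender and link checks for a suspicious message, automating the precautions
listed above: does the display name match the real sending domain, does
Reply-To point somewhere else, and do the links lead to a domain the claimed
sender actually uses.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands this organization expects mail from and the domains they really send
# from. Assumption: an allow-list maintained by your security team; the values
# here are example entries, not an authoritative list.
EXPECTED_DOMAINS = {
    "docusign": {"docusign.net", "docusign.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host):
    """Reduce 'mail.example.com' to 'example.com' (two-label approximation; a
    public-suffix list would be needed for domains like example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(addr):
    """Registered domain of an email address, or '' when it has no '@'."""
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def message_text(msg):
    """Concatenate the text/plain and text/html bodies of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return a list of human-readable warnings; an empty list means the
    automated checks found nothing (which is not proof the mail is genuine)."""
    msg = message_from_string(raw)
    warnings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = address_domain(from_addr)

    # 1. Brand in the display name, but a sending domain that brand does not use.
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            warnings.append(f"display name claims {brand!r} but the address domain is {from_domain!r}")

    # 2. Replies silently diverted to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and address_domain(reply_addr) != from_domain:
        warnings.append(f"Reply-To goes to {address_domain(reply_addr)!r}, not {from_domain!r}")

    # 3. Links pointing outside the sender's domain and every expected brand domain.
    allowed = {from_domain} | set().union(*EXPECTED_DOMAINS.values())
    for url in LINK_RE.findall(message_text(msg)):
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in allowed:
            warnings.append(f"link leads to {host!r}, which is not a domain of the claimed sender")
    return warnings


# Constructed sample messages (not real mail). The first mimics a DocuSign-
# branded lure pointing at a fake Office 365 login; the second is benign.
PHISH = """\
From: "DocuSign Electronic Signature" <notify@docusign-secure.example>
Reply-To: review@contoso-docs.example
To: alice@contoso.example
Subject: Document ready for signature
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://office365-login.example/review">review and sign</a>.</p>
"""

LEGIT = """\
From: "DocuSign" <dse@docusign.net>
To: alice@contoso.example
Subject: Completed: Contract
Content-Type: text/plain; charset="utf-8"

View the completed document at https://app.docusign.com/documents/123
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(raw) or "no warnings")
```

The lure trips all three checks (brand mismatch, diverted Reply-To, and a link to an unrelated domain), while the benign message trips none. Treat the output as a prompt to verify, not a verdict: an attacker who has already compromised a colleague’s mailbox, as in the campaign above, sends from a perfectly legitimate domain and passes every one of these checks.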

Conclusion

Finally, the researchers concluded that “These best practices can limit an attacker’s ability to move laterally and compromise assets after an initial intrusion. They should be used in conjunction with advanced security solutions that provide visibility across domains and coordinate threat data across protection components.”

Cybercriminals are well versed in the social engineering techniques that can be used to lure you into their traps. Be cautious: if something doesn’t feel right, trust your instincts, and stay skeptical even when an email or text message looks legitimate.

Think twice before downloading attachments or clicking links, no matter how innocuous they look or who appears to have sent them.


Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.

Want a consultation with the professionals at Rogue Logics? Contact us for a free quote.