Phishing is evolving: Microsoft unveils new malicious tactics

What you need to know in a nutshell

Microsoft's security team has identified a new, evolved phishing campaign

The novel twist involves "joining an attacker-operated device to an organization's network."

These attacks are much easier to carry out undetected in our hybrid work era

They take advantage of the concept of bring-your-own-device (BYOD) and unmanaged devices

Users without MFA are even more exposed

Free whitepaper - Best practices you can follow to minimise the damage from a phishing attack
Find out more about Device Management
Detect cybercrime early with APEX® ATD

The anatomy of the multi-phase phishing attack

The first phase focuses on stealing credentials in target organizations. Attackers used a DocuSign-branded phishing email requesting the recipient review and sign the document. The phishing link directed victims to a spoofed Office 365 login page.

In the second phase, an attacker controlled BYOD device is enrolled on a corporate network with the stolen credentials. The attacker can then expand their foothold within the organizations through the compromised accounts via lateral phishing and outbound spam.
Lateral phishing tends to have a high success rate because the attacks come from a legitimate email account that is familiar to the victim.


Image source: Microsoft

"By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers." said the Microsoft 365 Defender Threat Intelligence Team.
According to Microsoft's security team, "most" organizations that had enabled multi-factor authentication (MFA) were not impacted by phishing emails spread by attacker-controlled registered devices, but organisations that had not enabled MFA were all affected.

Key cybersecurity takeaways

1. Enabling MFA is critical

This attack has proven once again the importance of MFA. All organisations should enable multi-factor authentication (MFA) to minimise the risk of attackers being able to use stolen credentials to gain access to devices.

2. Unmanaged devices are prone to attacks

Unmanaged devices that are connecting to company networks present a huge opportunity for attackers to compromise these devices. Businesses need to think about proactively protecting their organizations from the risks posed by new or “bring your own” (BYO) connected devices.

3. Early threat detection is an absolute necessity

This type of sophisticated attack also highlights the need for solutions such as APEX® Advanced Threat Detection that correlate threat data from multiple touchpoints and alert organisations of cyber breaches early.