What you need to know in a nutshell
Microsoft's security team has identified a new, evolved phishing campaign
The novel twist involves "joining an attacker-operated device to an organization's network."
These attacks are much easier to carry out undetected in our hybrid work era
They take advantage of the concept of bring-your-own-device (BYOD) and unmanaged devices
Users without MFA are even more exposed
The anatomy of the multi-phase phishing attack
The first phase focuses on stealing credentials in target organizations. Attackers used a DocuSign-branded phishing email requesting the recipient review and sign the document. The phishing link directed victims to a spoofed Office 365 login page.
In the second phase, an attacker-controlled BYOD device is enrolled on the corporate network with the stolen credentials. The attacker can then expand their foothold within the organization through the compromised accounts via lateral phishing and outbound spam.
Lateral phishing tends to have a high success rate because the attacks come from a legitimate email account that is familiar to the victim.
Image source: Microsoft
"By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers," said the Microsoft 365 Defender Threat Intelligence Team.
According to Microsoft's security team, "most" organizations that had enabled multi-factor authentication (MFA) were not impacted by phishing emails spread by attacker-controlled registered devices, but organisations that had not enabled MFA were all affected.
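The three phases described above (credential theft, device registration with the stolen credentials, then lateral phishing from the new device) and the MFA observation suggest a simple correlation rule a SOC can run over its own logs. The script below is an added illustration, not code from Microsoft or from the original article; the log records, field names, IP baseline and thresholds are all constructed and assumed rather than taken from any vendor's schema. It flags a successful sign-in completed without MFA from an IP the user has never used, escalates if the same account registers a device within 24 hours, and escalates again if that account then sends an outbound mail burst.

```python
"""Correlate sign-in, device-registration and outbound-mail events to surface the
credential-theft -> device-registration -> lateral-phishing chain.

All records below are constructed sample data with an assumed generic schema;
they are not a real product's log format."""
from datetime import datetime, timedelta

REGISTRATION_WINDOW = timedelta(hours=24)  # sign-in -> device registration
MAIL_WINDOW = timedelta(hours=24)          # registration -> outbound mail burst
MAIL_BURST_THRESHOLD = 50                  # recipients per window (assumed tuning value)

STAGE_NAMES = {
    1: "successful sign-in without MFA from an unfamiliar IP",
    2: "device registered shortly after the suspicious sign-in",
    3: "outbound mail burst after the device registration",
}

# Constructed baseline: IPs each user has signed in from in recent history.
BASELINE_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "bob@example.com": {"192.0.2.11"},
    "carol@example.com": {"192.0.2.12"},
    "dave@example.com": {"192.0.2.13"},
}

# Constructed sign-in log (UTC, ISO 8601 timestamps).
SIGNINS = [
    {"user": "alice@example.com", "time": "2022-01-24T09:00:00", "ip": "203.0.113.7", "mfa": False, "success": False},
    {"user": "alice@example.com", "time": "2022-01-24T09:02:00", "ip": "203.0.113.7", "mfa": False, "success": True},
    {"user": "bob@example.com", "time": "2022-01-24T10:15:00", "ip": "198.51.100.4", "mfa": True, "success": True},
    {"user": "carol@example.com", "time": "2022-01-24T11:00:00", "ip": "198.51.100.9", "mfa": False, "success": True},
    {"user": "dave@example.com", "time": "2022-01-24T12:30:00", "ip": "192.0.2.13", "mfa": False, "success": True},
]

# Constructed device-registration log.
DEVICE_REGISTRATIONS = [
    {"user": "alice@example.com", "time": "2022-01-24T09:20:00", "device_id": "dev-1f3a"},
    {"user": "bob@example.com", "time": "2022-01-24T10:40:00", "device_id": "dev-77c0"},
    {"user": "carol@example.com", "time": "2022-01-26T11:00:00", "device_id": "dev-0b9e"},
    {"user": "dave@example.com", "time": "2022-01-24T13:00:00", "device_id": "dev-a512"},
]

# Constructed outbound-mail log: one record per message, with recipient count.
OUTBOUND_MAIL = [
    {"user": "alice@example.com", "time": "2022-01-24T09:45:00", "recipients": 120},
    {"user": "alice@example.com", "time": "2022-01-24T10:05:00", "recipients": 60},
    {"user": "bob@example.com", "time": "2022-01-24T11:00:00", "recipients": 2},
    {"user": "dave@example.com", "time": "2022-01-24T14:00:00", "recipients": 3},
]


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_signins(signins, baseline):
    """Successful sign-ins that completed without MFA from an IP outside the user's baseline."""
    return [
        e for e in signins
        if e["success"] and not e["mfa"] and e["ip"] not in baseline.get(e["user"], set())
    ]


def correlate(signins, registrations, mail, baseline):
    """Return one alert per user, escalated to the highest stage of the chain observed."""
    alerts = {}
    for s in suspicious_signins(signins, baseline):
        t0 = _ts(s["time"])
        alert = {"user": s["user"], "stage": 1, "signin_ip": s["ip"],
                 "signin_time": s["time"], "device_id": None, "recipients": 0}
        regs = [r for r in registrations
                if r["user"] == s["user"] and t0 <= _ts(r["time"]) <= t0 + REGISTRATION_WINDOW]
        if regs:
            reg = min(regs, key=lambda r: _ts(r["time"]))
            t1 = _ts(reg["time"])
            alert["stage"] = 2
            alert["device_id"] = reg["device_id"]
            # Outbound mail from the account in the window after the new device appeared.
            alert["recipients"] = sum(m["recipients"] for m in mail
                                      if m["user"] == s["user"] and t1 <= _ts(m["time"]) <= t1 + MAIL_WINDOW)
            if alert["recipients"] >= MAIL_BURST_THRESHOLD:
                alert["stage"] = 3
        # Keep the most severe alert per user if several suspicious sign-ins exist.
        if s["user"] not in alerts or alert["stage"] > alerts[s["user"]]["stage"]:
            alerts[s["user"]] = alert
    return sorted(alerts.values(), key=lambda a: (-a["stage"], a["user"]))


if __name__ == "__main__":
    for a in correlate(SIGNINS, DEVICE_REGISTRATIONS, OUTBOUND_MAIL, BASELINE_IPS):
        print(f"[stage {a['stage']}] {a['user']}: {STAGE_NAMES[a['stage']]} "
              f"(ip={a['signin_ip']}, device={a['device_id']}, recipients={a['recipients']})")
```

In the constructed data, alice reaches stage 3 (no MFA, unfamiliar IP, device registered 18 minutes later, 180 recipients mailed within the hour), carol stops at stage 1 because her device registration falls outside the window, and bob and dave are never flagged: bob because MFA was satisfied, dave because the sign-in came from his baseline IP. The rule is deliberately conservative; the windows and threshold are assumptions to tune against your own sign-in and mail volumes.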
Key cybersecurity takeaways
1. Enabling MFA is critical
This attack has proven once again the importance of MFA. All organisations should enable multi-factor authentication (MFA) to minimise the risk that stolen credentials alone are enough for an attacker to gain access.
2. Unmanaged devices are prone to attacks
Unmanaged devices connecting to company networks present a large opportunity for attackers. Businesses need to think about proactively protecting their organizations from the risks posed by new or “bring your own” (BYO) connected devices.
3. Early threat detection is an absolute necessity
This type of sophisticated attack also highlights the need for solutions such as APEX® Advanced Threat Detection that correlate threat data from multiple touchpoints and alert organisations to cyber breaches early.