Microsoft Defender Research has uncovered a large-scale phishing attack targeting users across more than 13,000 organizations worldwide. The threat actors were able to dupe tens of thousands of victims by using a legitimate email delivery service, sending messages expressing concerns about "Codes of Conduct." The users were ultimately led to a sign-in page that was part of an Adversary-in-the-Middle (AiTM) attack.
In an AiTM attack, the attacker positions themselves between two parties — in this case, the user and server — to siphon all communications to and from both parties. This allows the attacker to intercept authentication traffic in real time without the need to build a custom phishing website.
The threat actors took several measures to reinforce the purported legitimacy of the emails. They were made to look like "Internal Compliance" or "Regulatory Communication" emails, with subject lines such as "Internal Case Log Issued Under Conduct Policy" or "Reminder: Employer Opened a Non-Compliance Case Log."
The emails even included messages stating that they had been "issued through an authorized internal channel," and that links and attachments "had been reviewed and approved for secure access" — as well as a message stating that the contents of the email had been encrypted by Paubox, a legitimate HIPAA-compliant communication service.
A multi-step attack
The email instructed the recipient to open an attached PDF file that included a link to "review case materials," initiating the multi-step attack. Clicking the link led the recipient through several attacker-controlled domains, until a final page prompted the recipient to sign into their account to schedule a time "to discuss their pending case." Selecting the "Sign in with Microsoft" option redirected the user to a Microsoft Authentication page, initiating the AiTM flow. The threat actors were then able to capture authentication tokens and compromise user accounts, enabling them to impersonate users.
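The token capture described above has a defender-side signature: a session token minted for the victim's sign-in is later presented from the attacker's own network. The following is an added illustration, not code from the Microsoft report, that flags such sessions in constructed sign-in records; the record fields (user, session_id, ip, asn, ts) and the one-hour window are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Each record is one
# authenticated request that presented a session token. In an AiTM flow the
# victim authenticates through the attacker's proxy, so the token belongs to
# the victim's session but is then replayed from the attacker's network.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "session_id": "sess-A1", "ip": "203.0.113.10",
     "asn": "AS64500", "ts": "2024-05-01T09:00:00"},
    {"user": "alice@example.test", "session_id": "sess-A1", "ip": "203.0.113.10",
     "asn": "AS64500", "ts": "2024-05-01T09:05:00"},
    # same token, different network, twelve minutes after the sign-in
    {"user": "alice@example.test", "session_id": "sess-A1", "ip": "198.51.100.7",
     "asn": "AS64511", "ts": "2024-05-01T09:12:00"},
    # ordinary address change inside one network (e.g. a DHCP lease renewal)
    {"user": "bob@example.test", "session_id": "sess-B7", "ip": "192.0.2.25",
     "asn": "AS64496", "ts": "2024-05-01T10:00:00"},
    {"user": "bob@example.test", "session_id": "sess-B7", "ip": "192.0.2.26",
     "asn": "AS64496", "ts": "2024-05-01T10:30:00"},
]

def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return (user, session_id, first_asn, other_asn) for every session whose
    token was presented from a different network (ASN) than the one that
    performed the sign-in, within `window` of that sign-in. Address changes
    inside the same ASN are treated as ordinary roaming, not replay."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session_id"])].append(e)
    findings = []
    for (user, sid), recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]
        t0 = datetime.fromisoformat(first["ts"])
        for r in recs[1:]:
            if r["asn"] != first["asn"] and datetime.fromisoformat(r["ts"]) - t0 <= window:
                findings.append((user, sid, first["asn"], r["asn"]))
                break  # one finding per session is enough to trigger review
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible AiTM token replay:", finding)
```

A finding is a trigger for review and token revocation, not proof on its own: VPN changes and mobile roaming also cross ASNs, so production logic should combine this with the sign-in's own risk signals.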
This campaign highlights the ever-evolving nature of phishing attacks, which are becoming more intricate and sophisticated in order to outsmart standard cybersecurity practices. Staying vigilant when opening seemingly harmless emails is only the first step: Microsoft recommends that users take several measures to reduce the threat, such as awareness training and phishing simulations, enabling passwordless authentication methods, and manually purging unwanted emails.
