According to a report by Microsoft, a sophisticated multi-stage phishing and business email compromise (BEC) attack is currently targeting banking and financial services organizations. The activity, which Microsoft tracks as Storm-1167, originated from a compromised trusted vendor and involved a series of adversary-in-the-middle (AiTM) attacks followed by BEC activity across multiple organizations.
What sets this attack apart is the group’s utilization of a reverse proxy, allowing them to create customized phishing pages tailored to their targets. The attackers demonstrate the continued sophistication of AiTM attacks by employing session cookie theft.
Unlike other AiTM campaigns that focus on credential harvesting, this method presents victims with a fake sign-in page hosted on a cloud service. The attacker then uses the victim's credentials to initiate an authentication session with the target application's real authentication provider.
The attack chain starts with a phishing email that redirects victims to a spoofed Microsoft sign-in page, where they unknowingly enter their credentials and time-based one-time passwords (TOTPs). The stolen password and session cookie allow the attacker to impersonate the user and gain unauthorized access to the victim's email inbox. From there, the attackers obtain sensitive emails and orchestrate BEC attacks.
To avoid detection, the attacker registers a new SMS-based two-factor authentication method on the compromised account, which lets them sign in with the stolen credentials without raising suspicion. The attacker also launches a mass spam campaign, sending thousands of emails to the compromised user's contacts, including those outside the organization.
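Two of the post-compromise actions described above leave audit trails a defender can correlate: a sign-in from an address the user has never used, followed shortly by registration of a new MFA method, and an outbound mail burst from the same mailbox. The following is an added detection example, not code from Microsoft or the original article; the event names, field layout and sample records are constructed and simplified rather than the exact schema of any product's sign-in or audit log.

```python
"""Correlate persistence and mass-mail signals over constructed audit events.

Added example, not from the original report. Event kinds and fields are
simplified assumptions standing in for real identity-provider audit logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    user: str
    kind: str            # "signin", "mfa_method_added" or "mail_sent"
    ip: str = ""         # source address, only meaningful for sign-ins
    recipients: int = 0  # recipient count, only meaningful for mail_sent


# Constructed sample log. alice shows the pattern from the article:
# sign-in from a never-before-seen IP, a new MFA method minutes later,
# then a burst of outbound mail. bob adds an MFA method from a known IP.
SAMPLE_EVENTS = [
    Event(datetime(2023, 6, 8, 9, 0), "alice@corp.example", "signin", ip="203.0.113.10"),
    Event(datetime(2023, 6, 8, 9, 5), "alice@corp.example", "signin", ip="198.51.100.7"),
    Event(datetime(2023, 6, 8, 9, 12), "alice@corp.example", "mfa_method_added"),
    Event(datetime(2023, 6, 8, 9, 30), "alice@corp.example", "mail_sent", recipients=300),
    Event(datetime(2023, 6, 8, 9, 40), "alice@corp.example", "mail_sent", recipients=300),
    Event(datetime(2023, 6, 8, 10, 0), "bob@corp.example", "signin", ip="203.0.113.20"),
    Event(datetime(2023, 6, 8, 10, 3), "bob@corp.example", "mfa_method_added"),
    Event(datetime(2023, 6, 8, 10, 10), "bob@corp.example", "mail_sent", recipients=4),
]

# Baseline of addresses each user has previously signed in from (constructed).
KNOWN_IPS = {
    "alice@corp.example": {"203.0.113.10"},
    "bob@corp.example": {"203.0.113.20"},
}


def detect(events, known_ips, window=timedelta(minutes=60), mail_threshold=500):
    """Return (user, alert_name) pairs in chronological order.

    mfa_added_after_new_ip_signin: an MFA method was registered within
        `window` of a sign-in from an IP not in the user's baseline.
    outbound_mail_burst: recipients of mail sent within `window`
        reached `mail_threshold` (raised once per user).
    """
    alerts = []
    last_new_ip_signin = {}             # user -> time of latest sign-in from unknown IP
    mail_history = defaultdict(list)    # user -> [(time, recipients), ...]
    burst_flagged = set()

    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "signin":
            if ev.ip not in known_ips.get(ev.user, set()):
                last_new_ip_signin[ev.user] = ev.time
        elif ev.kind == "mfa_method_added":
            seen = last_new_ip_signin.get(ev.user)
            if seen is not None and ev.time - seen <= window:
                alerts.append((ev.user, "mfa_added_after_new_ip_signin"))
        elif ev.kind == "mail_sent":
            hist = mail_history[ev.user]
            hist.append((ev.time, ev.recipients))
            # Rolling sum of recipients inside the window ending at this event.
            total = sum(n for t, n in hist if ev.time - t <= window)
            if total >= mail_threshold and ev.user not in burst_flagged:
                burst_flagged.add(ev.user)
                alerts.append((ev.user, "outbound_mail_burst"))
    return alerts


if __name__ == "__main__":
    for user, name in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {name}: {user}")
```

The two rules are deliberately narrow: an unknown source address on its own is noisy, and users do legitimately add phone numbers, but the combination within a short window is the sequence the report describes, and the mail burst is the follow-on that turns one compromised mailbox into a campaign against its contacts. In production the IP baseline would come from historical sign-in data rather than a hard-coded dictionary, and the rolling window would be tuned to the tenant's normal sending volume.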
Microsoft highlights the complexity of AiTM and BEC threats, emphasizing how attackers exploit trusted relationships between vendors, suppliers, and partner organizations for financial fraud. The company issued this warning following a recent surge in BEC attacks and the evolving tactics employed by cybercriminals, such as using platforms like BulletProftLink to conduct large-scale malicious mail campaigns. Attackers also leverage residential IP addresses to make their campaigns appear locally generated, allowing them to obscure their origin and conduct further attacks undetected.
This discovery underscores the need for heightened security measures and employee awareness within the banking and financial services sector to protect against sophisticated AiTM and BEC attacks.