Threat analysts at Microsoft revealed a phishing campaign targeting remote workers in which the attackers used stolen credentials to send out more phishing emails and were able to connect to target companies’ Azure Active Directory accounts, BleepingComputer reports.
The multi-stage campaign began with fake DocuSign-themed emails targeting workers in Australia, Indonesia, Singapore and Thailand who did not have multi-factor authentication enabled. Embedded links redirected victims to a fake Office 365 login page where the threat actors could steal their credentials.
Using the stolen credentials, the attackers then logged into the victims’ email accounts through Outlook installed on the attackers’ own devices, which allowed them to access the victim company’s Azure Active Directory and register those devices onto the network.
The threat actors would then send emails to addresses within the company network as well as external targets. By infiltrating the company’s trusted workspace, attackers were able to evade the firm’s security measures and lure more victims by displaying an air of legitimacy, the researchers said.
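A defender's view of the chain described above, as an added example that is not from Microsoft's or BleepingComputer's reporting: it flags a device registration that follows a sign-in without multi-factor authentication by the same user, and raises the severity when the newly registered device then sends mail to many recipients. The event format, field names, time window and recipient threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical, not a real Azure AD log schema.
EVENTS = [
    {"time": "2024-01-01T02:00:00", "user": "alice@example.com", "type": "sign_in", "mfa": False},
    {"time": "2024-01-01T02:20:00", "user": "alice@example.com", "type": "device_registered", "device": "dev-A"},
    {"time": "2024-01-01T03:00:00", "user": "alice@example.com", "type": "mail_sent", "device": "dev-A", "recipients": 80},
    {"time": "2024-01-01T09:00:00", "user": "bob@example.com", "type": "sign_in", "mfa": True},
    {"time": "2024-01-01T09:10:00", "user": "bob@example.com", "type": "device_registered", "device": "dev-B"},
    {"time": "2024-01-01T10:00:00", "user": "carol@example.com", "type": "sign_in", "mfa": False},
    {"time": "2024-01-03T10:00:00", "user": "carol@example.com", "type": "device_registered", "device": "dev-C"},
]


def find_suspicious_registrations(events, window=timedelta(hours=24), mail_threshold=50):
    """Flag device registrations that follow a sign-in without MFA by the same user."""
    last_no_mfa = {}  # user -> time of the most recent sign-in without MFA
    findings = {}     # device id -> finding
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "sign_in":
            if not ev["mfa"]:
                last_no_mfa[user] = when
        elif ev["type"] == "device_registered":
            seen = last_no_mfa.get(user)
            # Only registrations shortly after a password-only sign-in are flagged.
            if seen is not None and when - seen <= window:
                findings[ev["device"]] = {
                    "user": user, "device": ev["device"], "registered": when,
                    "recipients": 0, "severity": "medium",
                }
        elif ev["type"] == "mail_sent":
            finding = findings.get(ev.get("device"))
            # Mail volume from the new device soon after registration raises severity.
            if finding and when - finding["registered"] <= window:
                finding["recipients"] += ev["recipients"]
                if finding["recipients"] >= mail_threshold:
                    finding["severity"] = "high"
    return list(findings.values())


if __name__ == "__main__":
    for f in find_suspicious_registrations(EVENTS):
        print(f["severity"], f["user"], f["device"], f["recipients"])
```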