August 4, 2022

Researchers at Zscaler ThreatLabz have uncovered a large-scale phishing campaign targeting Microsoft email services.

The campaign uses a custom proxy-based phishing kit to bypass multi-factor authentication in order to crack corporate accounts.

The goal is to compromise business emails and redirect payments to bank accounts with forged documents under their control. Targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organizations in the United States, United Kingdom, New Zealand, and Australia.

While the phishing campaign pretends to be domains of legitimate platforms, it also uses phishing emails that originate from the accounts of executives of these organizations that the attackers have previously compromised.

The phishing kit used by the attackers uses CodeSandbox and Glitch to help hackers create new redirection routes.

To bypass multi-factor authentication, threat actors use reverse proxies such as Evilginx2, Muraena, and Modilshka to stand between the victim and the email provider’s server.

As soon as the email server requests the MFA code during the login process, the phishing kit forwards this request to the victim, who then enters the OTP into the phishing field.

The data is forwarded to the email service and allows the threat actor to log into the stolen account.

For this particular phishing campaign, the attackers use a custom proxy-based phishing kit that uses the “Beautiful Soup” HTML and XML parsing tool.

The tool allows the kit to easily change legitimate login pages from corporate logins and add its own phishing elements.

The sources for this piece include an article in BleepingComputer.