[Security Weekly] Microsoft Enterprise Email Service Targeted in MFA-Bypassing Phishing Campaign


August 2022, Issue I


1. Microsoft Enterprise Email Service targeted in MFA-bypassing phishing campaign

Security researchers at Zscaler ThreatLabz published an advisory on August 2 warning that a large-scale phishing campaign is targeting users of Microsoft's enterprise email services, using a phishing kit that performs an adversary-in-the-middle (AiTM) attack to bypass multi-factor authentication (MFA).

The campaign specifically targets business users of Microsoft's email services, and the operators register new phishing domains daily. Many of the registered domains are subtle typosquats of legitimate domains, differing by a character or two that a reader is unlikely to notice, and the malicious link to them is placed in the email body.
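As an added example that is not part of the ThreatLabz advisory or this newsletter, the following Python flags candidate typosquats of a set of protected domains. It normalizes common homoglyph substitutions, checks whether a protected brand name appears anywhere in the hostname, and otherwise computes an edit distance that counts adjacent transpositions. The protected-domain list and the sample hostnames are assumptions constructed for the example.

```python
"""Typosquat screening for newly observed hostnames.

Added example, not code from the advisory. The protected-domain list is
an assumption; sample hostnames in the tests are constructed.
"""

# Domains we want to protect (assumed for this example).
LEGIT_DOMAINS = ["microsoft.com", "office.com", "outlook.com", "live.com"]

# Common look-alike substitutions seen in typosquats, applied in order.
# Multi-character patterns come first so "rn" -> "m" runs before "1" -> "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("-", "")]

# Brand labels shorter than this are skipped by the substring check to
# avoid matching common words (e.g. "live" inside "olive-garden.com").
MIN_BRAND_LEN = 6


def normalize(name):
    """Collapse homoglyphs so 'rnicros0ft' compares as 'microsoft'."""
    for pattern, replacement in HOMOGLYPHS:
        name = name.replace(pattern, replacement)
    return name


def registrable(host):
    """Return the last two labels ('login.microsoft.com' -> 'microsoft.com').

    Simplification: real code should use the Public Suffix List so that
    'example.co.uk' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps.

    A single transposition ('micorsoft' vs 'microsoft') costs 1, which
    matches how typosquats are usually generated.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(host, legit=LEGIT_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain).

    verdict is 'legitimate' (registrable domain is on the protected list),
    'typosquat' (brand embedded in the hostname, or registrable domain
    within max_distance edits of a protected domain), or 'unrelated'.
    """
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in legit:
        return ("legitimate", reg)

    norm_host = normalize(host)
    norm_reg = normalize(reg)
    for domain in legit:
        brand = domain.split(".")[0]
        # e.g. microsoft.com.login-verify.net or microsoftlogin.com
        if len(brand) >= MIN_BRAND_LEN and brand in norm_host:
            return ("typosquat", domain)
        # e.g. microsft.com, micorsoft.com, microsoft.co
        if osa_distance(norm_reg, normalize(domain)) <= max_distance:
            return ("typosquat", domain)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hostnames, not domains from the campaign.
    for h in ["login.microsoft.com", "rnicrosoft.com", "micros0ft-login.com",
              "microsft.com", "microsoft.com.login-verify.net", "example.org"]:
        print(h, "->", classify(h))
```

The substring rule catches the long, descriptive registrations ("microsoft-login-verify") that an edit-distance threshold misses, while the distance rule catches single-character slips; both produce false positives on short brands, so in practice the candidates feed a review queue or a newly-registered-domain feed rather than an automatic block.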

Furthermore, the attackers' custom phishing kit bypasses MFA with a reverse proxy that sits between the victim and the genuine login page. The proxy relays every step of the login flow, including the MFA prompt, to the victim, who completes it on the phishing page; each response is forwarded to the real email service. Because the victim completes MFA against the real service, the proxy receives the authenticated session cookie the service issues, and the attacker can replay that cookie to access the account without ever being challenged for a second factor.
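As an added example that is not from the advisory or this newsletter, the following Python looks for the trace an AiTM compromise leaves in sign-in telemetry: a session established with a successful MFA sign-in that is then used, within a short window, from a different IP address and a different browser, which is what happens when the attacker imports the stolen cookie into their own browser. The log lines and their field names are constructed for this example and do not follow any product's schema.

```python
"""Detect a session hop after an MFA sign-in (AiTM cookie replay pattern).

Added example. The JSON-lines log below is constructed; the field names
(ts, user, event, mfa, session, ip, ua) are an assumed schema, not a
real product's.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry. Session s-1 shows the AiTM pattern: MFA is
# completed from one address/browser, then the same session is used from a
# different address and browser minutes later. s-2 and s-3 are benign.
SAMPLE_LOG = """
{"ts":"2022-08-02T09:00:05Z","user":"alice@example.com","event":"signin","mfa":"success","session":"s-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/104"}
{"ts":"2022-08-02T09:02:40Z","user":"alice@example.com","event":"activity","session":"s-1","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/103"}
{"ts":"2022-08-02T10:15:00Z","user":"bob@example.com","event":"signin","mfa":"success","session":"s-2","ip":"203.0.113.22","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/104"}
{"ts":"2022-08-02T10:40:00Z","user":"bob@example.com","event":"activity","session":"s-2","ip":"203.0.113.22","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/104"}
{"ts":"2022-08-02T11:00:00Z","user":"dave@example.com","event":"signin","mfa":"success","session":"s-3","ip":"203.0.113.40","ua":"Mozilla/5.0 (iPhone) Safari/605"}
{"ts":"2022-08-02T11:05:00Z","user":"dave@example.com","event":"activity","session":"s-3","ip":"203.0.113.41","ua":"Mozilla/5.0 (iPhone) Safari/605"}
{"ts":"2022-08-02T11:30:00Z","user":"carol@example.com","event":"activity","session":"s-9","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/605"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_hops(text, window=timedelta(hours=1)):
    """Return one alert per session used from a new IP *and* new user agent
    within `window` of its MFA sign-in.

    Requiring both to change avoids alerting on a phone roaming between
    networks (s-3 above). A session with no sign-in in the log (s-9) is
    skipped: there is nothing to compare against.
    """
    origins = {}   # session id -> sign-in event that completed MFA
    alerts = []
    for event in parse_log(text):
        sid = event["session"]
        if event["event"] == "signin" and event.get("mfa") == "success":
            origins[sid] = event
            continue
        origin = origins.get(sid)
        if origin is None:
            continue
        ip_changed = event["ip"] != origin["ip"]
        ua_changed = event["ua"] != origin["ua"]
        if ip_changed and ua_changed and event["ts"] - origin["ts"] <= window:
            elapsed = (event["ts"] - origin["ts"]).total_seconds() / 60
            alerts.append({
                "user": event["user"],
                "session": sid,
                "signin_ip": origin["ip"],
                "activity_ip": event["ip"],
                "minutes_after_mfa": round(elapsed, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hops(SAMPLE_LOG):
        print("possible session replay:", alert)
```

Two caveats for production use. The sign-in itself arrives from the proxy's address rather than the user's usual network, so an impossible-travel or unfamiliar-location rule on the sign-in event is a second, independent signal. And the only control that removes the problem rather than detecting it is phishing-resistant MFA (FIDO2/WebAuthn), where the credential is bound to the origin the browser actually visited, so a proxy on a look-alike domain cannot obtain a valid assertion.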

Another distinctive feature of the kit is that once the victim clicks the malicious link, the landing page fingerprints the browser with JavaScript to judge whether the target is running on an ordinary computer or on a virtual machine. Visitors that look like virtual machines are not served the phishing page, since virtual machines are commonly used by security researchers for analysis.

Sources: Infosecurity, Bleeping Computer, Digital Trends


2. Semiconductor giant Semikron suffers LV ransomware attack

Semikron, a Germany-based manufacturer of power semiconductors for electric vehicles, wind turbines, and industrial automation systems, had parts of its network encrypted by the LV ransomware.

Semikron published a statement on August 1 disclosing that a cyberattack had encrypted parts of its network and that the attackers claimed to have stolen data from its systems. Although the company gave no details about the attacker, Germany's Federal Office for Information Security (BSI) warned that the ransomware operators were threatening to leak the stolen data.

Bleeping Computer also reported that a ransom note displayed on the infected systems identified the LV ransomware group as the intruder. In the note, the attackers claimed to have stolen a total of 2 TB of files.

Sources: Bleeping Computer, TechCrunch


3. Taiwanese government websites suffer multiple politically oriented DDoS attacks

On August 2 and 3, in the hours around the official visit of US House Speaker Nancy Pelosi, Taiwanese government agencies and infrastructure operators suffered multiple distributed denial-of-service (DDoS) attacks that were most likely politically motivated.

Taiwan's Ministry of Foreign Affairs reported that the attack peaked at over 8.5 million requests per minute, originated from a wide pool of IP addresses in China, Russia, and other countries, and lasted about 20 minutes. Affected websites included those of the Office of the President, the Ministry of Foreign Affairs, and Taoyuan International Airport. A spokesperson for the presidential office said traffic to its site reached 200 times the normal level.

Nevertheless, security experts suggested that the attack was unlikely to have been launched by Chinese state-backed hackers, who tend to use far more sophisticated methods; patriotic hacktivists were more likely responsible.

DDoS is one of the simplest attack methods and is commonly used by hacktivists for a wide range of causes. Even so, request floods against a web front end can be mitigated: a logic-based web application firewall that rate-limits and drops abusive request streams, paired with load balancing to spread the legitimate remainder across servers, keeps the application from being exhausted. To learn more, see WAPPLES.
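As an added example, not code from this newsletter or from any Penta Security product, the following Python implements the per-client token-bucket rate limit that sits at the core of a WAF or load balancer's rate-based rule, and runs it over a constructed request stream in which a few normal clients are mixed with one flood source sending 200 requests per second. Integer millisecond timestamps and token units in thousandths keep the arithmetic exact, so the counts are deterministic.

```python
"""Per-client token-bucket rate limiting over a constructed request stream.

Added example; the request stream and addresses are constructed, and the
rate/burst values are assumptions chosen for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Token bucket with integer arithmetic.

    Tokens are tracked in thousandths (SCALE) so that a rate of N tokens per
    second is exactly N thousandths per millisecond, with no float drift.
    """
    SCALE = 1000

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s               # thousandths of a token per ms
        self.capacity = burst * self.SCALE   # maximum stored tokens
        self.tokens = self.capacity          # start full: allows a burst
        self.last_ms = None

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False


def filter_requests(requests, rate=5, burst=10):
    """Apply one bucket per client IP.

    requests: iterable of (timestamp_ms, client_ip).
    Returns {ip: {"allowed": n, "dropped": m}}.
    """
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, ip in sorted(requests):
        key = "allowed" if buckets[ip].allow(ts_ms) else "dropped"
        stats[ip][key] += 1
    return dict(stats)


def build_sample():
    """Constructed traffic: three clients at 1 req/s for 60 s, plus one
    source flooding at 200 req/s (every 5 ms) for 10 s."""
    reqs = []
    for second in range(60):
        for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
            reqs.append((second * 1000, ip))
    for k in range(2000):
        reqs.append((k * 5, "198.51.100.9"))
    return reqs


if __name__ == "__main__":
    for ip, counts in sorted(filter_requests(build_sample()).items()):
        print(ip, counts)
```

With a 5 req/s rate and a burst of 10, the flood source gets its first 10 requests through, then roughly one in forty, for 59 allowed out of 2000, while the 1 req/s clients are never throttled. The caveat for an attack like the one described above is that a per-IP bucket only helps against sources that repeat; a flood spread across a large pool of addresses, each below the limit, has to be handled by global rate limits, challenge pages, or upstream scrubbing.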

Sources: CyberScoop, The Record


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+

Car, Energy, Factory, City Solutions: Penta IoT Security