Researchers have uncovered a phishing attack using a new technique: Attackers are making use of authentication APIs to validate victims’ Office 365 credentials – in real time – as they enter them into the landing page.
Authentication APIs are used by apps and services running on the users’ behalf to access their data, Prashanth Arun, head of Data Science at Armorblox, told Threatpost. Office 365 requires app registrations to use APIs – but registrations require only an email address, making them seamless for attackers to leverage. Some additional configuration for the app also requires users to specify a website to “receive” authentication info, Arun added.
In a phishing attack recently spotted by researchers, the attacker used the authentication APIs to cross check the credentials of a senior executive at a large enterprise firm with the organization’s Azure Active directory. Active Directory (AD) is Microsoft’s proprietary directory service, which allows administrators to manage permissions and access to network resources. The authentication APIs use Azure AD to provide authentication services.
In the phishing attack, access to this immediate feedback “allows the attacker to respond intelligently during the attack,” researchers with Armorblox said on Thursday. “The attacker is also immediately aware of a live compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation.”
The Phishing Email
The attack was first discovered targeting a senior executive at an unnamed company, which researchers say is an American brand named among the Top 50 most innovative companies in the world in 2019. The initial email sent to the employee had the subject line “ACH Debit Report,” mimicking an internal report, and was sent on Friday evening, when victims likely have their guard down, researchers said.
According to researchers, the targeted company had recently changed domains so the target’s public email address is different from the domain name used in his Active Directory login. Attackers were aware of this change, leading researchers to believe the campaign was highly targeted.
“The limited activity at the website hosting the phishing attack and the careful timing of the email to a Friday evening also suggests this is a carefully crafted attack,” researchers said. “Our estimates show there have been 120 odd visits to this website globally since the beginning of June. The sparse number shows that the phishing scams are likely targeted and not spray and pray.”
The phishing email told victims to: “Find enclosed Payment Remittance Report’ as of 7/11/2020 2:53:14 a.m. Thank you for your business!”and points to an attachment, which looks like a text file.
“Opening the attachment from Office 365 in a browser shows a website identical to the Office 365 sign on page. The username has been pre-entered. A non-standard message ‘Because you’re accessing sensitive info, you need to verify your password’ is noted,” said researchers.
Once victims entered their credentials into the phishing landing page, Azure Active Directory sign-on logs show an immediate sign-on attempt corresponding to XHR requests performed on the attachment webpage.
“There’s no special vulnerability that makes this possible, it’s a unique adoption of APIs by the adversaries,” Arun stressed in an email to Threatpost.
If authentication is successful, the user is redirected to zoom.com. However, if the authentication fails, the user is redirected to login.microsoftonline.com. This could be a way to hide the phishing attack as just another failed sign on attempt at the Office 365 portal, researchers said. If the entered password text is empty or too short, the user is forced to retry.
“Our threat researchers verified the real-time nature of the site by updating the script with a test login and a dummy password and saw a failed login attempt from Provo, Utah in the Azure Active Directory Sign-In portal,” said researchers. “As expected, the IP address (18.104.22.168) that attempted the sign-in is the same endpoint the phishing script sends the credentials.”
Upon further investigation, researchers found that the web service behind the credential phishing page is hosted on teenagemoglen[.]com, which is registered at Alibaba.com with a Singapore domain registrar since the end of May 2020.
“The website is hosted by UnifiedLayer, a hosting company based out of India, at a datacenter in Provo, Utah, United States,” they said. “The website appears to host web pages copied from another website. None of the links which allow for active engagement with a visitor appear to be active.”
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.