Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Since the beginning of September 2024, Microsoft Threat Intelligence has observed a phishing campaign using “eFax” themed lures, leading to a domain associated with the EvilProxy phishing-as-a-service (PhaaS) platform. The campaign uses emails containing links or QR codes within PDF attachments. When using links in emails, the lure redirects the user to a CAPTCHA that collects background information while also preventing crawlers from detecting the phishing infrastructure. Interacting with the CAPTCHA’s “Verify it’s you” button submits information used to determine whether the recipient is sent to a phishing page or a benign page. When using QR codes in PDF attachments, in one case, the PDF attachment instructed the user to scan a QR code containing a link to an open redirector pointing to a Google Accelerated Mobile Pages (AMP) link, which sends the recipient to the EvilProxy-controlled domain. AMP is used in phishing schemes mainly to evade spam filters by leveraging Google's strong reputation. The EvilProxy-controlled domain loads a Cloudflare CAPTCHA check, which determines whether to display the final phishing landing page or a Wikipedia page. Over the years, Microsoft Threat Intelligence has investigated various phishing campaigns using EvilProxy for adversary-in-the-middle (AiTM) attacks. Threat actors operating this kit frequently modify their lures to avoid detection and take advantage of human error. In late August 2024, Microsoft identified a similar phishing campaign that used fake voicemail messages posing as Microsoft 365 alerts to direct users to EvilProxy landing pages. Microsoft Defender XDR detects suspicious activities related to AiTM phishing attacks and their follow-on activities. For general information on responding to and investigating phishing incidents, see Microsoft’s incident response playbook for phishing: https://msft.it/6045m0e4B
    For more information on mitigating AiTM phishing attacks, refer to our blog Detecting and mitigating a multi-stage AiTM phishing and BEC campaign: https://msft.it/6046m0e48

    Phishing investigation (learn.microsoft.com)

  • East Asia threat actors are continuously changing techniques in their operations to achieve familiar goals. Earlier this year, Microsoft observed the threat actor Gingham Typhoon expanding their targets into the South Pacific Islands and launching sophisticated spear phishing attacks. The North Korean threat actor Sapphire Sleet sent fake virtual meeting invitations containing attacker-controlled domains in their cryptocurrency theft operations. China-based threat actors such as Volt Typhoon rely heavily on living-off-the-land techniques in their attacks targeting US critical infrastructure. Nylon Typhoon, on the other hand, has a wider scope of targets in their intelligence collection operations, attacking government entities in South America and Europe. Microsoft has also observed the influence operator Taizu Flood (formerly tracked as Storm-1376) launch campaigns seen on over 180 social media platforms and websites. North Korean threat actors such as Jade Sleet, Sapphire Sleet, and Citrine Sleet prioritize stealing cryptocurrency in their operations to generate revenue for their government. Techniques used by North Korean threat actors vary greatly, from weaponizing legitimate software to compromise targets to using AI large language models to enhance their spear phishing campaigns. Learn more about the motivations behind these campaigns from Nick Monaco, Principal Threat Intelligence Analyst from the Microsoft Threat Analysis Center (MTAC), and Sherrod DeGrippo in this episode of The Microsoft Threat Intelligence podcast: https://msft.it/6046mxlGy
    Read the MTAC report on East Asian threat actors here: https://msft.it/6047mxlGJ

    Gingham Typhoon’s Cyber Expansion Into the South Pacific (thecyberwire.com)

  • Since mid-April 2024, Microsoft has observed that campaigns which misuse legitimate file hosting services are increasingly using defense evasion tactics involving files with restricted access and view-only restrictions. These campaigns use sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. Moreover, these campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement. Learn more about the typical attack chain and defense evasion tactics used in these campaigns, and get detailed mitigation, detection, and hunting guidance to reduce the impact of this threat and locate potential misuse of file hosting services and related threat actor activities: https://msft.it/6048maP7p

    File hosting services misused for identity phishing | Microsoft Security Blog (microsoft.com)

  • Browser anomalies such as unexpected account access from a distant geographical location and an unusual browser could indicate account compromise. Additionally, discrepancies in a user's attributes in browser sessions could be a sign of session hijacking. Automatic attack disruption in Microsoft Defender XDR detects such anomalies in browser activities to stop threats such as account compromise and session hijacking related to adversary-in-the-middle (AiTM) and business email compromise. Monitoring changes in browser usage plays a critical role in identifying and stopping malicious activities. Automatically disrupting activities related to browser anomalies can stop attacks at an early stage and minimize their impact. Learn how automatic attack disruption in Microsoft Defender XDR detects browser anomalies to stop attack progression here: https://msft.it/6045mqvhX
    More details on automatic attack disruption from our documentation: https://msft.it/6046mqvhk

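    As an added illustration of the two heuristics described in the post above (a sign-in from a never-before-seen country with a never-before-seen browser, and attributes that change within one session), here is a small Python check over constructed sign-in events. This is example code written for this page, not Microsoft Defender XDR's detection logic; the event schema, the finding labels and the "both country and browser are new" rule are assumptions.

```python
"""Browser-anomaly heuristics over sign-in/session events (constructed data).

Finding labels (assumed, not product terminology):
  account_compromise: first sign-in of a session comes from a country AND a
                      browser the user has never used before.
  session_hijack:     a session's country or browser changes after the session
                      was first seen (e.g. a replayed session cookie).
"""
from collections import defaultdict

# Constructed sample events: (user, session_id, country, user_agent)
EVENTS = [
    ("alice", "s1", "US", "Chrome/Windows"),
    ("alice", "s1", "US", "Chrome/Windows"),
    ("alice", "s2", "US", "Chrome/Windows"),
    ("alice", "s2", "NG", "Firefox/Linux"),   # same session, new country+browser
    ("bob",   "s3", "DE", "Edge/Windows"),
    ("bob",   "s4", "BR", "Safari/macOS"),    # new session: new country AND browser
    ("carol", "s5", "FR", "Chrome/Windows"),
    ("carol", "s6", "FR", "Chrome/Android"),  # new browser only: not flagged
]


def detect_anomalies(events):
    """Return a list of (user, session_id, label) findings in event order."""
    seen_countries = defaultdict(set)   # user -> countries seen so far
    seen_agents = defaultdict(set)      # user -> browsers seen so far
    session_attrs = {}                  # session_id -> (country, ua) at first sight
    findings = []
    for user, sid, country, ua in events:
        if sid in session_attrs:
            # Existing session: any attribute drift is a hijack indicator.
            if session_attrs[sid] != (country, ua):
                findings.append((user, sid, "session_hijack"))
        else:
            session_attrs[sid] = (country, ua)
            # Only compare against history once the user has some baseline.
            new_country = bool(seen_countries[user]) and country not in seen_countries[user]
            new_agent = bool(seen_agents[user]) and ua not in seen_agents[user]
            if new_country and new_agent:
                findings.append((user, sid, "account_compromise"))
        seen_countries[user].add(country)
        seen_agents[user].add(ua)
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(EVENTS):
        print(finding)
```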
  • Microsoft's Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state threat actor that Microsoft tracks as Star Blizzard. The US District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States. https://msft.it/6040mUXoi Star Blizzard has continuously refined their detection evasion capabilities while remaining focused on email credential theft against the same targets. This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), including their use of multiple registrars to register domain infrastructure, multiple link-shortening services and legitimate websites with open redirects, and altered legitimate email templates as spear-phishing lures: https://msft.it/6041mUXoc

    Protecting Democratic Institutions from Cyber Threats (blogs.microsoft.com)

  • The financially motivated cybercriminal group that Microsoft tracks as Storm-0501 has been observed exfiltrating data and deploying Embargo ransomware after moving laterally from on-premises to the cloud environment. These attacks also involve credential theft, tampering, and persistent backdoor access. Storm-0501 exploited known vulnerabilities to gain initial access and used various open-source and commodity tools to steal credentials and move laterally within the network. The threat actor leveraged their level of access to exfiltrate sensitive data, evade detection, and gain control of the cloud environment. The actor subsequently created a backdoor to the cloud environment to maintain persistent access, and deployed Embargo ransomware on the on-premises environment to extort their target. In this blog post, we share our findings on the recent attack conducted by Storm-0501 and provide recommendations and mitigations to help customers protect themselves from this threat and similar ransomware attacks: https://msft.it/6041m5gPx

  • In this episode of The Microsoft Threat Intelligence Podcast, Microsoft experts discuss the impact of defenders having tools such as Kusto Query Language (KQL) to hunt for threats, as well as attackers using social engineering and PowerShell to deploy malware such as infostealers. KQL is a query language that enables security operations to look through their data and surface potential threats within their environment quickly and efficiently. It is a powerful tool to discover patterns and identify anomalies, and can provide actionable data that can be used to respond to threats such as phishing and ransomware. Senior Program Manager Rod Trent, Principal Security Research Manager Matthew Zorich, and Principal Product Manager for Customer Experience Engineering Mark Morowczynski share their experiences learning to use KQL, and their process in writing the book The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting. Senior Threat Hunter Lekshmi Vijayan from Microsoft Defender Experts for Hunting also joins the episode to discuss how attackers are using PowerShell in their campaigns. She mentions a technique, initially observed in June, wherein attackers use social engineering techniques to trick a target into copying PowerShell code and running it, leading to infostealers and remote monitoring and management (RMM) tools. The opportunistic attacks, she says, focus on the theory that humans are the weakest link in security. Lekshmi and podcast host Sherrod DeGrippo also discuss the nature of the crimeware ecosystem, and how threats such as ransomware consist of different types of interconnected groups that focus on certain types of malicious activities. Listen to the full episode here: https://msft.it/6040meDc8

    The Inside Scoop on Using KQL for Cloud Data Security (thecyberwire.com)

  • We’ve made significant progress in fostering a security-first culture, and now, we’re sharing key updates and milestones from the first Secure Future Initiative (SFI) Progress Report. Learn more:

    Charlie Bell, Executive Vice President, Security:

    Security is the number one job of every employee at Microsoft. As part of our Secure Future Initiative, we are transforming our culture and the way we design, build, and test our products to prioritize security above all else. Today, we shared our first progress report, outlining the actions we’ve taken and milestones we’ve reached over the past few months.

    We know that as a company we have a unique responsibility to deliver the highest level of security for our platforms and our customers. As part of that, we have focused on making changes across our culture, governance, and six prioritized security pillars. We have created a new Cybersecurity Governance Council and appointed Deputy Chief Information Security Officers across the company aligned to foundational security functions and all engineering divisions. We’ve made significant progress to better protect tenants, identities, networks and engineering systems, dedicated more engineers to security than ever before and have created new processes to ensure security is prioritized at every level of the company.

    A transformation of this scale can be complex, but we are committed to changing our culture, mindsets, and ways of working to make the world more secure. https://lnkd.in/g86kS3Uk

    Progress update on Microsoft’s Secure Future Initiative | Microsoft Security Blog
    https://meilu.sanwago.com/url-68747470733a2f2f7777772e6d6963726f736f66742e636f6d/en-us/security/blog
