Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

November 9, 2023 at 03:50AM

A phishing campaign has been discovered where threat actors send emails with a link to a file-sharing solution called DRACOON.team. When victims click on the link, they are directed to a PDF document containing a secondary link that leads to a fake Microsoft 365 login page. The attackers use reverse proxies to steal login information and session cookies, allowing them to bypass multi-factor authentication. The phishing emails appear legitimate as they are sent from known or trusted accounts. Organizations are advised to conduct security awareness training, implement phishing-resistant MFA, enhance email security, and establish continuous monitoring systems.
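The monitoring side of this is worth making concrete. With a reverse-proxy (adversary-in-the-middle) phish the victim genuinely completes MFA, so the sign-in event looks clean; what gives the attacker away is the issued session cookie being used from their infrastructure shortly afterwards. The script below is an added example, not code from the Trend Micro investigation or any vendor product: it walks constructed JSON sign-in and activity events (the field names `session_id`, `asn`, `mfa` and the events themselves are assumptions, not a real provider's schema) and flags any session whose activity comes from a different ASN than the MFA sign-in that created it.

```python
"""Flag session cookies used from a different network than the one that
completed the MFA sign-in. Against a reverse-proxy (AiTM) phish the victim
really does satisfy MFA, so the sign-in itself looks legitimate; the tell is
the resulting session being replayed from elsewhere within a short window.

Added illustration only; not code from the investigation described above.
The JSON field names and every event below are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed events. S1 is replayed from another ASN minutes after the MFA
# sign-in (the AiTM pattern); S2 moves between two IPs inside one ASN (roaming,
# benign); S3 is a plain sign-in with no follow-up activity.
SAMPLE_LOG = """\
{"ts": "2023-11-08T08:02:11Z", "user": "j.doe@example.com", "session_id": "S1", "event": "signin", "mfa": true, "ip": "203.0.113.10", "asn": "AS64500"}
{"ts": "2023-11-08T08:05:40Z", "user": "j.doe@example.com", "session_id": "S1", "event": "activity", "ip": "203.0.113.10", "asn": "AS64500"}
{"ts": "2023-11-08T08:09:03Z", "user": "j.doe@example.com", "session_id": "S1", "event": "activity", "ip": "198.51.100.77", "asn": "AS64511"}
{"ts": "2023-11-08T09:15:00Z", "user": "a.smith@example.com", "session_id": "S2", "event": "signin", "mfa": true, "ip": "192.0.2.8", "asn": "AS64496"}
{"ts": "2023-11-08T12:30:00Z", "user": "a.smith@example.com", "session_id": "S2", "event": "activity", "ip": "192.0.2.9", "asn": "AS64496"}
{"ts": "2023-11-09T08:00:00Z", "user": "j.doe@example.com", "session_id": "S3", "event": "signin", "mfa": true, "ip": "203.0.113.10", "asn": "AS64500"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_session_reuse(events, window=timedelta(hours=24)):
    """Return one finding per activity event whose session was created by an
    MFA sign-in from a different ASN within `window` of that sign-in.

    ASN rather than raw IP is compared so that a user roaming inside one
    carrier's network is not flagged, while a session jumping to unrelated
    hosting infrastructure is."""
    origin = {}    # session_id -> the MFA sign-in event that minted it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if ev["event"] == "signin":
            if ev.get("mfa"):
                origin[sid] = ev
            continue
        base = origin.get(sid)
        if base is None or ev["ts"] - base["ts"] > window:
            continue
        if ev["asn"] != base["asn"]:
            findings.append({
                "user": ev["user"],
                "session_id": sid,
                "signin_ip": base["ip"],
                "signin_asn": base["asn"],
                "reuse_ip": ev["ip"],
                "reuse_asn": ev["asn"],
                "seconds_after_signin": int((ev["ts"] - base["ts"]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(f"{f['user']} session {f['session_id']}: MFA sign-in from "
              f"{f['signin_ip']} ({f['signin_asn']}) reused from {f['reuse_ip']} "
              f"({f['reuse_asn']}) {f['seconds_after_signin']}s later")
```

Run stand-alone it reports only S1. In a real deployment the same rule would consume the identity provider's sign-in and token-activity logs; the session identifier and ASN enrichment are available in most such logs but under provider-specific names, and the 24-hour window is a tuning choice rather than anything the article prescribes.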

Summary of Meeting Notes:

– The meeting notes describe a phishing campaign that involves malicious emails containing a link to a file-sharing solution.
– The victim is tricked into accessing the link within the email, which leads to a PDF document hosted on the file-sharing solution.
– The PDF document contains a secondary link that directs the victim to an attacker-controlled server impersonating a Microsoft 365 login portal.
– The attacker-controlled server acts as a reverse proxy to steal the victim’s login information and session cookies, allowing them to bypass multi-factor authentication.
– The stolen credentials and cookies are used to gain unauthorized access to the victim’s Microsoft 365 account and further distribute phishing emails.
– The phishing email originated from the victim’s supplier, making it more convincing as it came from trusted accounts.
– The campaign places the link to adversary-controlled infrastructure inside a file hosted on a legitimate service, so the email itself carries only a link to that service; this intermediary step helps it bypass email security controls.
– The Dracoon team has been contacted and has taken action to remove potential phishing attachments and to flag the accounts that uploaded them for removal.
– The investigation used Trend Managed Extended Detection and Response (MxDR) to trace the compromised accounts and recommend password changes.
– The limitations of multi-factor authentication (MFA) are discussed, emphasizing the need for strong security awareness among users.
– Proactive measures and mitigation strategies are recommended, including security awareness training, phishing-resistant MFA, email security solutions, continuous monitoring, and implementing email security standards like DMARC, SPF, and DKIM.
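The DMARC, SPF and DKIM recommendation is easy to state and easy to deploy in a form that does nothing: an SPF record ending in `+all`, a DMARC policy of `p=none`, or a DKIM key left in testing mode all pass a "we have the records" checklist while still letting spoofed mail through. The checker below is an added example, not code from the article or from Trend Micro; it evaluates record strings offline (every record is constructed, and the DKIM `p=` values are base64 placeholders of realistic length, not real keys), showing a weak configuration beside a hardened one. The `spf.protection.outlook.com` include is the standard Microsoft 365 one and is used only to make the sample realistic.

```python
"""Assess SPF, DKIM and DMARC record strings for the weak settings that let
spoofed mail through. Added example, not from the article; all records below
are constructed and the DKIM 'p=' values are placeholders of the right base64
length rather than real keys."""
import base64

# Constructed record pairs: the 'weak' set passes a "records exist" check but
# enforces nothing; the 'hardened' set rejects unaligned mail and reports.
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,   # decodes to 162 bytes (~1024-bit RSA)
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,        # decodes to 294 bytes (2048-bit RSA)
}


def parse_tags(record):
    """Parse 'tag=value; tag=value' syntax, which DMARC and DKIM both use."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    all_terms = [t for t in tokens[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
        return issues
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
    if qualifier == "+":
        issues.append("'+all' lets any host send as this domain")
    elif qualifier == "?":
        issues.append("'?all' is neutral: spoofed mail neither passes nor fails")
    elif qualifier == "~":
        issues.append("'~all' soft fail: spoofed mail is tagged, not rejected")
    return issues


def assess_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to spot failing senders")
    return issues


def assess_dkim(record):
    tags = parse_tags(record)
    key = tags.get("p", "")
    if not key:
        return ["empty p= tag: key is revoked, signatures will not verify"]
    issues = []
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y testing mode: receivers are told to discount failures")
    try:
        der_len = len(base64.b64decode(key, validate=True))
    except ValueError:
        return issues + ["p= value is not valid base64"]
    # An RSA SubjectPublicKeyInfo in DER is 162 bytes for 1024-bit and 294 for
    # 2048-bit keys, so the decoded length is a cheap key-size heuristic.
    if tags.get("k", "rsa").lower() == "rsa" and der_len < 294:
        issues.append(f"RSA key DER is {der_len} bytes: shorter than 2048 bits")
    return issues


def assess_domain_records(spf, dmarc, dkim):
    """Return the issues found for each of the three records."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc), "dkim": assess_dkim(dkim)}


if __name__ == "__main__":
    for name, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, assess_domain_records(**records))
```

Against live domains the same functions would be fed the TXT records fetched from DNS (`_dmarc.<domain>` and `<selector>._domainkey.<domain>`); the point of keeping the lookup out of the example is that the policy assessment, not the DNS client, is what decides whether a spoofed supplier email is rejected.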

Overall, the meeting notes provide detailed information about the phishing campaign, its impact, and recommendations for improving security.