PwC’s Dark Lab recently responded to a Business Email Compromise incident, leading to the discovery of an opportunistic multi-stage Adversary-in-the-Middle campaign.
Business Email Compromise (BEC) attacks persist as one of the most popular scam strategies among opportunistic cybercriminals. BEC attacks refer to a form of social engineering whereby malicious actors attempt to defraud organisations by hacking into legitimate business email accounts and impersonating employees and third parties for direct monetary gains.
Though these attacks have existed since the dawn of the Internet, they continue to be a highly lucrative avenue for attackers given the ability to scale operations target multiple victims simultaneously at a low setup cost. Furthermore, as organisations have heavily prioritised efforts to mature their cyber postures over the last few years, we observe a significant shift away from malware towards identity-based attacks as attackers leverage valid credentials to disguise their activities. In the past few years, an increasingly common strategy is to leverage phishing toolkits to steal valid credentials as well as login sessions, bypassing multi-factor authentication (MFA).
In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. In part one, we shared our technical analysis on the ongoing campaign leveraging the Evil QR tool to hijack Hong Kong and Macau-based victims’ WhatsApp accounts.[1] This blog piece provides a technical analysis on our incident response experience with a multi-stage Adversary-in-the-Middle (AiTM) phishing and BEC attack, which led to the discovery of a wide-scale, opportunistic campaign weaponising a sophisticated phishing toolkit, Evilginx and EvilProxy.
Initial Access
The attack initiated via the delivery of a phishing email from joingreatlife[.]com, with a lure masquerading as a DocuSign notification for document review and signature.
Figure 1: Screenshot of phishing email
The phishing emails originated from the joingreatlife[.]com sender domain, which we assessed to be a legitimate business based on the WHOIS records indicating the domain was registered in 2013, and multiple linked social media accounts, including an actively updated Facebook account, and no malicious flagging by security solutions.[2],[3],[4],[5] Due to their lack of valid SPF, DKIM, or DMARC record as at the time of investigation[6], we hypothesise that the legitimate business was likely spoofed or compromised to deliver phishing emails.
Figure 2: Flagged malicious joingreatlife[.]com sub-domains
Through further review of the victim’s mailbox, it was observed that the victim was repeatedly targeted by multiple phishing emails from senders such as ‘cv@service[.]bosszhipin[.]com’ between March 2022 and June 2023. Pivoting on the email address, we discovered that cv@service[.]bosszhipin[.]com has been historically flagged for sending spam and phishing emails.[7] Consistent with observations of the joingreatlife[.]com domain, we validated the bosszhipin[.]com domain to be serving legitimate business content[8], and was likely spoofed by malicious actors as a result of the lack of valid DKIM or DMARC record.[9]
Upon clicking on the ‘Review Document’ button within the phishing email, the victim was redirected to a Ticketmaster domain (engage.ticketmaster.com) before redirecting to the actual phishing URL hosted on an online coding sandbox website (hx5g6s.codesandbox[.]io), which then further redirected the user to their phishing site hosted at IP address 134.209.186[.]170. We hypothesise that the multi-redirect approach initiated via the legitimate intermediate domains was employed to evade detection, confuse security analysis and blocking by the victim organisation’s spam filters.
Investigation into 134.209.186[.]170 revealed the IP address to be flagged as malicious and reported in multiple occasions in July 2023.[10] Furthermore, the same IP address (134.209.186[.]170) was noted to be historically hosting a phishing site resembling a OAuth-based login portal – a matching indicators of a credentials- or session-harvesting site leveraging the AiTM attack.[11]
Figure 3: 134.209.186[.]170 flagged malicious, hosting OAuth phishing site
The phishing site served as a proxy between the victim and the legitimate Microsoft login page. As the victim performed a legitimate login with multi-factor authentication (MFA), the attacker operated as an adversary-in-the-middle, using the captured OAuth access token to bypass MFA and obtain the victim’s valid logon session, resulting in a successful impersonation with the victim’s identity to the legitimate resources on M365, including Outlook, SharePoint, or other applications as accessible by the victim.[12]
Persistence and Defense Evasion
Subsequent to logging into the victim’s mailbox, the attacker (85.209.176[.]200) registered a new MFA authentication method and attempted to access the victim’s mailbox via a legitimate, external application (PerfectData Software) to establish persistent access. To maintain stealth, the attacker (147.124.209[.]237) modified mailbox rules to reroute emails to the victim’s RSS Subscriptions folder, altered email folder arrangements, and accessed two SharePoint files. As observed at each stage of their attack, the threat actor was logged using a different IP address for each activity to conceal their identity and location, and further evade detection.
Impact
Leveraging the compromised email account, the attacker (104.254.90[.]195) impersonated the victim’s identity to send two phishing emails. The first email was sent to an external contact, containing no contents. The second email was sent to an internal employee containing a fraudulent transaction invoice attachment, indicating an attempt to facilitate unauthorised fund transfers. At this stage, the victim organisation detected and blocked the fraudulent fund request attempt and proceeded to conduct containment measures to reset the compromised credentials and revoke the unauthorised login sessions. Based on our observations, we assessed that the malicious actor conducted the AiTM attack to perform the email account takeover for financially-motivated intent.
Uncovering the wide-scale AiTM campaign
Pivoting on the phishing email subject title “Completed: Complete Doc viaSign: #2,” we identified over 50 files uploaded between 3 July and 18 July 2023[13] which contained redirects to the same embedded URL (http://links[.]engage[.]ticketmaster[.]com). Paired with the observed existence of the phishing email structure since December 2021, this indicated that the victim was phished as a part of an ongoing opportunistic campaign which researchers have reported as a multi-stage AiTM phishing and business email compromise (BEC) campaign.
Potential Use of the Caffeine Phishing Toolkit
Pivoting on the malicious link, we assessed that the link was likely launched from a phishing toolkit to steal valid sessions. We observed that the malicious link leveraged the Ticketmaster domain to obfuscate the malicious payload to bypass mail detection rules and deliver malicious payloads via browser redirects to codesandbox.io.[14] Further pivoting on the Ticketmaster domain, we observed potential relations to a Phishing-as-a-Service (PhaaS) platform “Caffeine”, which provides subscribers phishing email templates with legitimate URLs to contain malicious payloads that operate to steal credentials (e.g. passwords, session tokens) through third-party sites such as codesandbox.io to evade detection.[15] [16] This is consistent with the observations in this phishing campaign and corresponding telemetry, as evidenced in Figure 4.
Figure 4: Phishing email redirects leveraging legitimate services to redirect to payloads hosted on codesandbox.io
Weaponising Evilginx and EvilProxy
Through deeper inspection, we discovered that the IP (134.209.186[.]170) address associated with the attackers were involved with several other phishing submissions submitted by other users. These submissions revealed that the domains used by the attackers serve pages that are consistent with our observed victim’s sessions stealing activities. The user emails passed in the web request were also observed to be consistent with other relevant schemes. Through these observations, we assessed with high confidence that the threat actors leveraged Evilginx and EvilProxy as a means to bypass two-factor authentication (2FA) and that these session stealing methods were the initial foothold that enabled the threat actor to gain access to the victim’s corporate resources.
Evilginx is an advanced AiTM attack framework capable of bypassing 2FA and intercepting legitimate session cookies.[17] This is a significant capability for attackers who can consequently conduct their phishing campaigns without capturing credentials, as attackers can impersonate victims without password knowledge to gain unauthorised access.
EvilProxy is a Phishing-as-a-Service (PhaaS) toolkit operating as a powerful proxy tool, redirecting victims’ web traffic through attacker-controlled servers.[18] The tool enables attackers to not only capture login credentials but also manipulate web content in real-time, presenting victims with malicious payloads or further deceptive content.
Conclusion
Based on our findings, we assessed with high confidence that the victim was compromised as part of a wide-scale, opportunistic social engineering campaign utilising Evilginx and EvilProxy to bypass MFA and subsequently perform a BEC attack via internal spear phishing. Due to the lack of information and reporting on the specific IOCs collected during the incident, and the use of widely adopted techniques and toolkits, we did not derive conclusive evidence to ascertain the specific threat actor responsible for the attack.
The two campaigns explored in this two-part blog series are just two of the many case studies supporting our observations that the cyber threat landscape is rapidly evolving, with threat actors increasingly shifting towards-identity based attacks. As organisations worldwide have prioritised efforts to harden their cybersecurity posture, we observe threat actors adapt by weaponising valid credentials to bypass defences under the guise of trusted identities. Furthermore, in both cases, we observed that threat actors are not only targeting passwords, but valid sessions to maintain persistent, elusive access to victim environments.
Whilst identity-based attacks are by no means novel, they continue to pose a significant threat to organisations given the complexity of distinguishing between legitimate and malicious use of authorised access. To effectively protect against identity-based attacks, it is vital that organisations and individuals enforce a layered defence strategy combining robust preventative measures with behavioural-based detection.
Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here
Recommendations
Preventive
- Implement sender authentication measures including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication (DMARC) to reduce susceptibility to phishing and spoofing attacks.
- Review existing Microsoft 365 configuration and update their security solutions and network devices (including external firewall, web proxies). For example, enforcing spam filters configurations to ensure all inbound emails are processed by spam filtering policies prior to delivery, reviewing email forwarding rules to identify any potential external malicious email forwarding, and restricting O365 access via geo-fencing to prevent authorised access or account brute-force over O365.
- While this incident highlighted how threat actors can potentially bypass multi-factor authentication (MFA), MFA remains a critical layer of protection against credential-abuse attacks. Best practices include:
- Ensuring MFA solutions restrict the number of failed authentication attempts, login attempts are monitored and alerted for anomalous activity, and enforcing strong password policy requirements.
- Leveraging features such as conditional access to setup session timeouts or block sign-ins from illegitimate access to the resources by third party devices, or overseas where applicable, in combination with features such as Mobile Device Management (MDM).
- Enhance business security controls by establishing procedures for financial transactions and their respective handling procedures. For example, automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
- Regularly conduct user awareness training to educate employees on the latest social engineering techniques deployed, indicators to identify potentially malicious activity, and process for reporting suspicious activity.
- Organisations should conduct young domain monitoring to proactively uncover potential phishing campaigns targeting, or likely to target, your organisation.
Detective
- Monitor user account activity for email forwarding, excessive document downloads or deletions and excessive file sharing. Depending on the user (e.g. users operating within functions more likely to be targeted in phishing attacks, such as HR, Finance, C-Suite personnel), setup monitoring for specific activities, such as monitoring for the creation of mail rules that involve moving to folders to RSS.
- Establish behavioural-based detection rules that will expire tokens and disable sign in when suspicious account behaviour is detected. Indicators of suspicious behaviour could include access from abnormal geolocations and accessing servers not typically accessed by the user identity. Further, leverage features such as “risky sign-in” to receive notifications of suspicious authentication attempts and respond in-time to threats.
- We further advise organisations to establish an O365 mailbox rule to detect and block inbound/outbound traffic from the malicious IPs listed in our Indicators of Compromise (IoC) section.
MITRE ATT&CK TTPs Leveraged
We include the observed MITRE ATT&CK tactics and techniques from the campaign:
- T1589.002 – Gather Victim Identity Information: Email Addresses Resource Development
- T1584.004 – Compromise Infrastructure: Server
- T1588.002 – Obtain Capabilities: Tool
- T1566.002 – Phishing: Spear Phishing Link
- T1189 – Drive-by Compromise
- T1204.001 – User Execution: Malicious Link
- T1098.005 – Account Manipulation: Device Registration
Indicators of Compromise (IoCs)
We include the observed IoCs:
| IoC | Type | Description |
brad.hansen[@]joingreatlife[.]com | Email Sender | Email Sender of phishing email |
Completed: Complete Doc viaSign: #2 | Email Sender | Email Sender of phishing email |
hx5g6s.codesandbox[.]io | Domain | Online coding sandbox website |
lmo-halbacea.halbacea[.]com | Domain | Domain associated with phishing web server |
lmolmoworked-inc-docs-signedservices.remmellsp.]com | Domain | Domain associated with phishing web server |
134.209.186[.]170 | IP Address | IP Address of OAuth phishing web server, threat actor logon |
85.209.176[.]200 | IP Address | IP Address of threat actor logon, deliver phishing email, register Authenticator App and attempt to connection to external application “PerfectData Software” |
147.124.209[.]237 | IP Address | IP Address of threat actor logon, create new inbox rule |
51.195.198[.]33 | IP Address | IP Address of threat actor logon, access SharePoint files |
104.254.90[.]195 | IP Address | IP Address of threat actor logon, deliver phishing email, create new inbox rule |
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.