In the report, once threat actors compromised the account, they sent a “Mircosoft-365” phishing campaign to the victim’s contact list. The phishing email uses “Mircosoft-365” branding instead of the legitimate “Microsoft 365.” The email is not sent from a Microsoft domain, but appears to use the Mailchimp email marketing platform, as indicated at the bottom of the email. The email purports to be a “Held Message Notice” informing the target that a certain number of messages have been blocked from being delivered and to review and release these messages by clicking the “View Task Messages” button. If clicked, the target is redirected multiple times to a phishing page that harvests account credentials. Links used in this campaign include hxxps://d8yru9hbb[.]cc[.]rs6[.]net displaying a Constant Contact page and the “neidebaertschi” domain name with a “.ch” top-level domain (TLD) displaying a supposed Microsoft “Security Verification” page. This campaign may use advanced evasion tactics to ensure malicious webpages are displayed only in non-sandboxed, real-user environments.
Recommendations
- If suspicious MFA pop-up authentication requests are received, change the account password immediately to prevent further login attempts and MFA push notifications.
- For organizations, implement monitoring and warning mechanisms to detect suspicious MFA prompt activity. Limit the number of MFA authentication requests per user within a certain period of time, if this option is available. If thresholds are exceeded, temporarily lock the account and alert the domain administrator.
- Exercise caution with communications from known senders or legitimate platforms.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Type official website URLs into browsers manually and only submit sensitive information on official websites.
- Keep systems and browsers up to date.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.
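The second recommendation above (rate-limit MFA prompts per user and lock or alert when a threshold is exceeded) can be implemented as a sliding-window detector over authentication logs. The following is an added example, not code from the advisory; it assumes a constructed log format of "timestamp user event" and assumed tuning values of 5 prompts per 10 minutes.

```python
# Added example: sliding-window detection of MFA push fatigue.
# Assumed log format: "<ISO-8601 UTC timestamp> <user> <event>".
# THRESHOLD and WINDOW are assumed tuning values, not advisory figures.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # pushes allowed per window (assumed)
WINDOW = timedelta(minutes=10)   # sliding window length (assumed)

# Constructed sample log lines; not real telemetry.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice MFA_PUSH_SENT
2024-05-01T09:00:40Z alice MFA_PUSH_DENIED
2024-05-01T09:01:10Z alice MFA_PUSH_SENT
2024-05-01T09:02:15Z alice MFA_PUSH_SENT
2024-05-01T09:03:00Z bob MFA_PUSH_SENT
2024-05-01T09:03:30Z alice MFA_PUSH_SENT
2024-05-01T09:04:45Z alice MFA_PUSH_SENT
2024-05-01T09:05:00Z alice MFA_PUSH_SENT
2024-05-01T09:30:00Z bob MFA_PUSH_SENT
"""

def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp of the push that exceeded the threshold}.

    Only MFA_PUSH_SENT counts: the attacker controls how many pushes are
    generated, not how the user answers them. Each user keeps a deque of
    recent push times; entries older than the window are evicted before
    the count is compared against the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        ts, user, event = parse_line(line)
        if event != "MFA_PUSH_SENT":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and user not in flagged:
            flagged[user] = ts   # lock the account / alert the admin here
    return flagged

if __name__ == "__main__":
    for user, when in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"ALERT: {user} exceeded {THRESHOLD} MFA pushes at {when.isoformat()}")
```

On the sample log only alice is flagged (six pushes in five minutes); bob's two pushes fall outside a single window.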
