New Technique in Phishing Attack with Authentication APIs


Researchers have uncovered a new phishing technique in which attackers use authentication APIs to steal victims' Office 365 credentials in real time. With this technique, the attackers capture an employee's credentials at the moment they are entered into the phishing landing page.

Prashanth Arun, head of Data Science at Armorblox, said that authentication APIs are used by apps and services to access data on behalf of users. Using these APIs with Office 365 requires an app registration, but a registration requires only an email address, which makes the APIs easy for attackers to leverage.

Recently, researchers spotted a phishing attack in which the attacker used the authentication APIs to cross-check the credentials of a senior executive at a large enterprise firm, targeting the organization's Azure Active Directory.

Active Directory is Microsoft's proprietary directory service, which allows administrators to manage permissions and access to network resources. The authentication APIs use Azure AD, the cloud-based version of the service, to provide authentication services.

Researchers with Armorblox said on Thursday, “During this phishing attack, access to this immediate feedback allows the attacker to respond intelligently. The attacker is also immediately aware of a live compromised credential.”

The Phishing Email

The attack was first discovered targeting a senior executive at an unnamed company, which researchers say is an American brand named among the Top 50 most innovative companies in the world in 2019. The initial email sent to the employee had the subject line “ACH Debit Report,” mimicking an internal report, and was sent on Friday evening, when victims likely have their guard down, researchers said.

According to researchers, the targeted company had recently changed domains so the target’s public email address is different from the domain name used in his Active Directory login. Attackers were aware of this change, leading researchers to believe the campaign was highly targeted.

“The limited activity at the website hosting the phishing attack and the careful timing of the email to a Friday evening also suggest this is a carefully crafted attack,” researchers said. “Our estimates show there have been 120-odd visits to this website globally since the beginning of June. The sparse number shows that the phishing scams are likely targeted and not spray and pray.”

The phishing email told victims: “Find enclosed ‘Payment Remittance Report’ as of 7/11/2020 2:53:14 a.m. Thank you for your business!” and pointed to an attachment that looks like a text file.

“Opening the attachment from Office 365 in a browser shows a website identical to the Office 365 sign on page. The username has been pre-entered. A non-standard message ‘Because you’re accessing sensitive info, you need to verify your password’ is noted,” said researchers.
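The indicators the article describes (a financial-report lure in the subject, Friday-evening delivery, a sender domain that differs from the recipient's, and an attachment that looks like a text file but opens as a sign-in page with the username already filled in) can be turned into a simple mail-gateway triage check. The following is an added example for illustration, not code from Armorblox or from the article; the email and attachment data in it are constructed, and the scoring threshold is an assumption.

```python
"""Heuristic triage of an inbound email against the phishing indicators
described in the article. Added example; all sample data is constructed."""
from datetime import datetime
import re

# Constructed attachment: a ".txt" name, but the body is an HTML form that
# asks for a password and arrives with the login field already populated.
SAMPLE_ATTACHMENT = {
    "filename": "Payment_Remittance_Report.txt",
    "content": (
        b"<html><body><form method='post' action='https://example.invalid/auth'>"
        b"<p>Because you're accessing sensitive info, you need to verify your password</p>"
        b"<input name='login' value='jdoe@example.com'>"
        b"<input type='password' name='passwd'></form></body></html>"
    ),
}

# Constructed message mirroring the lure: financial subject, Friday evening,
# external sender. 2020-07-10 is a Friday.
SAMPLE_EMAIL = {
    "subject": "ACH Debit Report",
    "from": "accounts@example.invalid",
    "to": "jdoe@example.com",
    "received": datetime(2020, 7, 10, 18, 42),
    "attachments": [SAMPLE_ATTACHMENT],
}

# Constructed benign message for comparison: internal sender, Tuesday morning,
# a genuine plain-text attachment.
BENIGN_EMAIL = {
    "subject": "Team lunch Thursday",
    "from": "alice@example.com",
    "to": "jdoe@example.com",
    "received": datetime(2020, 7, 7, 9, 15),
    "attachments": [{"filename": "notes.txt", "content": b"Agenda: pick a place."}],
}

FINANCIAL_LURE = re.compile(r"\b(ach|debit|remittance|payment|invoice)\b", re.I)
TEXT_LIKE_EXTENSIONS = (".txt", ".log", ".csv")
PASSWORD_INPUT = re.compile(rb"<input[^>]+type=['\"]?password", re.I)
PREFILLED_LOGIN = re.compile(
    rb"""<input[^>]+name=['"]?(login|email|username|user)['"]?[^>]+value=""", re.I)

def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain HTML markup, whatever the extension says."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<!doctype html") or b"<html" in head or b"<form" in head

def is_friday_evening(ts: datetime) -> bool:
    """Delivery on a Friday at or after 17:00 local time."""
    return ts.weekday() == 4 and ts.hour >= 17

def sender_domain_mismatch(sender: str, recipient: str) -> bool:
    return sender.rsplit("@", 1)[-1].lower() != recipient.rsplit("@", 1)[-1].lower()

def triage(email: dict) -> dict:
    """Collect matching indicators and return a score plus a verdict.
    The threshold of 3 indicators is an assumption for this example."""
    reasons = []
    if FINANCIAL_LURE.search(email["subject"]):
        reasons.append("financial-report lure in subject")
    if is_friday_evening(email["received"]):
        reasons.append("delivered Friday evening")
    if sender_domain_mismatch(email["from"], email["to"]):
        reasons.append("external sender domain")
    for att in email["attachments"]:
        name, data = att["filename"], att["content"]
        if name.lower().endswith(TEXT_LIKE_EXTENSIONS) and looks_like_html(data):
            reasons.append(f"{name}: text-like name but HTML content")
        if PASSWORD_INPUT.search(data):
            reasons.append(f"{name}: contains a password form")
            if PREFILLED_LOGIN.search(data):
                reasons.append(f"{name}: login field pre-filled")
    score = len(reasons)
    return {"score": score,
            "verdict": "quarantine" if score >= 3 else "deliver",
            "reasons": reasons}

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(msg))
```

The attachment check is the part worth keeping even if the timing and subject heuristics are tuned away: an HTML document delivered under a text-file name, carrying a password input whose login field is already populated, is exactly the artifact the article describes, and it is cheap to detect at the gateway before a user ever opens it in a browser.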