For six years, a phishing campaign went unnoticed. Its targets were users of Microsoft's obsolete single sign-on service at more than 150 organizations in education, health care, public administration and technology. The attackers rely not on technical vulnerabilities in systems but on social engineering methods.
Cybercriminals send potential victims phishing emails that purport to come from the security service. After clicking the link in such an email, the corporate user lands on a fake Active Directory Federation Services (ADFS) sign-in page, where they enter their credentials and multifactor authentication code. The scheme has been working almost unchanged since 2018, according to Abnormal Security. No single specific threat actor has been identified: the campaign is associated with several financially motivated cybercriminal groups, which may sell the stolen accounts.
Most of the victims are in North America, Europe and Australia. Educational organizations accounted for 52.8% of attacks, health care for 14.8%, and government institutions for 12.5%. Microsoft has called on customers to abandon ADFS in favor of the more reliable Entra ID, but for financial and technical reasons this is not always possible: outdated systems compatible only with ADFS remain in use in many organizations, and moving to Entra would require a comprehensive deployment of new tools.
However, similar phishing attacks are also possible against Entra, Abnormal Security noted. A more effective protection, according to the experts, is to shorten the validity period of tokens and multifactor authentication codes, which limits attackers' ability to use stolen data. Blocking the known domains associated with the campaign also helps, since the cybercriminals have relied on the same infrastructure for years.