The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting business users of Microsoft email services have also set their sights on Google Workspace users.
“This campaign specifically targeted CEOs and other senior managers of various organizations that use [Google Workspace]”, Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.
The AitM phishing attacks reportedly began in mid-July 2022, following a modus operandi similar to a social engineering campaign designed to siphon users’ Microsoft credentials and even bypass multi-factor authentication.
Advertising
The low-volume Gmail AiTM phishing campaign also involves the use of the CEO’s compromised emails to carry out further phishing attacks by the threat actor, with the attacks also using multiple compromised domains as URL forwarders middleman to get the victims to the landing page.
Chains of attack involve sending password expiry emails to potential targets that contain an embedded malicious link to supposedly “extend your access”, pressing which causes the recipient to open Google Ads and Snapchat redirect pages to load phishing page URL.
Besides open redirect abuse, a second variant of the attacks relies on infected sites that host a Base64-encoded version of the next stage redirector and the victim’s email address in the URL. This intermediate redirector is a JavaScript code that points to a Gmail phishing page.
In one case highlighted by Zscaler, the redirect page used in the Microsoft AiTM phishing attack on July 11, 2022 was updated to direct the user to a Gmail AiTM phishing page, connecting the two campaigns to the same threat actor.
“There was also an overlap of infrastructure, and we even identified several instances in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure,” the researchers said.
Findings indicate that multi-factor authentication safeguards alone cannot provide protection against advanced phishing attacks, which force users to review URLs before entering credentials and refrain from opening attachments or clicking on links in emails sent from untrusted or unknown sources.