A new type of phishing attack has recently been seen in the wild, and what makes it unique among phishing attacks is that it validates stolen credentials against Azure Active Directory in real time, as the victim enters them. In this article I will provide a brief explanation of how the attack works, and then discuss why this particular attack is so significant and what it may mean for our organizations going forward.
Phishing attacks that are designed to steal credentials are really nothing new. They’ve been around for years. There are any number of variations in the ways that these types of attacks work. At a high level, though, victims typically receive an email message containing a link to a site that is meant to mimic a legitimate website. The site’s domain name may be misspelled or otherwise obfuscated, but the message is designed to trick recipients into thinking that the link is legitimate. When users click on the link, they are taken to a screen that asks for a username and password. This screen is often designed to look like something that the victims will be familiar with, such as the Microsoft 365 login page.
At this point, victims enter their credentials, which are added to a credential harvesting database. The site might then silently redirect victims to a legitimate login page in hopes that they will simply think they entered their credentials incorrectly and won’t realize that their credentials were just stolen.
Although this attack method is effective, it has at least one problem (from the perspective of the attacker): there is no way of knowing whether the credentials users entered are good. Users may mistype their passwords, or they may enter old passwords that have since been changed, and the attacker cannot tell a stale or mistyped entry from a working one without trying it.
The phishing attack that was recently seen in the wild was designed to overcome this limitation. After baiting victims into entering a set of credentials, the malicious website used a publicly available API to validate those credentials against Azure Active Directory while the victim was still on the page. In other words, the attacker found out right away whether each set of credentials was good, and could discard mistyped or stale passwords before the victim suspected anything. One consequence worth noting is that because the check is performed against the organization's own tenant, every validation is an authentication attempt that the identity provider processes from the attacker's infrastructure, not the victim's, and it may therefore be visible in the tenant's sign-in records.
There is strong evidence to suggest that the attack was highly targeted, rather than being random. At any rate, it is difficult to deny the attack’s significance. In fact, there are a few things about this attack that really stick out in my mind.
First, even though this particular attack was targeted, there is no reason why it couldn't be used on a more random basis. If a user authenticates with an email address and password, the domain portion of the email address tells the attacker which organization (and, if that domain is registered in Azure AD, which tenant) holds the user's credentials. It would then be relatively easy to leverage the same API that was used in the recent attack to validate whatever the user submitted, assuming the organization uses Azure AD.
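The defender's side of the two points above (the real-time validation of each harvested password, and the same technique run at scale across many accounts) can be illustrated with a small detector over sign-in records. The following is an added example written for this article, not code from the original page or from any vendor. It assumes that each validation the phishing kit performs shows up in the tenant's sign-in log as a password evaluation (success or wrong-password) from the kit's own address with a non-browser client; the record layout, the field names and the sample events are all constructed for the example, and the thresholds are hypothetical starting points rather than recommendations.

```python
"""Flag sign-in records that look like a phishing kit validating harvested
credentials against the identity provider in real time.

Two signals are combined:
  * new_source_nonbrowser: a non-browser client had the user's password
    evaluated from an address the user had never signed in from before
    (the kit checks the password from its own host, not the victim's).
  * burst_source: one address had passwords evaluated for several distinct
    accounts within a short window (the kit being run against many victims).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Results in which the identity provider actually evaluated the password.
# A "wrong_password" answer is as useful to the attacker as a success: it
# tells them the harvested password is stale and not worth selling.
PASSWORD_EVALUATED = {"success", "wrong_password"}

# Constructed sample sign-in records (not real tenant data). Field names are
# assumptions made for this example, not a real log schema.
SAMPLE_SIGNINS = [
    # Normal browser sign-ins from each user's usual office address.
    {"time": "2021-03-01T09:00:00", "user": "alice@example.com",
     "ip": "203.0.113.10", "client": "Browser", "result": "success"},
    {"time": "2021-03-01T09:05:00", "user": "bob@example.com",
     "ip": "203.0.113.11", "client": "Browser", "result": "success"},
    # Alice mistypes her password on her own device: same source, browser client.
    {"time": "2021-03-01T11:00:00", "user": "alice@example.com",
     "ip": "203.0.113.10", "client": "Browser", "result": "wrong_password"},
    {"time": "2021-03-01T11:00:30", "user": "alice@example.com",
     "ip": "203.0.113.10", "client": "Browser", "result": "success"},
    # Three users submit credentials to the phishing page; the kit validates
    # each one from its own host (198.51.100.7) within a few minutes.
    {"time": "2021-03-01T14:02:10", "user": "alice@example.com",
     "ip": "198.51.100.7", "client": "Non-browser", "result": "success"},
    {"time": "2021-03-01T14:05:42", "user": "bob@example.com",
     "ip": "198.51.100.7", "client": "Non-browser", "result": "wrong_password"},
    {"time": "2021-03-01T14:07:03", "user": "carol@example.com",
     "ip": "198.51.100.7", "client": "Non-browser", "result": "success"},
    # Dave's mail client from a new home address: new source, but no burst.
    {"time": "2021-03-01T18:00:00", "user": "dave@example.com",
     "ip": "192.0.2.44", "client": "Non-browser", "result": "success"},
]


def detect_realtime_validation(events, window=timedelta(minutes=15), min_accounts=3):
    """Return {(time, user, ip): [reasons]} for suspicious password evaluations."""
    events = sorted(events, key=lambda e: e["time"])
    seen_ips = defaultdict(set)      # user -> addresses with a prior successful sign-in
    per_source = defaultdict(list)   # ip -> [(time, user)] of password evaluations
    alerts = defaultdict(list)

    # Pass 1: walk chronologically so the per-user baseline only contains
    # addresses seen before the event being judged.
    for e in events:
        t = datetime.fromisoformat(e["time"])
        key = (t.isoformat(), e["user"], e["ip"])
        if e["result"] in PASSWORD_EVALUATED:
            if e["client"] != "Browser" and e["ip"] not in seen_ips[e["user"]]:
                alerts[key].append("new_source_nonbrowser")
            per_source[e["ip"]].append((t, e["user"]))
        if e["result"] == "success":
            seen_ips[e["user"]].add(e["ip"])

    # Pass 2: a single source validating many distinct accounts in one window.
    for ip, evals in per_source.items():
        for t, user in evals:
            users = {u for (t2, u) in evals if abs(t2 - t) <= window}
            if len(users) >= min_accounts:
                key = (t.isoformat(), user, ip)
                if "burst_source" not in alerts[key]:
                    alerts[key].append("burst_source")
    return dict(alerts)


def burst_sources(alerts):
    """Addresses that triggered the burst signal, i.e. candidate kit hosts."""
    return {ip for (_, _, ip), reasons in alerts.items() if "burst_source" in reasons}


if __name__ == "__main__":
    for (time, user, ip), reasons in sorted(detect_realtime_validation(SAMPLE_SIGNINS).items()):
        print(time, user, ip, ", ".join(reasons))
```

Run against the sample, the three validations from 198.51.100.7 are flagged with both reasons, Dave's legitimate new device is flagged only as a new source, and Alice's mistyped password from her usual browser is not flagged at all. The first signal on its own is noisy (any new device trips it), so in practice it would be used to prioritise rather than to block; the second is the stronger indicator that one host is testing many people's passwords, which is exactly what a kit built for the scaled version of this attack would look like from inside the tenant.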
A bigger worry for me is that if this type of attack could be made to work at scale, it could change the way that passwords are sold on the dark web.
Consider for a moment the way spammers operated roughly 15 years ago. Back then, spammers were creating massive lists of email addresses and selling the lists to other spammers. Spammers would use various mechanisms to find out which recipients had actually opened spam emails because the act of opening such a message proved that the email address was valid and that it belonged to someone who was inclined to open spam. As such, spammers sold these addresses at a premium price.
My guess is that in the not-too-distant future we will see hackers doing something similar with passwords. Passwords have been sold on the dark web for years, but an attacker with an entrepreneurial spirit could conceivably build a database of passwords that have been verified, so that those passwords could be sold at a premium price. The attacker could even go so far as to build a mechanism that allows customers to verify at the time of purchase that the passwords are still good.
The best thing an organization can do to mitigate this type of attack is to move away from passwords as the sole factor and adopt multi-factor or passwordless authentication, so that a validated password on its own is not enough to sign in. If that isn't a realistic option, then consider taking more aggressive action against inbound messages. This might include automatically stripping links and attachments from messages arriving from the outside world.