
July 5, 2024

Field Effect discovers M365 adversary-in-the-middle campaign

By Ryan Slaney

With contributions from Dan Coburn and Chris Augi.

Last updated: September 24, 2024


Update (July 9, 2024)

Thanks to a Reddit user who provided additional IoCs, we were able to obtain screenshots of the phishing domains leveraged in this campaign.  

The attack starts with the target receiving an email from a legitimate but compromised account that includes a link to https://live.dot[.]vu/p/mccpppo/flipbook-start-with-pdf/, which leads to the following lure:


Image 1: Screenshot of phishing domain 

When the target clicks on this lure, they are redirected to the Cloudflare-hosted URL https://8ex.unceridefu[.]com/cY2tCmX2/.


Image 2: Screenshot of Cloudflare verification before final fake login site is presented.

Once the target verifies they are human, the following fake Microsoft login page is presented:


Image 3: Screenshot of fake Microsoft login site

Original Post:

During a cursory analysis of telemetry related to Microsoft 365 (M365) authentication attempts from unexpected ISPs, Field Effect noticed that the user agent string ‘axios/1.7.2’ was associated with suspicious attempts to log in to various user accounts.

Although Field Effect MDR customers are automatically alerted to this type of suspicious activity, we eager analysts couldn’t help but dig deeper into this unfamiliar user agent string with the goal of discovering a new trend being used to facilitate business email compromise (BEC) attacks.

‘Axios’ user agent string

According to its website, Axios is a promise-based HTTP client for browsers and node.js. It supports multiple features, including XMLHttpRequests from the browser and HTTP requests from node.js. Axios also supports the ability to intercept, transform, and cancel request and response data, which we will see the threat actor leverage later in this investigation.

While the app itself is legitimate, and easily downloaded from its GitHub repository, there is little reason for it to interact with M365 in the manner described above.


Image 4: Screenshot of Axios website (axios-http.com)

Upon further review, we observed that many of the login requests with an Axios user agent string originated from two ISPs: Hostinger International Limited and Global Internet Solutions LLC. These two ISPs have previously been flagged by Field Effect as suspicious due to their frequent abuse by threat actors, usually located in Russia.

Searching for all M365 login attempts from these two ISPs revealed the use of user agent strings associated with older versions of Axios, such as 1.6.8, and another user agent string used sparingly, ‘BAV2ROPC’, which is associated with a legacy Microsoft authentication protocol mostly used by threat actors to enable password spraying attacks.


Image 5: Example of M365 telemetry showing the ‘axios’, ‘BAV2ROPC’, and a seemingly normal user agent string.

We also observed requests that appeared to have legitimate user agent strings. However, further analysis revealed that this was the same user agent string used by the legitimate owner of the targeted account, which is now being used by the threat actor to make the authentication request appear more legitimate. More on this later.

At this point, we were confident we had discovered the previously unreported use of the Axios user agent string to facilitate business email compromise (BEC) attacks on our clients, similar to what has been reported by other researchers on the ‘AZURECLI/2.47.0’ and ‘BAV2ROPC’ user agent strings.

However, we knew there must be more to this story since it appeared that the threat actor was able to successfully log in to some accounts, despite MFA being enabled. This would have required some interaction with the user to obtain both the password and MFA key, tasks an Axios HTTP client is capable of.

Deciphering the attack chain

We zeroed in on a particular login attempt to decipher the wider attack chain. What we discovered is that the targeted user was making requests to some shady-looking domains just as the M365 login attempts occurred.


Image 6: PCAP logs of network activity at the time of the M365 login request

Additionally, the IP (172.64.80[.]1) to which these domains resolved was observed connecting to the target’s M365 login page.

Unfortunately, given the U.S. July 4 holiday, we have not yet been able to obtain the full URL that the targeted user would have followed. And, out of the three domains, only lsj.logentr[.]com currently returns any meaningful content—a default error string used by node.js, an environment in which Axios is capable of running. Curiously, this same default error string also appeared on the IP addresses logging in to the M365 accounts.


Image 7: Default node.js error string returned from lsj.logentr[.]com

Adversary-in-the-middle (AiTM) BEC

Based on experience and analyst intuition, we assess that we are looking at an adversary-in-the-middle (AiTM) BEC attack and that these URLs likely led to what appeared to be an M365 login page, but in fact was an Axios-based lookalike designed to harvest the target’s M365 credentials.

Once the target inputs their credentials and, if necessary, their MFA code, the Axios infrastructure captures and uses them, and possibly the session token, to log the victim into their M365 account, thus completing the AiTM BEC.

The user logs in to their account without suspicion; meanwhile, the threat actor’s Axios-based infrastructure has logged their credentials for future exploitation.

So given this data, we can logically conclude that the threat actor isn’t just using Axios user agent strings to log in to random M365 accounts, but rather using it to proxy login requests from the legitimate account owner, likely a result of them interacting with a phishing email.

While the phishing domains could also have been served up via an infected website, we believe that it was more likely an email-borne attack since we observed that the user opened Outlook.exe right before the attack, which in turn opened the Edge browser, kicking off the requests to the shady phishing domains.


Image 8: Flow chart of Axios user agent string attack chain

It’s unclear why the threat actor did not consistently swap the Axios user agent string for the user’s when forwarding the login, since we did observe some instances where this was the case and Axios does have the ability to change its user agent string.

Using the target’s user agent string would make the request look much more legitimate, but we observed this sparingly. The threat actor may have only changed it when previous attempts using the Axios user agent string failed.

It’s also possible that the threat actor was not always able to capture the target’s user agent string via Axios, or it simply could have been a configuration issue.

Conclusion

Even though it is trivial for threat actors to mask or change the user agent string associated with their attacks, this case and many others show that some threat actors simply choose not to change it or forget to, making it easier for network defenders to detect and prevent certain BEC attacks.

Field Effect maintains an evergreen list of suspicious and malicious user agent strings that are constantly correlated against our telemetry, resulting in an alert or block when one is detected.

However, detecting and blocking connection requests based on the user agent string alone should not be considered an adequate security control in and of itself. Rather, it should be part of a larger detection regime that includes connections from suspicious IP addresses, ISPs, geographical areas, impossible travel, etc., all of which are employed by Field Effect MDR.

This case also reflects the importance of having a holistic view of an organization’s IT infrastructure – network, endpoint, and cloud – to enable the type of threat hunting used in this investigation. Without the ability to observe activity on the impacted hosts, it would have been much more difficult to independently identify the other infrastructure associated with the campaign.

Defending against BEC with Field Effect MDR

BEC attacks are a growing threat in today's digital landscape. In June 2023, the Federal Bureau of Investigation estimated that BEC attacks cost businesses $50 billion worldwide. They're stealthy and often slip through the cracks of traditional security measures. While large corporations often grab the headlines, small and medium businesses are increasingly in the crosshairs due to their often limited cybersecurity resources and defenses.

Tackling BEC calls for a comprehensive, agile, and proactive approach to cybersecurity. For example, Field Effect's MDR solution arms your business with the tools to outsmart BEC attackers at every turn:

  • It detects and alerts you if suspicious inbox rules have been created on accounts, helping thwart attackers' attempts to siphon information covertly.
  • It notifies you when someone registers potential typo-squatting domains for the domains you own.
  • It monitors for authentication events to your user accounts from outside your company's service area or from low-reputation IPs.

Remember, the cost and effort for attackers to execute a BEC attack are minor compared to the damage they can cause. Field Effect MDR proactively protects and empowers your business to face and mitigate the threat. Book a demo today to fortify your business against the widest range of cyberattacks, including BEC.

Mitigation

Network defenders can take several steps to mitigate the risk posed by the BEC activity described above:

  • Search logs for login attempts using the IoCs listed below.
  • Log impacted accounts out of all instances and rotate their credentials.
  • Employ MFA on all accounts.
  • Provide phishing awareness training to all employees to assist them in scrutinizing all unsolicited messages sent via email, text, or social media, especially when those messages contain a link or attachment.
  • Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign.
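
One way to run the log search from the first mitigation step while following the conclusion's advice to pair user agent matching with other signals such as the ISP. This is an added example, not Field Effect's detection logic: the record field names, the sample events and the replayed_user_agent heuristic are assumptions constructed for illustration, and the pattern generalizes the listed Axios versions to any version.

```python
import re

# IoCs from the page: user agent strings and hosting-provider ASNs.
# Matching any axios version is a generalization of the listed 1.6.x/1.7.x values.
IOC_UA = re.compile(r"(?:agent)?axios/\d+(?:\.\d+)*|BAV2ROPC", re.IGNORECASE)
IOC_ASNS = {47583: "Hostinger International Limited",
            207713: "Global Internet Solutions LLC"}

# Constructed sample records. Field names are assumptions, not a real log schema;
# IPs are documentation addresses (RFC 5737), ASNs 645xx are reserved for examples.
EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Edg/126.0"
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "198.51.100.10", "asn": 64500, "ua": EDGE, "ok": True},
    {"user": "alice@example.com", "ip": "203.0.113.7", "asn": 47583, "ua": "axios/1.7.2", "ok": False},
    {"user": "alice@example.com", "ip": "203.0.113.7", "asn": 47583, "ua": EDGE, "ok": True},
    {"user": "bob@example.com", "ip": "203.0.113.99", "asn": 207713, "ua": "BAV2ROPC", "ok": False},
    {"user": "carol@example.com", "ip": "198.51.100.44", "asn": 64501, "ua": "axios/1.6.8", "ok": False},
    {"user": "dave@example.com", "ip": "198.51.100.80", "asn": 64502, "ua": EDGE, "ok": True},
]

def triage(events):
    """Return a finding (user, ip, reasons, severity) for each suspicious sign-in."""
    # Baseline: non-IoC user agents each account has used from unflagged networks.
    baseline = {}
    for e in events:
        if e["asn"] not in IOC_ASNS and not IOC_UA.fullmatch(e["ua"]):
            baseline.setdefault(e["user"], set()).add(e["ua"])
    findings = []
    for e in events:
        reasons = []
        if IOC_UA.fullmatch(e["ua"]):
            reasons.append("ioc_user_agent")
        if e["asn"] in IOC_ASNS:
            reasons.append("ioc_asn")
            # The actor sometimes forwards the victim's own user agent, so a
            # familiar string arriving from a flagged network is itself a signal.
            if e["ua"] in baseline.get(e["user"], ()):
                reasons.append("replayed_user_agent")
        if reasons:
            # A successful sign-in from a flagged network may hold a live session.
            high = e["ok"] and "ioc_asn" in reasons
            findings.append({"user": e["user"], "ip": e["ip"], "reasons": reasons,
                             "severity": "high" if high else "medium"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["ip"], ",".join(f["reasons"]))
```

The third sample event carries an ordinary browser user agent and would pass a user-agent-only filter; it is flagged because it arrives from a listed ASN with a string the account normally uses elsewhere.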

For more information regarding BEC attacks and how to prevent them, feel free to check out the following Field Effect blogs:

Indicators of Compromise

User Agent Strings:

axios/1.7.2
axios/1.7.1
axios/1.6.8
axios/1.6.7
agentaxios/1.7.2
BAV2ROPC

Hosting Providers:

Hostinger International Limited (AS47583)
Global Internet Solutions LLC (AS207713)

Phishing Domains:

lsj.logentr[.]com
okhyg.unsegin[.]com
ldn3.p9j32[.]com
8ex.unceridefu[.]com
live.dot[.]vu **

IP Addresses:


** As of September 24, the owners of this domain have indicated that the threat actor's use of this infrastructure has been mitigated.