A wave of data breaches is spreading between organisations – cut off the phishing
Email accounts of Finnish organisations are being hijacked through a widespread phishing campaign. Criminals have been phishing the usernames and passwords of employees via email and scam pages, and using the credentials to log in to Microsoft 365 email systems. The hijacked accounts are then used to send new phishing messages both within the organisation and to other organisations.
The NCSC-FI has received dozens of reports of breached Microsoft accounts and of phishing messages sent from those accounts. Through the data breaches the attacker has gained access to the accounts and to the emails connected to them. The NCSC-FI has no information indicating that the data breaches have led to lateral movement within the organisations' systems. However, the account breaches expose the organisations to other information security risks.
The progression of the information security violation
- The attacker sends phishing messages from the breached user accounts via email to previous contacts of the user account. The content of the phishing messages has varied.
- The attacker may reuse the data breach victim’s previously sent email messages, adding a link to a phishing site. In many cases, the phishing message looks like a secure email message: it has been faked to resemble a commonly used secure email, but the link to the secure email service has been changed so that it leads to a site controlled by the criminals.
- In some cases, the attacker has sent real secure email messages. The phishing link has been included in the secure email message.
- The phishing sites have used advanced adversary-in-the-middle automation (AitM) which can in some cases bypass multi-factor authentication (MFA). More information on bypassing MFA using AitM.
- Very soon after successful phishing, the attacker tries to break into the user account. Login attempts have been registered from around the world, including Finland. After successfully logging in, the attacker sends new phishing messages from the account to the account’s contact list.
- In some cases, when the receiver of the phishing message has answered the email in Finnish, the attacker has sent a response in Finnish asking the receiver to open the link in the phishing message. If there is reason to believe that a message is fake, the authenticity of the message should be checked using some other communication channel. For example, you can check the authenticity of the email message by calling the sender.
Target group of the alert
Companies and other organisations that use Microsoft 365 products.
Possible solutions and restrictive measures
Preventive and restrictive measures
- Training and informing personnel
- If you suspect that a message that you have received is fake, don’t reply to the message. Instead, check the authenticity of the message in some other way (e.g. phone call, instant message).
- If you suspect that an email account has been hacked, check the forwarding rules in the administrator view and the user view.
- It is usually not enough to change the passwords of the hacked accounts if the criminals have been able to steal the session cookie.
- Check that the attacker hasn’t added their own MFA device to the accounts.
- Temporarily revoke all of the user’s access rights in order to close all open sessions; see https://learn.microsoft.com/fi-fi/azure/active-directory/enterprise-users/users-revoke-access
- Multi-factor authentication (MFA) has not stopped the criminals.
- Geoblocking logins is not necessarily enough to contain the incident. Attacker traffic is also routed through Finland.
- Adopting Conditional Access can be effective.
- In some previous phishing campaigns, the hacked accounts have been used to install the emClient application (Azure AD enterprise application) that has been used to forward phishing messages.
- Good instructions: https://learn.microsoft.com/en-us/microsoftteams/manage-apps#allow-or-block-apps
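The following triage script is an added example, not part of the NCSC-FI alert: it walks through the checks above for one suspected-compromised account (recent sign-ins from many countries, forwarding rules, newly added MFA methods, consented enterprise applications such as emClient) and then revokes the user's sessions, since a password change alone does not invalidate a stolen session cookie. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, the operator holds the required admin roles, and `$Upn` is the account under investigation.

```powershell
# Added triage example (not from the NCSC-FI alert). Assumes ExchangeOnlineManagement
# and Microsoft.Graph modules are installed; $Upn is a placeholder for the account.
param([Parameter(Mandatory)][string]$Upn)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All',
    'Directory.Read.All','User.ReadWrite.All'

# 1. Recent sign-ins: the alert notes attempts from around the world, including Finland,
#    so summarise country/IP/success instead of relying on a geoblock
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 100 |
    Group-Object { "$($_.Location.CountryOrRegion) $($_.IPAddress) success=$($_.Status.ErrorCode -eq 0)" } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 2. Forwarding: mailbox-level forwarding plus inbox rules (hidden rules included)
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox-level forwarding set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
}
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object {
        Write-Warning "Inbox rule '$($_.Name)' enabled=$($_.Enabled) forward=$($_.ForwardTo) redirect=$($_.RedirectTo) delete=$($_.DeleteMessage)"
    }

# 3. MFA: list registered methods with creation time so an attacker-added device stands out
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    $p = $_.AdditionalProperties
    [pscustomobject]@{ Type = $p['@odata.type']; Name = $p['displayName']; Created = $p['createdDateTime']; Id = $_.Id }
} | Format-Table -AutoSize

# 4. OAuth consents: applications the user has granted access to their data
Get-MgUserOauth2PermissionGrant -UserId $Upn | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $flag = if ($sp.DisplayName -match 'em ?client') { ' <-- review (named in the alert)' } else { '' }
    "$($sp.DisplayName) scopes=[$($_.Scope)]$flag"
}

# 5. Close all open sessions by revoking refresh tokens; reset the password and remove
#    unknown MFA methods and consents afterwards
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Sessions revoked for $Upn"
```

Review the output by hand before removing anything: a rule or method that looks unfamiliar may be legitimate, and removing a user's real authenticator locks them out.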
Report the matter to the police and to the NCSC-FI
The current campaign is widespread and several organisations have suffered successful data breaches. The fact that successful breaches are exploited for further breaches makes open and fast sharing of information especially important. We encourage everyone who has been targeted by the campaign to actively report their observations to the NCSC-FI. The NCSC-FI passes the information on within its cooperation networks. By sharing information about detected incidents, we can develop defences together and prevent further data breaches.
A data breach or an attempted data breach should be reported to the police. It is also good to report the incidents to the NCSC-FI. When sending a report to the NCSC-FI, you can add an example of the phishing message and information on the effects of the incident for the organisation.
The alert is no longer valid (8 Nov 2023).