TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Microsoft Security Blog

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

Microsoft Defender Security Research Team and Microsoft Threat Intelligence · 2 days ago

ATT&CK techniques detected

21 predictions; each entry lists the technique, its confidence score, and the excerpt of the original post it was predicted from.
T1566.002 Spearphishing Link (89%)
"Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise. Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effe…"

T1566.002 Spearphishing Link (85%)
"…been “issued through an authorized internal channel” and that links and attachments had been “reviewed and approved for secure access”, reinforcing the email’s purported legitimacy. To further support the confidentiality of the supposed review, the end of each message conta…"

T1566.002 Spearphishing Link (84%)
"…attack chain ultimately led to a legitimate sign-in experience that was part of an adversary-in-the-middle (AiTM) phishing flow, which allowed the attackers to proxy the authentication session and capture authentication tokens that could provide immediate account access…"

T1566.002 Spearphishing Link (84%)
"…organization has established essential defenses and knows how to monitor and respond to threat activity. Invest in user awareness training and phishing simulations. Attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages i…"

T1566.002 Spearphishing Link (81%)
"…than 35,000 users across over 13,000 organizations in 26 countries, with the majority of targets located in the United States (92%). The campaign did not focus on a single vertical but instead impacted a broad range of industries, most notably healthcare & life sciences (19%)…"

T1566.002 Spearphishing Link (80%)
"…users were initially directed to one of two attacker-controlled domains (for example, acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de). These landing pages displayed a Cloudflare CAPTCHA, presented as a mechanism to validate that the use…"

T1556.006 Multi-Factor Authentication (74%)
"…phishing sites, scam sites, and sites that host malware. Enable password-less authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support password-less. For accounts that still require passwords, use authenticator app…"

T1566.002 Spearphishing Link (69%)
"…threats found in customer environments. Threat overview profile: Adversary-in-the-middle credential phishing. Threat overview profile: Evolving phishing threats. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defend…"

T1111 Multi-Factor Authentication Interception (62%)
"…users were initially directed to one of two attacker-controlled domains (for example, acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de). These landing pages displayed a Cloudflare CAPTCHA, presented as a mechanism to validate that the use…"

T1557.001 Name Resolution Poisoning and SMB Relay (52%)
"…indicating that verification was successful and that their “case” was being prepared. Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whe…"

T1566 Phishing (50%)
"Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise. Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effe…"

T1566 Phishing (48%)
"…attack chain ultimately led to a legitimate sign-in experience that was part of an adversary-in-the-middle (AiTM) phishing flow, which allowed the attackers to proxy the authentication session and capture authentication tokens that could provide immediate account access…"

T1111 Multi-Factor Authentication Interception (45%)
"…attack chain ultimately led to a legitimate sign-in experience that was part of an adversary-in-the-middle (AiTM) phishing flow, which allowed the attackers to proxy the authentication session and capture authentication tokens that could provide immediate account access…"

T1598 Phishing for Information (44%)
"…-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports. Customers can also deploy AI agents, including the following Microsoft Security Copilot agen…"

T1566.001 Spearphishing Attachment (44%)
"…been “issued through an authorized internal channel” and that links and attachments had been “reviewed and approved for secure access”, reinforcing the email’s purported legitimacy. To further support the confidentiality of the supposed review, the end of each message conta…"

T1528 Steal Application Access Token (44%)
"…latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence blog. To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories…"

T1528 Steal Application Access Token (43%)
"…indicating that verification was successful and that their “case” was being prepared. Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whe…"

T1598.002 Spearphishing Attachment (38%)
"…been “issued through an authorized internal channel” and that links and attachments had been “reviewed and approved for secure access”, reinforcing the email’s purported legitimacy. To further support the confidentiality of the supposed review, the end of each message conta…"

T1557 Adversary-in-the-Middle (37%)
"…attack chain ultimately led to a legitimate sign-in experience that was part of an adversary-in-the-middle (AiTM) phishing flow, which allowed the attackers to proxy the authentication session and capture authentication tokens that could provide immediate account access…"

T1557 Adversary-in-the-Middle (33%)
"…users were initially directed to one of two attacker-controlled domains (for example, acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de). These landing pages displayed a Cloudflare CAPTCHA, presented as a mechanism to validate that the use…"

T1566.003 Spearphishing via Service (33%)
"Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise. Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effe…"
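The excerpts above describe an AiTM flow that proxies the sign-in and captures the resulting token, and a mitigation that moves accounts to password-less methods such as FIDO keys. The following is an added example, written for this page and not code from Microsoft or from the original post, that models both in Python: a password-plus-OTP login relayed through an attacker's proxy, and a WebAuthn-style login whose assertion is bound to the origin the browser saw. All origins, user names, credentials and the HMAC stand-in for the assertion signature are constructed assumptions; there is no network and no real cryptography.

```python
# Toy model (constructed for this page, not Microsoft's code) of the AiTM flow
# quoted above and of the origin binding that lets FIDO/WebAuthn resist it.
# No network, no real IdP, no real crypto: the session token is a random string
# standing in for the post-login cookie, and the "assertion" is an HMAC over
# (challenge, origin) standing in for a WebAuthn signature. All names are hypothetical.
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://login.example"    # hypothetical legitimate sign-in origin
PHISH_ORIGIN = "https://phish.example"  # hypothetical attacker-controlled origin


def assertion(key: bytes, challenge: str, origin: str) -> str:
    # The signed data covers the origin the browser actually saw.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self):
        self.passwords = {"alice": "correct-horse"}           # constructed credential
        self.otps = {"alice": "123456"}                        # constructed OTP
        self.fido_keys = {"alice": secrets.token_bytes(32)}    # stands in for the public key
        self.sessions = {}                                     # token -> user
        self.challenges = set()                                # outstanding FIDO challenges

    def password_otp_login(self, user, password, otp):
        # The IdP sees only the secrets, not where the user typed them, so a
        # relayed login is indistinguishable from a genuine one.
        if self.passwords.get(user) != password or self.otps.get(user) != otp:
            return None
        token = secrets.token_hex(16)  # would be set as the session cookie
        self.sessions[token] = user
        return token

    def fido_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def fido_login(self, user, challenge, claimed_origin, signature):
        # WebAuthn-style checks: our challenge, our origin, signature over that origin.
        if challenge not in self.challenges or claimed_origin != IDP_ORIGIN:
            return None
        self.challenges.discard(challenge)
        expected = assertion(self.fido_keys[user], challenge, claimed_origin)
        if not hmac.compare_digest(expected, signature):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class Authenticator:
    # The browser, not the web page, tells the security key which origin it is on.
    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge, browser_origin):
        return assertion(self.key, challenge, browser_origin)


class AitmProxy:
    # Attacker site that relays the victim's input to the real IdP and keeps
    # any session token that comes back.
    def __init__(self, idp):
        self.idp = idp
        self.captured = []

    def relay_password_otp(self, user, password, otp):
        token = self.idp.password_otp_login(user, password, otp)
        if token:
            self.captured.append(token)  # victim and attacker now share a live session
        return token

    def relay_fido(self, user, authenticator, forge_origin=False):
        challenge = self.idp.fido_challenge()
        signature = authenticator.sign(challenge, PHISH_ORIGIN)  # browser is on the phishing origin
        claimed = IDP_ORIGIN if forge_origin else PHISH_ORIGIN   # proxy can rewrite the claim, not the signature
        token = self.idp.fido_login(user, challenge, claimed, signature)
        if token:
            self.captured.append(token)
        return token


def run_scenarios():
    # Which sign-in paths leave the proxy holding a usable token?
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    key = Authenticator(idp.fido_keys["alice"])
    relayed = proxy.relay_password_otp("alice", "correct-horse", "123456")
    fido_honest = proxy.relay_fido("alice", key)
    fido_forged = proxy.relay_fido("alice", key, forge_origin=True)
    challenge = idp.fido_challenge()  # same key used directly on the real origin
    fido_direct = idp.fido_login("alice", challenge, IDP_ORIGIN, key.sign(challenge, IDP_ORIGIN))
    return {
        "password_otp_token_captured": idp.sessions.get(relayed) == "alice" and relayed in proxy.captured,
        "fido_via_proxy_honest": fido_honest is not None,
        "fido_via_proxy_forged_origin": fido_forged is not None,
        "fido_direct": fido_direct is not None,
        "tokens_captured": len(proxy.captured),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Run it directly to print the outcome of each path. The password and OTP are the same secrets wherever they are typed, so the IdP cannot tell the relay apart from the victim, and the proxy ends up with a live session token. The FIDO assertion fails either because the signed origin is the phishing site or because a rewritten origin no longer matches the signature; in a real deployment the browser additionally refuses to produce an assertion for an RP ID that does not match the page's domain, so the relay never gets that far.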

Summary

Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies the trend described in the post's opening: phishing campaigns blending social engineering, delivery and hosting infrastructure, and authentication abuse. It used ‘code of conduct’-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains.
