The scam started in Sept. 2021 and attackers managed to
Microsoft has identified a large-scale phishing campaign that has targeted over 10,000 organizations since Sept. 2021 in a bid to steal large sums of money.
As Ars Technica reports, the campaign uses an adversary-in-the-middle (AiTM) technique to insert a proxy site between the account of an employee and the work server they are trying to connect to. The attacker-controlled site is accessed via an HTML attachment in a phishing email.
When the user unknowingly enters their credentials into the proxy site, it relays them to the real work server, completes the user authentication for Outlook online, then grabs the session cookie to ensure the authentication remains active and they can access the employee's email account
multifactor authentication.
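A defender-side heuristic for the session-cookie theft described above, as an added example (not code from Microsoft or from the article): flag any session whose cookie is later presented from a different IP address or user agent than the one that completed sign-in. The log format, field names and sample events are constructed for illustration, and a changed client is a signal to review, since users also move between networks legitimately.

```python
import json

# Constructed sample web-access log (JSON lines); field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2022-07-12T09:00:01Z", "user": "alice", "session": "s-100", "event": "signin", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge"}
{"ts": "2022-07-12T09:00:40Z", "user": "alice", "session": "s-100", "event": "mail_read", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge"}
{"ts": "2022-07-12T09:05:13Z", "user": "alice", "session": "s-100", "event": "mail_read", "ip": "203.0.113.50", "ua": "python-requests/2.28"}
{"ts": "2022-07-12T09:10:00Z", "user": "bob", "session": "s-200", "event": "signin", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari"}
{"ts": "2022-07-12T09:12:00Z", "user": "bob", "session": "s-200", "event": "mail_read", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari"}
{"ts": "2022-07-12T09:15:00Z", "user": "carol", "session": "s-300", "event": "mail_read", "ip": "192.0.2.99", "ua": "Mozilla/5.0 (X11) Firefox"}
"""

def parse_events(text):
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
    return events

def find_session_reuse(events):
    """Return findings for sessions used from a client other than the one that signed in."""
    origin = {}    # session id -> (ip, ua) recorded at sign-in
    findings = []
    for e in events:
        client = (e["ip"], e["ua"])
        sid = e["session"]
        if e["event"] == "signin":
            origin[sid] = client
        elif sid not in origin:  # sign-in outside the log window: report, do not guess
            findings.append({"session": sid, "user": e["user"], "reason": "no_signin_seen", "ts": e["ts"]})
        elif client != origin[sid]:
            changed = [k for k, a, b in zip(("ip", "ua"), client, origin[sid]) if a != b]
            findings.append({"session": sid, "user": e["user"], "reason": "changed:" + ",".join(changed), "ts": e["ts"]})
    return findings

if __name__ == "__main__":
    for f in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(f)
```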