One Article Review

Home - The article:
Source: RiskIQ
Identifier: 8615042
Publication date: 2024-11-20 22:24:05 (seen: 2024-11-20 23:08:26)
Title: AiTM Phishing, Hold the Gabagool: Analyzing the Gabagool Phishing Kit
Text:

## Snapshot

TRAC Labs researchers released a report detailing phishing campaigns using a phishing kit, dubbed "Gabagool," targeting corporate and government employees.

## Description

The infection chain begins when an attacker compromises a user's email account and begins distributing phishing emails to other employees. The phishing emails contain fake document images or QR codes that, when clicked or scanned, redirect the user to a legitimate file-sharing platform such as SharePoint, Box, or SugarSync. Once at the file-sharing platform, users are again prompted to view or download a document and are redirected to another landing page, hosted on a Cloudflare R2 bucket.

The Gabagool kit uses AES encryption to hide its operations, including communication with its command-and-control server. Credential harvesting occurs on the landing pages, with stolen data sent to an encrypted server. The phishing framework targets enterprise and government data: the server performs validations so that only organizational domains are accepted, while email addresses from domains like outlook[.]com and hotmail[.]com are rejected. The framework also adapts to the user's authentication settings, including multifactor authentication, by presenting options like phone app notifications or SMS codes.

## Recommendations

- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO tokens, or [Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app) with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- For more granular control, enable conditional access policies. [Conditional access](https://learn.microsoft.com/entra/identity/conditional-access/overview) policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant device or trusted IP address requirements.
- Implement [continuous access evaluation](https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation).
- Turn on [Safe Links](https://learn.microsoft.com/defender-office-365/safe-links-about) and [Safe Attachments](https://learn.microsoft.com/defender-office-365/safe-attachments-about) for Office 365.
- Enable [Zero-hour auto purge (ZAP)](https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode wor
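The two-hop redirect described above (legitimate file-sharing platform, then a landing page on a Cloudflare R2 bucket) is something a defender can hunt for in web proxy logs. The following is an added example, not code from the RiskIQ report or the TRAC Labs analysis; the log format, the sample hostnames and the `r2.dev` public-bucket hostname pattern are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log: "<timestamp> <user> <hostname>" per line.
# Hostnames are invented for illustration, not indicators from the report.
SAMPLE_LOG = """\
2024-11-20T09:00:01 alice acme.sharepoint.com
2024-11-20T09:00:09 alice pub-abc123.r2.dev
2024-11-20T09:05:00 bob app.box.com
2024-11-20T11:30:00 bob pub-ghi789.r2.dev
2024-11-20T12:00:00 carol www.sugarsync.com
2024-11-20T12:00:04 carol pub-def456.r2.dev
"""

# First hop: the legitimate file-sharing platforms named in the report.
FILE_SHARING = ("sharepoint.com", "box.com", "sugarsync.com")
# Second hop: Cloudflare R2 public bucket hostnames (assumed naming pattern).
R2_HOST = re.compile(r"(^|\.)r2\.dev$")
# Only a quick hand-off from platform to bucket counts as one chain.
WINDOW = timedelta(seconds=60)


def is_file_sharing(host):
    """True if host is one of the platforms or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING)


def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host.lower()))
    return events


def find_chains(log, window=WINDOW):
    """Return (user, platform_host, r2_host) for each user whose visit to a
    file-sharing platform is followed within `window` by an R2 bucket host."""
    hits = []
    last_share = {}  # user -> (timestamp, host) of latest file-sharing visit
    for ts, user, host in sorted(parse(log)):
        if is_file_sharing(host):
            last_share[user] = (ts, host)
        elif R2_HOST.search(host) and user in last_share:
            prev_ts, prev_host = last_share[user]
            if ts - prev_ts <= window:
                hits.append((user, prev_host, host))
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print("Suspected AiTM redirect chain:", hit)
```

Bob's R2 visit hours after the Box visit falls outside the window and is not flagged; tune `WINDOW` to the redirect latency seen in your own telemetry.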
Notes ★★★
Sent: Yes
Tags: Spam Malware Tool Threat Mobile


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.