
Phishing emails sent via Microsoft OneDrive and SharePoint sharing invitations from trusted contacts used to lure Kiwi victims


The National Cyber Security Centre (NCSC) has issued an alert that a phishing campaign targeting New Zealand organisations is currently underway. According to the NCSC, the phishing emails are sent from compromised user accounts, so they can arrive from contacts the recipient knows or trusts, in the form of Microsoft OneDrive and SharePoint sharing invitations.

Clicking the invitation redirects users to malicious websites set up to harvest credentials or session tokens. A session token is a short string, typically held as a browser cookie or bearer token, that forms part of the authentication and authorisation chain for access to web resources. It is issued after the user has presented valid credentials and, where policy requires it, completed multi-factor authentication (MFA).

An attacker who obtains a victim's session token and replays it unnoticed can do anything the user in question is authorised to do, for as long as the token remains valid, without needing the password or repeating the MFA step.

In Microsoft environments such as Azure Active Directory (now Microsoft Entra ID), which issues OAuth 2.0 and OpenID Connect tokens, the tokens carry claims such as the username, the source Internet Protocol (IP) address at sign-in, the authentication methods used (including whether MFA was completed) and the roles or privileges the user holds.

Session tokens can be captured by attackers who insert themselves between the user and the application being accessed, for example with a phishing site that proxies the real login page to the victim. That adversary-in-the-middle position captures the credentials and the MFA-satisfied session token together.

Information-stealing malware on a compromised device can also be used by attackers to take credentials and session cookies or tokens directly from the browser.
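The replay problem described above, as an added example that is not part of the NCSC alert or this article: the token carries the sign-in IP, the authentication methods and the expiry, so a relying party or a SOC analyst can compare those claims with the request that presents the token. The claim names `upn`, `ipaddr` and `amr` are the ones Azure AD / Entra ID tokens use; the `roles` value, the user, the IP addresses, the timestamps and the HMAC demo key are constructed for this example (real Entra ID tokens are RS256-signed by Microsoft, not HMAC-signed by the application).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key so the example runs offline. Real Azure AD / Entra ID
# tokens are RS256-signed by Microsoft and verified against its published keys.
DEMO_SECRET = b"demo-secret-not-for-production"

# Constructed timestamps so the example is deterministic.
ISSUED_AT = 1_700_000_000
EXPIRES_AT = ISSUED_AT + 3600


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Mint a compact JWT over the given claims with the demo HMAC key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Verify the demo signature and return the claims; raises ValueError on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("token signature does not verify")
    return json.loads(b64url_decode(payload))


def is_valid_token(token: str) -> bool:
    try:
        decode_claims(token)
        return True
    except ValueError:  # covers bad structure, bad base64 and bad JSON too
        return False


def assess_replay(token: str, request_ip: str, now: int) -> list[str]:
    """Compare the token's claims with the request that presents it.

    Returns a list of findings; an empty list means nothing looked wrong.
    ipaddr records the IP at sign-in, so a mismatch is a signal to investigate
    (users roam between networks), not proof of theft on its own.
    """
    claims = decode_claims(token)
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    issued_ip = claims.get("ipaddr")
    if issued_ip and issued_ip != request_ip:
        findings.append(f"ipaddr claim {issued_ip} differs from request source {request_ip}")
    if "mfa" not in claims.get("amr", []):
        findings.append("amr claim shows no MFA; token may predate or bypass the MFA policy")
    return findings


# Constructed sample: a token the legitimate user obtained with MFA from 203.0.113.10.
SAMPLE_TOKEN = make_demo_token({
    "upn": "alex.tane@example.org.nz",   # username
    "ipaddr": "203.0.113.10",           # source IP at sign-in
    "amr": ["pwd", "mfa"],              # authentication methods used
    "roles": ["Finance.Reader"],        # constructed privilege claim
    "iat": ISSUED_AT,
    "exp": EXPIRES_AT,
})

if __name__ == "__main__":
    # Same user, same network: no findings.
    print(assess_replay(SAMPLE_TOKEN, "203.0.113.10", ISSUED_AT + 60))
    # Token replayed by an attacker from elsewhere within its lifetime: flagged.
    print(assess_replay(SAMPLE_TOKEN, "198.51.100.7", ISSUED_AT + 60))
```

The check is deliberately advisory: a mismatched `ipaddr` is a lead for an analyst, and the decisive control is shortening token lifetimes or revoking sessions once theft is suspected, since a stolen token is otherwise valid until it expires.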

The cyber security centre advises organisations to monitor for phishing activity and to remind staff to be vigilant about any sharing links they receive, particularly those arriving from external domains.

Any additional security controls that can be applied to mitigate the phishing activity should also be considered, NCSC advised.
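One such control, as an added example that is not from the NCSC alert or this article: a triage check over incoming sharing invitations that flags senders outside the organisation's own domains and links whose host is not one Microsoft actually uses for OneDrive or SharePoint sharing. The organisation's domain, the people and the two sample messages are constructed for this example. Note the limitation the alert itself implies: a genuine share link sent from a compromised account points at a real Microsoft host and passes the host check, so the sender and lookalike checks are a filter, not a guarantee.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.org.nz"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_microsoft_sharing_host(host: str) -> bool:
    """True for the hosts Microsoft itself uses for OneDrive/SharePoint share links.

    A genuine link from a compromised account passes this check; it catches
    lookalike and attacker-owned hosts, not abused real ones.
    """
    host = host.lower()
    return host.endswith(".sharepoint.com") or host in {"1drv.ms", "onedrive.live.com"}


def extract_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html bodies of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage_sharing_invite(raw_eml: str) -> dict:
    """Flag a sharing invitation on sender origin and on where its links point."""
    msg = message_from_string(raw_eml)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    flags = []
    if sender_domain not in INTERNAL_DOMAINS:
        flags.append(f"external sender domain: {sender_domain}")
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(extract_text(msg))})
    for host in hosts:
        if is_microsoft_sharing_host(host):
            continue
        kind = "lookalike" if ("sharepoint" in host or "onedrive" in host) else "non-Microsoft"
        flags.append(f"{kind} sharing host: {host}")
    return {"sender_domain": sender_domain, "hosts": hosts, "flags": flags}


# Constructed sample messages (not real mail).
SAMPLE_INTERNAL = """\
From: Alex Tane <alex.tane@example.org.nz>
To: kiri.rau@example.org.nz
Subject: Alex Tane shared "Q3 budget.xlsx" with you
Content-Type: text/plain; charset="utf-8"

Alex Tane shared a file with you.
Open: https://exampleorgnz-my.sharepoint.com/:x:/g/personal/alex_tane/EXAMPLE
"""

SAMPLE_EXTERNAL_LOOKALIKE = """\
From: "Alex Tane" <alex.tane@partner-mail.example>
To: kiri.rau@example.org.nz
Subject: Alex Tane shared a document with you
Content-Type: text/plain; charset="utf-8"

Open: https://onedrive-sharepoint-secure.example/review?doc=EXAMPLE
"""

if __name__ == "__main__":
    print(triage_sharing_invite(SAMPLE_INTERNAL)["flags"])
    print(triage_sharing_invite(SAMPLE_EXTERNAL_LOOKALIKE)["flags"])
```

In practice a rule like this sits in a mail gateway or a SOAR playbook and feeds into user warnings or quarantine; the indicators CERT NZ distributes (below) can be added to the host check as a denylist of hosts already seen in live campaigns.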

The New Zealand Computer Emergency Response Team (CERT NZ) operates a Phishing Disruption Service, which provides phishing-specific indicators that CERT NZ verifies and distributes to subscribers via an application programming interface (API).

NCSC is part of New Zealand's Government Communications Security Bureau, one of the country's intelligence agencies.



1 Comment

FYI - SharePoint has a capital P in the middle, don't ask why when it comes to Microsoft naming things!
