“Only then the desired credentials are acquired, and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded),” Mandiant said.
These campaigns were carried out in three subsequent steps, Mandiant added. It starts with the victim being tricked into clicking on malicious links with lures that include content related to Iran and other foreign affairs topics. Once clicked the links send victims to fake websites posing as legitimate services, news outlets, and NGOs. Finally, the victims are redirected to fake Microsoft, Google, or Yahoo login pages where harvesting is then carried out.
“APT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate and relevant events and conferences,” the blog added. “In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did not identify malicious elements in the files, suggesting they were used solely to gain the victim’s trust.”
To avoid detection, the threat actor deployed multiple defense evasion techniques, that included relying on in-built and publicly available tools of the Microsoft 365 environment, using anonymized infrastructure, and masquerading as the victim’s organization while exfiltrating files to OneDrive.
Spear Phishing for dropping malware
In addition to the credentials harvesting campaigns, the threat actor was observed deploying two custom backdoors. TAMECAT, a PowerShell toehold that can execute arbitrary PowerShell or C# commands, was identified by Mandiant in March 2024 and dropped by phishing through malicious macro documents.
“Mandiant previously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world,” the blog added.