New Device Registration Tactic

Research from Microsoft identified threat activity with attackers taking advantage of users’ accounts with unregistered devices for MFA. The attackers are then utilizing those accounts to register their devices onto the target organization's Azure Active Directory. The threat occurs in two waves. The first involving a phishing campaign aiming to steal credentials and add an outlook rule. the outlook rule has a consistent pattern with over one hundred identified mailboxes having specific rule entry. The second wave utilizes the stolen credentials to gain access and expand their foothold in the target's environment. Targeted organizations were located mostly in Australia, Singapore, Indonesia, and Thailand.