Blog
/

Email

/
March 29, 2023

Email Security & Future Innovations: Educating Employees

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Mar 2023
As online attackers change to targeted and sophisticated attacks, Darktrace stresses the importance of protection and utilizing steady verification codes.

In an escalating threat landscape with email as the primary target, IT teams need to move far beyond traditional methods of email security that haven’t evolved fast enough – they’re trained on historical attack data, so only catch what they’ve seen before. By design, they are permanently playing catch up to continually innovating attackers, taking an average of 13 days to recognize new attacks[1]

Phishing attacks are getting more targeted and sophisticated as attackers innovate in two key areas: delivery tactics, and social engineering. On the malware delivery side, attackers are increasingly ‘piggybacking’ off the legitimate infrastructure and reputations of services like SharePoint and OneDrive, as well as legitimate email accounts, to evade security tools. 

To evade the human on the other end of the email, attackers are tapping into new social engineering tactics, exploiting fear, uncertainty, and doubt (FUD) and evoking a sense of urgency as ever, but now have tools at their disposal to enable tailored and personalized social engineering at scale. 

With the help of tools such as ChatGPT, threat actors can leverage AI technologies to impersonate trusted organizations and contacts – including damaging business email compromises, realistic spear phishing, spoofing, and social engineering. In fact, Darktrace found that the average linguistic complexity of phishing emails has jumped by 17% since the release of ChatGPT.  

This is just one example of accelerating attack sophistication – lowering the barrier to entry and improving outcomes for attackers. It forms part of a wider trend of the attack landscape moving from low-sophistication, low-impact, and generic phishing tactics - a 'spray and pray' approach - to more targeted, sophisticated, and higher impact attacks that fall outside of the typical detection remit for any tool relying on rules and signatures. Generative AI and other technologies in the attackers' toolkit will soon enable the launch of these attacks at scale, and only being able to catch known threats that have been seen before will no longer be enough.

Figure 1: The progression of attacks and relative coverage of email security tools

In an escalating threat landscape with email as the primary target, the vast majority of email security tools haven't evolved fast enough – they’re trained on historical attack data, so only catch what they’ve seen before. They look to the past to try and predict the next attack, and are designed to catch today’s attacks tomorrow.

Organizations are increasingly moving towards AI systems, but not all AI is the same, and the application of that AI is crucial. IT and security teams need to move towards email security that is context-aware and leverages AI for deep behavioral analysis. And it’s a proven approach, successfully catching attacks that slip by other tools across thousands of organizations. And email security today needs to be more about just protecting the inbox. It needs to address not just malicious emails, but the full 360-degree view of a user across their email messages and accounts, as well as extended coverage where email bleeds into collaboration tools/SaaS. For many organizations, the question is not if they should upgrade their email security, but when – how much longer can they risk relying on email security that’s stuck looking to the past?  

The Email Security Industry: Playing Catch-Up

Gateways and ICES (Integrated Cloud Email Security) providers have something in common: they look to past attacks in order to try to predict the future. They often rely on previous threat intelligence and on assembling ‘deny-lists’ of known bad elements of emails already identified as malicious – these tools fail to meet the reality of the contemporary threat landscape. Some of these tools attempt to use AI to improve this flawed approach, looking not only for direct matches, but using "data augmentation" to try and find similar-looking emails. But this approach is still inherently blind to novel threats. 

These tools tend to be resource-intensive, requiring constant policy maintenance combined with the hand-to-hand combat of releasing held-but-legitimate emails and holding back malicious phishing emails. This burden of manually releasing individual emails typically falls on security teams, teams that are frequently small with multiple areas of responsibility. The solution is to deploy technology that autonomously stops the bad while allowing the good through, and adapts to changes in the organization – technology that actually fits the definition of ‘set and forget’.  

Becoming behavioral and context-aware  

There is a seismic shift underway in the industry, from “secure” email gateways to intelligent AI-driven thinking. The right approach is to understand the behaviors of end users – how each person uses their inbox and what constitutes ‘normal’ for each user – in order to detect what’s not normal. It makes use of context – how and when people communicate, and with who – to spot the unusual and to flag to the user when something doesn’t look quite right – and why. Basically, a system that understands you. Not past attacks.  

Darktrace has developed a fundamentally different approach to AI, one that doesn’t learn what’s dangerous from historical data but from a deep continuous understanding of each organization and their users. Only a complex understanding of the normal day-to-day behavior of each employee can accurately determine whether or not an email actually belongs in that recipient’s inbox. 

Whether it’s phishing, ransomware, invoice fraud, executive impersonation, or a novel technique, leveraging AI for behavioral analysis allows for faster decision-making – it doesn’t need to wait for a Patient Zero to contain a new attack because it can stop malicious threats on first encounter. This increased confidence in detection allows for more a precise response – targeted action to remove only the riskiest parts of an email, rather than taking a broad blanket response out of caution – in order to reduce risk with minimal disruption to the business. 

Returning to our attack spectrum, as the attack landscape moves increasingly towards highly sophisticated attacks that use novel or seemingly legitimate infrastructure to deliver malware and induce victims, it has never been more important to detect and issue an appropriate response to these high-impact and targeted attacks. 

Fig 2: How Darktrace combined with native email security to cover the full spectrum of attacks

Understanding you and a 360° view of the end user  

We know that modern email security isn’t limited to the inbox alone – it has to encompass a full understanding of a user’s normal behavior across email and beyond. Traditional email tools are focused solely on inbound email as the point of breach, which fails to protect against the potentially catastrophic damage caused by a successful email attack once an account has been compromised.    

Fig 3: A 360° understanding of a user reveals their digital touchpoints beyond Microsoft

In order to have complete context around what is normal for a user, it’s crucial to understand their activity within Microsoft 365, Google Workspace, Salesforce, Dropbox, and even their device on the network. Monitoring devices (as well as inboxes) for symptoms of infection is crucial to determining whether or not an email has been malicious, and if similar emails need to be withheld in the future. Combining with data from cloud apps enables a more holistic view of identity-based attacks. 

Understanding a user in the context of the whole organization – which also means network, cloud, and endpoint data – brings additional context to light to improve decision making, and connecting email security with external data on the attack surface can help proactively find malicious domains, so that defenses can be hardened before an attack is even launched.

Educating and Engaging Your Employees

Ultimately, it’s employees who interact with any given email. If organizations can successfully empower this user base, they will end up with a smarter workforce, fewer successful attacks, and a security team with more time on their hands for better, strategic work. 

The tools that succeed best will be those that can leverage AI to help employees become more security-conscious. While some emails are evidently malicious and should never enter an employee’s inbox, there is a significant grey area of emails that have potentially risky elements. The majority of security tools will either withhold these emails completely – even though they might be business critical – or let them through scot-free. But what if these grey-area emails could in fact be used as training opportunities?    

As opposed to phishing simulation vendors, behavioral AI can improve security awareness holistically throughout organizations by training users with a light touch via their own inboxes – bringing the end user into the loop to harden defenses.  

The new frontier of email security fights AI with AI, and organizations who lag behind might end up learning the hard way. Read on for our blog series about how these technologies can transform the employee experience, dynamize deployment, augment security teams and form part of an integrated defensive loop.    

[1] 13 days is the mean average of phishing payloads active in the wild between the response of Darktrace/Email compared to the earliest of 16 independent feeds submitted by other email security technologies.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Darktrace is Positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment
Dec 9, 2024
2
Cloud Security: Addressing Common CISO Challenges with Advanced Solutions
Nov 28, 2024
3
Preparing for 2025: Darktrace's Top 10 AI and Cybersecurity Predictions
Nov 3, 2024
4
Navigating Buying and Adoption Journeys for AI Cybersecurity Tools
Oct 15, 2024
5
How Darktrace won an email security trial by learning the business, not the breach
Oct 9, 2024

More in this series

Default blog image
Flexible Deployments for Enhanced Email Security
Default blog image
Boosting Security Posture with Email Integration
Default blog image
Employee-Conscious Email Security Solutions in the Workforce

Blog

/

January 10, 2025

/

Inside the SOC

Detecting and mitigating adversary-in-the-middle phishing attacks with Darktrace Services

Default blog imageDefault blog image

What is an Adversary-in-the-Middle Attack?

Threat actors are increasingly utilizing advanced phishing toolkits and techniques to carry out Adversary-in-the-Middle (AitM) attacks. These attacks involve the use of a proxy to a legitimate service, where the attacker’s webpage mimics the expected site. While the victim believes they are visiting the legitimate site, they are actually interacting with the attacker’s device, allowing the malicious actor to monitor all interactions and control the authenticated session, ultimately gaining access to the user’s account [1][2].

This blog will explore how Darktrace detected AitM techniques being leveraged in a Business Email Compromise (BEC) attack that used the widely used and trusted cloud storage service, Dropbox, for delivery. Dropbox’s popularity has made it a prime target for attackers to exploit in recent years. Threat actors can exploit the service for various malicious activities, including distributing malware and exposing sensitive information.

Attack Overview

In these types of AitM BEC attacks, recipients are often targeted with Dropbox-related emails, featuring subject headings like ‘FirstLast shared "Filename" with you,’ which suggest an individual is sharing an invoice-related attachment. These email subjects are common in such attacks, as threat actors attempt to encourage victims to access Dropbox links by masquerading them as legitimate files.

While higher priority users are, of course, targeted, the scope of these attacks remains broad. For instance, if a lower priority user is targeted by a phishing attack or their token is stolen, an attacker can still attempt BEC for further malicious intent and financial gain.

In October 2024, a Darktrace customer received a phishing email from a seemingly legitimate Dropbox address. This email originated from the IP, 54.240.39[.]219 and contained multiple link payloads to Dropbox-related hostnames were observed, inviting the user to access a file. Based on anomaly indicators and detection by Darktrace / EMAIL, Darktrace recognized that one of the payloads was attempting to abuse a legitimate cloud platform to share files or other unwanted material with the recipient.

Figure 1: Overview of the malicious email in the Darktrace / EMAIL console, highlighting Dropbox associated content/link payloads.

Following the recipient’s engagement with this email, Darktrace / IDENTITY identified a series of suspicious activities within the customer’s environment.

AitM attacks allow threat actors to bypass multi-factor authentication (MFA). Initially, when a user is phished, the malicious infrastructure captures both the user’s credentials and the token. This includes replaying a token issued to user that has already completed the MFA requirement, allowing the threat actor to satisfy the validity of the requirement and gain access to sensitive organizational resources. Darktrace is able to analyze user activity and authentication patterns to determine whether MFA requirements were met. This capability helps verify and indicate token theft via AitM.

Darktrace observed the associated user account making requests over Microsoft 365 from the IP 41.90.175[.]46. Given the unusual nature and rare geolocation based in Kenya, Africa, this activity did not appear indicative of legitimate business operations.

Figure 2: Geographical location of the SaaS user in relation to the source IP 41.90.175[.]46.

Further analysis using open-source intelligence (OSINT) revealed that the endpoint was likely associated with a call-back proxy network [3]. This suggested the presence of a network device capable of re-routing traffic and harvesting information.

Darktrace also detected that the same SaaS user was logging in from two different locations around the same time. One login was from a common, expected location, while the other was from an unusual location. Additionally, the user was observed registering security information using the Microsoft Authenticator app, indicating an attempt by an attacker to maintain access to the account by establishing a new method of MFA. This new MFA method could be used to bypass future MFA requirements, allowing the attacker to access sensitive material or carry out further malicious activities.

Figure 3: External sites summary for the SaaS account in relation to the source IP 13.74.161[.]104, observed with Registering Security Information.

Ultimately, this anomalous behavior was escalated to the Darktrace Security Operations Centre (SOC) via the Managed Detection & Response service for prompt triage and investigation by Darktrace’s SOC Analysts who notified the customer of strong evidence of compromise.

Fortunately, since this customer had Darktrace enabled in Autonomous Response mode, the compromised SaaS account had already been disabled, containing the attack. Darktrace’s SOC elected to extend this action to ensure the malicious activity remained halted until the customer could take further remedial action.

Figure 4: Attack timeline of observed activity, in chronological order; This highlighted anomalous SaaS events such as, MailItemsAccessed’, ‘Use of Unusual Credentials’, ‘User Registered Security Info’ events, and a ‘Disable User’ Autonomous Response action.

Conclusion

AitM attacks can play a crucial role in BEC campaigns. These attacks are often part of multi-staged operations, where an initial AitM attack is leveraged to launch a BEC by delivering a malicious URL through a trusted vendor or service. Attackers often attempt to lay low on their target network, sometimes persisting for extended periods, as they monitor user accounts or network segments to intercept sensitive communications.

In this instance, Darktrace successfully identified and acted against AitM techniques being leveraged in a BEC attack that used Dropbox for delivery. While Dropbox is widely used for legitimate purposes, its popularity has also made it a target for exploitation by threat actors, who have used it for a variety of malicious purposes, including delivering malware and revealing sensitive information.

Darktrace’s Security Operations Support service, combined with its Autonomous Response technology, provided timely and effective mitigation. Dedicated Security Operations Support analysts triaged the incident and implemented preventative measures, ensuring the customer was promptly notified. Meanwhile, Darktrace swiftly disabled the compromised SaaS account, allowing the customer to take further necessary actions, such as resetting the user’s password.

This case highlights the capabilities of Darktrace’s solutions, enabling the customer to resume normal business operations despite the malicious activity.

Credit to Justin Torres (Senior Cyber Analyst), Stefan Rowe (Technical Director, SOC) and Ryan Traill (Analyst Content Lead)

Appendices

References

1.    https://www.proofpoint.com/us/threat-reference/man-in-the-middle-attack-mitm

2.    https://thehackernews.com/2024/08/how-to-stop-aitm-phishing-attack.html

3.    https://spur.us/context/41.90.175.46

Darktrace Model Detections

Darktrace / NETWORK Model Alert(s):

SaaS / Compromise::SaaS Anomaly Following Anomalous Login

SaaS / Unusual Activity::Multiple Unusual SaaS Activities

SaaS / Compromise::Unusual Login and Account Update

SaaS / Compromise::Login From Rare Endpoint While User Is Active

SaaS / Access::Unusual External Source for SaaS Credential Use

SaaS / Email Nexus::Unusual Login Location Following Link to File Storage

SaaS / Access::MailItemsAccessed from Rare Endpoint

Darktrace/Autonomous Response Model Alert(s):

Antigena / SaaS::Antigena Suspicious SaaS Activity Block

List of Indicators of Compromise (IoCs)

(IoC - Type - Description)

41.90.175[.]46 – Source IP Observed with Suspicious Login Behavior

MITRE ATT&CK Mapping

(Technique Name - Tactic - ID - Sub-Technique of)

Cloud Accounts - DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - T1078.004 - T1078

Email Accounts - RESOURCE DEVELOPMENT - T1586.002 - T1586

Cloud Service Dashboard - DISCOVERY - T1538

Compromise Accounts - RESOURCE DEVELOPMENT - T1586

Steal Web Session Cookie - CREDENTIAL ACCESS - T1539

Continue reading
About the author
Justin Torres
Cyber Analyst

Blog

/

January 2, 2025

/

Inside the SOC

A Snake in the Net: Defending Against AiTM Phishing Threats and Mamba 2FA

Default blog imageDefault blog image

What are Adversary-in-the-Middle (AiTM) phishing kits?

Phishing-as-a-Service (PhaaS) platforms have significantly lowered the barriers to entry for cybercriminals, enabling a new wave of sophisticated phishing attacks. Among the most concerning developments in this landscape is the emergence of Adversary-in-the-Middle (AiTM) phishing kits, which enhance traditional phishing tactics by allowing attackers to intercept and manipulate communications in real-time. The PhaaS marketplace offers a wide variety of innovative capabilities, with basic services starting around USD 120 and more advanced services costing around USD 250 monthly [1].

These AiTM kits are designed to create convincing decoy pages that mimic legitimate login interfaces, often pre-filling user information to increase credibility. By acting as a man-in-the-middle, attackers can harvest sensitive data such as usernames, passwords, and even multi-factor authentication (MFA) tokens without raising immediate suspicion. This capability not only makes AiTM attacks more effective but also poses a significant challenge for cybersecurity defenses [2].

Mamba 2FA is one such example of a PhaaS strain with AiTM capabilities that has emerged as a significant threat to users of Microsoft 365 and other enterprise systems. Discovered in May 2024, Mamba 2FA employs advanced AiTM tactics to bypass MFA, making it particularly dangerous for organizations relying on these security measures.

What is Mamba 2FA?

Phishing Mechanism

Mamba 2FA employs highly convincing phishing pages that closely mimic legitimate Microsoft services like OneDrive and SharePoint. These phishing URLs are crafted with a specific structure, incorporating Base64-encoded parameters. This technique allows attackers to tailor the phishing experience to the targeted organization, making the deception more effective. If an invalid parameter is detected, users are redirected to a benign error page, which helps evade automated detection systems [5].

Figure 1: Phishing page mimicking the Microsoft OneDrive service.

Real-Time Communication

A standout feature of Mamba 2FA is its use of the Socket.IO JavaScript library. This library facilitates real-time communication between the phishing page and the attackers' backend servers. As users input sensitive information, such as usernames, passwords, and MFA tokens on the phishing site, this data is immediately relayed to the attackers, enabling swift unauthorized access [5].

Multi-Factor Authentication Bypass

Mamba 2FA specifically targets MFA methods that are not resistant to phishing, such as one-time passwords (OTPs) and push notifications. When a user enters their MFA token, it is captured in real-time by the attackers, who can then use it to access the victim's account immediately. This capability significantly undermines traditional security measures that rely on MFA for account protection.

Infrastructure and Distribution

The platform's infrastructure consists of two main components: link domains and relay servers. Link domains handle initial phishing attempts, while relay servers are responsible for stealing credentials and completing login processes on behalf of the attacker. The relay servers are designed to mask their IP addresses by using proxy services, making it more difficult for security systems to block them [3].

Evasion Techniques

To evade detection by security tools, Mamba 2FA employs several strategies:

  • Sandbox Detection: The platform can detect if it is being analyzed in a sandbox environment and will redirect users to harmless pages like Google’s 404 error page.
  • Dynamic URL Generation: The URLs used in phishing attempts are frequently rotated and often short-lived to avoid being blacklisted by security solutions.
  • HTML Attachments: Phishing emails often include HTML attachments that appear benign but contain hidden JavaScript that redirects users to the phishing page [5].

Darktrace’s Coverage of Mamba 2FA

Starting in July 2024, the Darktrace Threat Research team detected a sudden rise in Microsoft 365 customer accounts logging in from unusual external sources. These accounts were accessed from an anomalous endpoint, 2607:5500:3000:fea[::]2, and exhibited unusual behaviors upon logging into Software-as-a-Service (SaaS) accounts. This activity strongly correlates with a phishing campaign using Mamba 2FA, first documented in late June 2024 and tracked as Mamba 2FA by Sekoia [2][3].

Darktrace / IDENTITY  was able to identify the initial stages of the Mamba 2FA campaign by correlating subtle anomalies, such as unusual SaaS login locations. Using AI based on peer group analysis, it detected unusual behavior associated with these attacks. By leveraging Autonomous Response actions, Darktrace was able to neutralize these threats in every instance of the campaign detected.

On July 23, a SaaS user was observed logging in from a rare ASN and IP address, 2607:5500:3000:fea::2, originating from the US and successfully passed through MFA authentication.

Figure 2: Model Alert Event Log showing Darktrace’s detection of a SaaS user mailbox logging in from an unusual source it correlates with Mamba 2FA relay server.

Almost an hour later, the SaaS user was observed logging in from another suspicious IP address, 45.133.172[.]86, linked to ASN AS174 COGENT-174. This IP, originating from the UK, successfully passed through MFA validation.

Following this unusual access, the SaaS user was notably observed reading emails and files that could contain sensitive payment and contract information. This behavior suggests that the attacker may have been leveraging contextual information about the target to craft further malicious phishing emails or fraudulent invoices. Subsequently, the user was detected creating a new mailbox rule titled 'fdsdf'. This rule was configured to redirect emails from a specific domain to the 'Deleted Items' folder and automatically mark them as read.

Implications of Unusual Email Rules

Such unusual email rule configurations are a common tactic employed by attackers. They often use these rules to automatically forward emails containing sensitive keywords—such as "invoice”, "payment", or "confidential"—to an external address. Additionally, these rules help conceal malicious activities, keeping them hidden from the target and allowing the attacker to operate undetected.

Figure 3: The model alert “SaaS / Compliance / Anomalous New Email Rule,” pertaining to the unusual email rule created by the SaaS user named ‘fdsdf’.

Blocking the action

A few minutes later, the SaaS user from the unusual IP address 45.133.172[.]86 was observed attempting to send an email with the subject “RE: Payments.” Subsequently, Darktrace detected the user engaging in activities that could potentially establish persistence in the compromised account, such as registering a new authenticator app. Recognizing this sequence of anomalous behaviors, Darktrace implemented an Autonomous Response inhibitor, disabling the SaaS user for two hours. This action effectively contained potential malicious activities, such as the distribution of phishing emails and fraudulent invoices, and gave the customer’s security team the necessary time to conduct a thorough investigation and implement appropriate security measures.

Figure 4: Device Event Log displaying Darktrace’s Autonomous Response taking action by blocking the SaaS account.
Figure 5: Darktrace / IDENTITY highlighting the 16 model alerts that triggered during the observed compromise.

In another example from mid-July, similar activities related to the campaign were observed on another customer network. A SaaS user was initially detected logging in from the unusual external endpoint 2607:5500:3000:fea[::]2.

Figure 6: The SaaS / Compromise / SaaS Anomaly Following Anomalous Login model alert was triggered by an unusual login from a suspicious IP address linked to Mamba 2FA.

A few minutes later, in the same manner as demonstrated in the previous case, the actor was observed logging in from another rare endpoint, 102.68.111[.]240. However, this time it was from a source IP located in Lagos, Nigeria, which no other user on the network had been observed connecting from. Once logged in, the SaaS user updated the settings to "User registered Authenticator App with Notification and Code," a possible attempt to maintain persistence in the SaaS account.

Figure 7: Darktrace / IDENTITY highlighted the regular locations for the SaaS user. The rarity scores associated with the Mamba 2FA IP location and another IP located in Nigeria were classified as having very low regularity scores for this user.

Based on unusual patterns of user behavior, a Cyber AI Analyst Incident was also generated, detailing all potential account hijacking activities. Darktrace also applied an Autonomous Response action, disabling the user for over five hours. This swift action was crucial in preventing further unauthorized access, potential data breaches and further implications.

Figure 8: Cyber AI Analyst Incident detailing the unusual activities related to the SaaS account hijacking.

Since the customer had subscribed to Darktrace Security Operations Centre (SOC) services, Darktrace analysts conducted an additional human investigation confirming the account compromise.

How Darktrace Combats Phishing Threats

The initial entry point for Mamba 2FA account compromises primarily involves phishing campaigns using HTML attachments and deceptive links. These phishing attempts are designed to mimic legitimate Microsoft services, such as OneDrive and SharePoint, making them appear authentic to unsuspecting users. Darktrace / EMAIL leverages multiple capabilities to analyze email content for known indicators of phishing. This includes looking for suspicious URLs, unusual attachments (like HTML files with embedded JavaScript), and signs of social engineering tactics commonly used in phishing campaigns like Mamba 2FA. With these capabilities, Darktrace successfully detected Mamba 2FA phishing emails in networks where this tool is integrated into the security layers, consequently preventing further implications and account hijacks of their users.

Mamba 2FA URL Structure and Domain Names

The URL structure used in Mamba 2FA phishing attempts is specifically designed to facilitate the capture of user credentials and MFA tokens while evading detection. These phishing URLs typically follow a pattern that incorporates Base64-encoded parameters, which play a crucial role in the operation of the phishing kit.

The URLs associated with Mamba 2FA phishing pages generally follow this structure [6]:

https://{domain}/{m,n,o}/?{Base64 string}

Below are some potential Mamba 2FA phishing emails, with the Base64 strings already decoded, that were classified as certain threats by Darktrace / EMAIL. This classification was based on identifying multiple suspicious characteristics, such as HTML attachments containing JavaScript code, emails from senders with no previous association with the recipients, analysis of redirect links, among others. These emails were autonomously blocked from being delivered to users' inboxes.

Figure 9: Darktrace / EMAIL highlighted a possible phishing email from Mamba 2FA, which was classified as a 100% anomaly.
Figure 10: Darktrace / EMAIL highlighted a URL that resembles the characteristics associated with Mamba 2FA.

Conclusion

The rise of PhaaS platforms and the advent of AiTM phishing kits represent a concerning evolution in cyber threats, pushing the boundaries of traditional phishing tactics and exposing significant vulnerabilities in current cybersecurity defenses. The ability of these attacks to effortlessly bypass traditional security measures like MFA underscores the need for more sophisticated, adaptive strategies to combat these evolving threats.

By identifying and responding to anomalous activities within Microsoft 365 accounts, Darktrace not only highlights the importance of comprehensive monitoring but also sets a new standard for proactive threat detection. Furthermore, the autonomous threat response capabilities and the exceptional proficiency of Darktrace / EMAIL in intercepting and neutralizing sophisticated phishing attacks illustrate a robust defense mechanism that can effectively safeguard users and maintain the integrity of digital ecosystems.

Credit to Patrick Anjos (Senior Cyber Analyst) and Nahisha Nobregas (Senior Cyber Analyst)

Appendices

Darktrace Model Detections

  • SaaS / Access / M365 High Risk Level Login
  • SaaS / Access / Unusual External Source for SaaS Credential Use
  • SaaS / Compromise / Login From Rare Endpoint While User Is Active
  • SaaS / Compliance / M365 Security Information Modified
  • SaaS / Compromise / Unusual Login and New Email Rule
  • SaaS / Email Nexus / Suspicious Internal Exchange Activity
  • SaaS / Compliance / Anomalous New Email Rule
  • SaaS / Email Nexus / Possible Outbound Email Spam
  • SaaS / Compromise / Unusual Login and Account Update
  • SaaS / Compromise / SaaS Anomaly Following Anomalous Login
  • SaaS / Compliance / M365 Security Information Modified
  • SaaS / Compromise / Login From Rare Endpoint While User Is Active
  • SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent
  • SaaS / Unusual Activity / Multiple Unusual SaaS Activities
  • SaaS / Email Nexus / Unusual Login Location Following Link to File Storage
  • SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential
  • IaaS / Compliance / Uncommon Azure External User Invite
  • SaaS / Compliance / M365 External User Added to Group
  • SaaS / Access / M365 High Risk Level Login
  • SaaS / Compliance / M365 Security Information Modified
  • SaaS/ Unusual Activity / Unusual MFA Auth and SaaS Activity
  • SaaS / Compromise / Unusual Login and Account Update

Cyber AI Analyst Incidents:

  • Possible Hijack of Office365 Account
  • Possible Hijack of AzureActiveDirectory Account
  • Possible Unsecured Office365 Resource

List of Indicators of Compromise (IoCs)

IoC       Type    Description + Confidence

2607:5500:3000:fea[::]2 - IPv6 - Possible Mamba 2FA relay server

2607:5500:3000:1cab:[:]2 - IPv6 - Possible Mamba 2FA relay server

References

1.     https://securityaffairs.com/136953/cyber-crime/caffeine-phishing-platform.html

2.     https://any.run/cybersecurity-blog/analysis-of-the-phishing-campaign/

3.     https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/

4.     https://cyberinsider.com/microsoft-365-accounts-targeted-by-new-mamba-2fa-aitm-phishing-threat/

5.     https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/

MITRE ATT&CK Mapping

Tactic – Technique

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - Cloud Accounts

DISCOVERY - Cloud Service Dashboard

RESOURCE DEVELOPMENT - Compromise Accounts

CREDENTIAL ACCESS - Steal Web Session Cookie

PERSISTENCE - Account Manipulation

PERSISTENCE - Outlook Rules

RESOURCE DEVELOPMENT - Email Accounts

INITIAL ACCESS - Phishing

Continue reading
About the author
Patrick Anjos
Senior Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI