Arctic Wolf has recently observed a campaign targeting the legal industry using a combination of brute-force and spearphishing techniques.
Threat actors initially attempted to brute-force multiple user accounts. After those efforts were unsuccessful, they pivoted to spearphishing by sending spoofed emails that appeared to originate from internal users. These emails used the subject line “Reminder-Your-to-do-list” and contained a malicious .HTM attachment. When opened, the file launches a spoofed Office 365 login page tailored to the recipient in an attempt to harvest credentials.
Example of spoofed Office 365 login page
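The indicators described above (the subject line, an HTML attachment, and a sender that claims to be internal) can be checked at mail triage. The following is an added example, not Arctic Wolf's code; the domain example-law.test, the function names and the reliance on a gateway-stamped Authentication-Results header are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

CAMPAIGN_SUBJECT = "reminder-your-to-do-list"  # subject line given in the advisory
INTERNAL_DOMAINS = {"example-law.test"}        # assumption: your own mail domains

def triage(raw: bytes) -> list:
    """Return the indicators from the advisory that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if CAMPAIGN_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("campaign-subject")
    # The advisory describes an .HTM attachment that renders a login page.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")) or part.get_content_type() == "text/html":
            hits.append("html-attachment")
            break
    # Assumption: the mail gateway stamps Authentication-Results on inbound mail,
    # so an internal From domain without dmarc=pass is treated as likely spoofed.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = " ".join(map(str, msg.get_all("Authentication-Results", []))).lower()
    if domain in INTERNAL_DOMAINS and not re.search(r"\bdmarc=pass\b", auth):
        hits.append("internal-sender-unauthenticated")
    return hits

def sample(sender, subject, auth, attach_name=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example-law.test", subject
    m["Authentication-Results"] = auth
    m.set_content("Please see attached.")
    if attach_name:
        m.add_attachment("<html><body>constructed placeholder</body></html>",
                         subtype="html", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    spoofed = sample("partner@example-law.test", "Reminder-Your-to-do-list",
                     "mx.example-law.test; spf=fail; dmarc=fail", "todo.htm")
    print(triage(spoofed))
```

Mail that never crosses the gateway may carry no Authentication-Results header, so the third indicator is best applied to inbound external mail only.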
Recommendations
Avoid Engaging with Unsolicited Emails and Attachments
Users should exercise caution when handling unexpected emails, especially those with unusual subject lines or attachments, and avoid clicking links or opening files unless the sender’s identity can be confidently verified.
Enable Multi-Factor Authentication (MFA)
Organisations should ensure MFA is enabled across all user accounts to reduce the risk of unauthorised access from credential-based attacks. In the event a user falls for a phishing attempt and enters their credentials into a spoofed login page, MFA can provide an additional layer of security that may prevent threat actors from successfully accessing internal systems.
Implement Token Protection for Authentication Sessions
To further reduce the risk of unauthorised access following credential compromise, organisations should implement Microsoft Entra Conditional Access token protection. This feature binds authentication tokens to a specific device or session, helping prevent threat actors from replaying stolen tokens on unauthorised systems—even if valid credentials are obtained.