Network Infrastructure Abused in Ongoing Phishing Attacks

THE THREAT

In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting providers. Due to ongoing abuse, we are recommending customers take action to restrict access to their network from this infrastructure.

What we’re doing about it

• eSentire MDR for Log identifies suspicious authentication activity associated with this advisory
  • TRU continues to monitor Microsoft Entra ID Sign-in logs for activities from the hosting providers mentioned below in the “Additional Information” section.
• Indicators of compromise are blocked via the eSentire Global Block list
• Related indicators of compromise are automatically added to the eSentire Threat Intelligence Service

What you should do about it

• Audit and/or restrict activity from the network ranges included in the “Observed Network Ranges” below
• Example policy for Microsoft Defender for Cloud Apps:
• Step 1: Create an IP Range within Defender that includes the ranges listed below in “Observed Network Ranges” table
  • This reference document describes the process for creating an IP Range. We recommend using the Risky Category to easily work with custom policy recommendation in Step 2 
    https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags
  • Example:

• Step 2: Create a custom activity policy to identify logons within the IP Range
  • Reference Document: https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies
  • Note: Any fields in the policy not specifically mentioned can be set at your preference
  • Create an Activity Policy
  • Under Act On, select Single Activity
  • Select the Following Filters:
    • Activity Type equals Log on
    • App equals Microsoft Online Services
    • IP Address Category Matches Risky
    • IP Address Tag Matches Tag created in Step 1
  • Governance Actions:
    • We recommend using the Microsoft 365 Options:
      • Suspend User in App
      • Require User to Sign in Again
      • Confirm User Compromised
    • Example:

• Implement Device Compliance policies to limit access to only compliant devices; this tactic disrupts Adversary-in-the-Middle phishing
  • Review best practices provided by Microsoft

Additional information

Email Account Compromise Activity

Recent investigations have identified threat actor-controlled IP addresses tied to two hosting providers:

1. GLOBAL INTERNET SOLUTIONS, LLC (GIS aka GIR)
2. GLOBAL CONNECTIVITY SOLUTIONS LLP (GCS)

In the past 30 days, IP addresses tied to both hosting providers accounted for 64% of User Account Compromise (UAC) detections across our customers that leverage eSentire’s log service for Microsoft Entra ID. TRU assesses with moderate confidence a subset of these connections are associated with Storm-1575, the group behind the DadSec Phishing-as-a-Service (PhaaS) operation. This operation has been rebranded as Phoenix and more recently Rockstar 2FA. This is an Adversary-in-the-Middle (AitM) phishing service that relays or proxies credentials from the user to a target service.

Links to Underground Activity

According to public business registries, GIS/GIR is registered in Russia and GCS in the United Kingdom. Both entities list the same Russian national as a person with significant control.

TRU assesses these entities are tied to personas advertising Virtual Private Server (VPS) services on underground forums and Telegram, most recently under the FourVPS handle and hosted on 4vps[.]su (Figure 2).

The 4vps[.]su website lists Global Internet Solutions in the page footer (Figure 3) along with matching registration details. 

WHOIS record details for 4vps[.]su list support@gir[.]network as the registrant contact (gir[.]network is the website for Global Internet Solutions). Additionally, pivoting on this email address leads to as207713[.]net (the ASN name tied to GIS/GIR). Historical WHOIS records reveal the website was registered by the same individual mentioned above prior to redaction in subsequent record updates.

TRU is also aware of public reporting tying this individual to past business ventures in underground communities. These hosting providers have permitted widespread abuse of their infrastructure in attacks and are actively advertised on underground forums leading us to recommend blocking their infrastructure.

Indicators of Compromise

ASN & IP Details

Observed Network Ranges in Customer Cases

Attributes Found in Microsoft Entra ID Sign-In Logs Tied to UAC Activity

ASN ORG: global connectivity solutions llp OR global internet solutions llc

User Agent: axios/1.7.7 OR axios/1.7.8 OR axios/1.7.9

Application: OfficeHome

Advanced Hunting Query for Microsoft Defender and Sentinel

Note: Requires SigninLogs Table and covers user agents and applications observed.

let aadFunc = (tableName: string) {
    table(tableName)
    | where ResultType == 0 and AppDisplayName == ('OfficeHome')
    | where UserAgent contains 'axios'
    | limit 100
    | extend risks = todynamic(RiskEventTypes_V2)
    | extend risk = iif(isnull(risks) or array_length(risks) == 0, dynamic([null]), risks)
    | mv-expand risk
    | summarize first_time = min(TimeGenerated), last_time = max(TimeGenerated), 
    IPAddresses = make_list(IPAddress), risks = make_set(risk) 
    by UserPrincipalName,AppDisplayName,UserAgent
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union aadSignin, aadNonInt

Example output: