Microsoft researchers have discovered an emerging cluster of TTPs (tactics, techniques, and procedures), which they have named Storm-1167, being used by an unknown threat actor to target banking and financial services institutions.

This threat actor has been using phishing emails for initial compromise, then using the compromised inboxes to distribute further phishing emails.

The threat actor has been observed taking steps to minimize detection and to establish persistence.