Operation Amethyst: Anatomy of an Invisible Phishing Attack

Introduction: The Deceptively Simple Click

The attack begins with a moment of unsettling familiarity. You click a link in an email, and your browser opens to what appears to be the standard Microsoft login page. 

The logo is correct, the layout is pixel-perfect, and the URL (portal.microsoftonline.com.orgid.com) looks plausible at a glance. Muscle memory kicks in, and you are ready to type your credentials.

This is the "Russian Doll" trick. The registrable domain here is orgid.com; everything to its left (portal.microsoftonline.com) is just a subdomain the attacker controls. By burying the malicious domain behind a string of legitimate-looking labels, the attacker exploits the way the eye latches onto the familiar words at the front of a URL. But behind this ordinary interface, a sophisticated Adversary-in-the-Middle (AiTM) attack known as Operation Amethyst (a variant of the Tycoon 2FA campaign) is silently manipulating your session.
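A defender-side check for this pattern, added here as an example that is not part of the original article: it extracts the registrable domain (eTLD+1) from a login URL and flags hosts that embed a trusted brand domain inside their subdomain labels while actually belonging to someone else. The tiny public-suffix table and the trusted-domain list are constructed assumptions for the example; a production check should use the full Public Suffix List.

```python
"""
Flag "Russian Doll" hostnames: a trusted brand domain appears among the
subdomain labels, but the registrable domain (eTLD+1) is something else.

Added example; not code from the article or from any vendor.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Real deployments should use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Brand domains users are expected to sign in to (assumption for the example).
TRUSTED_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'orgid.com' for
    'portal.microsoftonline.com.orgid.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer public suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_login_url(url: str) -> dict:
    """Classify a login URL as trusted, lookalike, or untrusted."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # A brand domain that occurs as a run of labels inside the host but is
    # NOT the registrable domain is the nested-brand lookalike pattern.
    embedded = [
        brand for brand in TRUSTED_LOGIN_DOMAINS
        if brand != reg and ("." + brand + ".") in ("." + host + ".")
    ]
    if reg in TRUSTED_LOGIN_DOMAINS:
        verdict = "trusted"
    elif embedded:
        verdict = "lookalike"
    else:
        verdict = "untrusted"
    return {
        "host": host,
        "registrable_domain": reg,
        "embedded_brands": sorted(embedded),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The hostname from the article beside a genuine Microsoft login host.
    for u in ("https://portal.microsoftonline.com.orgid.com/common/oauth2",
              "https://login.microsoftonline.com/common/oauth2"):
        print(classify_login_url(u))
```

The check is deliberately structural rather than string-based: it never asks "does the URL contain microsoftonline.com" (which the phishing host satisfies) but "is microsoftonline.com the part of the host that the registrar actually sold to someone".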

The goal isn't merely to steal a password; it is to hijack your entire authenticated session. By sitting between you and the real Microsoft service, the attacker clones the "Digital VIP Pass" - the session token - generated after you have successfully completed the login process. This makes even the most robust two-factor authentication (2FA) completely irrelevant.

Your Learning Roadmap

To understand how this "ghost in the machine" operates, we will explore the three distinct stages of the attack:

  • Stage 1: Smart Reconnaissance – How the attacker validates you as a high-value target and weaponizes Microsoft's infrastructure to find your location.

  • Stage 2: The Invisible Hijack – How a malicious "spy" is planted directly inside your web browser using a Service Worker.

  • Stage 3: The Unblockable Escape Route – How stolen data is smuggled out through Microsoft's own trusted Application Insights telemetry.

While you are busy reviewing the pixel-perfect login box, the attack is already performing a series of silent checks to ensure you are the right person to target.



Stage 1: The Intelligent Welcome Mat (Smart Reconnaissance)

Before the attack ever prompts for a password, it executes a two-part reconnaissance phase. This ensures the attacker doesn't waste resources on bots or personal accounts and prepares a path that bypasses modern security alerts.

The First Test: Validating the Target

The moment you enter your email (e.g., ddasgupta@attackdefenselab.xyz), the attack performs a Tenant Lookup. It queries Azure AD to identify your Tenant GUID and specific Azure AD Instance (such as Azure AD Global).

This maneuver separates a precision strike from a spray-and-pray campaign: if the email doesn't belong to a high-value corporate tenant, the attack may simply terminate, weeding out security researchers and bots.

The Geographic Pinpoint: Evading "Impossible Travel"

Once validated, the attack queries Microsoft’s Tenant Partitioning service to find your regional data center (e.g., Oceania). By identifying exactly where you are located, the attacker can route the subsequent attack traffic through servers in your own region.

Additionally, the attack employs a layer of restraint: it checks the browser type and specifically disables itself if it detects Microsoft Edge ("isEdgeAllowed": false). This is a deliberate tactic to avoid the reputation-based blocking of Microsoft Defender SmartScreen.

Why Reconnaissance Matters

Attacker Action        | Security Bypass
-----------------------+------------------------------------------------------------------------------------
Tenant Lookup          | Confirms a legitimate corporate target; avoids detection by security bots.
Geographic Pinpointing | Matches the victim's region (e.g., Oceania) to defeat "Impossible Travel" alerts.
Edge Exclusion         | Aborts the attack if Edge is detected to avoid SmartScreen reputation checks.


Once the attacker has confirmed who you are and where you are, they move to plant an invisible "spy" directly within your browser's architecture.



Stage 2: The Invisible Spy in the Machine (The Hijack)

With the groundwork laid, the phishing page loads a specialized file: service_worker_Mz8XO2ny1Pg5.js. This is the core engine of the hijack.

The "Man-in-the-Browser" Tactic

The attack weaponizes a Service Worker, a legitimate feature of modern browsers designed for background tasks and offline access. You can think of this Service Worker as an invisible traffic cop sitting between your browser and the internet.

Because it operates within the browser's own process, it is remarkably difficult to detect.

Warning for Analysts:

Network logs often label this malicious traffic as "Initiated by Service Worker." This can easily confuse junior analysts who may dismiss the entry as a routine, legitimate background task rather than a Man-in-the-Browser hijack.

Dual-Stream Processing

Once active, the Service Worker creates two parallel paths for every piece of data you enter:

  1. The Legitimate Face: It forwards your real password and 2FA codes to Microsoft's actual servers. The login proceeds normally, ensuring you never suspect an intrusion.
  2. The Malicious Face: In real-time, it secretly clones your password, session cookies, and the all-important authentication tokens.

The stolen data, now cloned and ready, must be smuggled out through a path that your company's firewall is trained to trust implicitly.



Stage 3: The Unblockable Escape Route (Exfiltration)

The final stage of Operation Amethyst is a masterclass in evasion: it uses Telemetry Tunneling via Microsoft’s Application Insights and the OneCollector service (browser.events.data.microsoft.com).

Hiding in Plain Sight

Standard phishing attacks often fail when they attempt to send data to a suspicious, unknown server. Operation Amethyst avoids this by disguising your stolen credentials as diagnostic data.

Because blocking Microsoft's telemetry endpoints would break core Microsoft 365 functionality, corporate firewalls almost always allow-list this traffic.

The attacker even includes specific campaign tags, such as Amethyst=Sachiel1&Chamuel=Azrael2, within the requests. This allows the adversary to sort and organize stolen data from different victims and campaigns automatically.

Mailing the Stolen Goods

To ensure the data reaches them, the attacker uses an Instrumentation Key (iKey), such as: o:69adc3c768bd4dc08c19416121249fcc

  • The Analogy: Think of the iKey as a mailbox address. The attacker packages your stolen session token into a standard diagnostic packet and applies their iKey.
  • Microsoft’s own telemetry infrastructure then mails that packet directly to the attacker’s private Azure workspace.
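A triage routine for the exfiltration pattern described in Stages 2 and 3, added here as an example that is not part of the original article. It reads constructed network records (the JSON layout, the organisation's iKey inventory and the expected OneCollector query keys are all assumptions made for this example) and flags telemetry POSTs to browser.events.data.microsoft.com that were initiated by a Service Worker registered under a non-Microsoft origin, that carry an Instrumentation Key the organisation does not own, or that carry campaign-style key=value tags in the URL.

```python
"""
Triage browser/proxy network records for telemetry tunnelling: OneCollector
POSTs that are "Initiated by Service Worker" from a non-Microsoft scope,
carry a foreign Instrumentation Key, or carry campaign tags in the URL.

Added example; not the campaign's code and not a Microsoft API.
"""
import json
from urllib.parse import parse_qsl, urlsplit

TELEMETRY_HOSTS = {"browser.events.data.microsoft.com"}  # endpoint named in the article
MICROSOFT_OWNED = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
# Assumption: the organisation keeps an inventory of the iKeys its own apps use.
ORG_IKEYS = {"o:1111aaaa1111aaaa1111aaaa1111aaaa"}  # constructed value
# Assumption: query keys a legitimate OneCollector client is expected to send.
EXPECTED_QUERY_KEYS = {"cors", "content-type", "client-id", "client-version"}


def owned_by_microsoft(url: str) -> bool:
    """True if the URL's host is a Microsoft-owned registrable domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_OWNED)


def triage(record: dict) -> list:
    """Return the reasons one record is suspicious; an empty list means benign."""
    parts = urlsplit(record["url"])
    if (parts.hostname or "").lower() not in TELEMETRY_HOSTS:
        return []  # not telemetry traffic; out of scope for this rule
    reasons = []
    scope = record.get("sw_scope", "")
    if record.get("initiator") == "service-worker" and not owned_by_microsoft(scope):
        reasons.append("service worker scope %s is not a Microsoft origin" % scope)
    ikey = record.get("ikey")
    if ikey and ikey not in ORG_IKEYS:
        reasons.append("instrumentation key %s is not in the organisation's inventory" % ikey)
    tags = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
            if k not in EXPECTED_QUERY_KEYS]
    if tags:
        reasons.append("unexpected query tags: %s" % ", ".join(tags))
    return reasons


def scan(lines: list) -> list:
    """Parse JSON log lines and return one alert per suspicious record."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reasons = triage(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "url": rec["url"], "reasons": reasons})
    return alerts


# Constructed sample records (iKey and campaign tags in the second line are
# the values quoted in the article; everything else is made up).
SAMPLE_LOG = [
    '{"ts": "10:00:01", "initiator": "script", "page": "https://www.office.com/",'
    ' "method": "POST", "url": "https://browser.events.data.microsoft.com/OneCollector/1.0/'
    '?cors=true&content-type=application/x-json-stream",'
    ' "ikey": "o:1111aaaa1111aaaa1111aaaa1111aaaa"}',
    '{"ts": "10:00:02", "initiator": "service-worker",'
    ' "sw_scope": "https://portal.microsoftonline.com.orgid.com/",'
    ' "method": "POST", "url": "https://browser.events.data.microsoft.com/OneCollector/1.0/'
    '?cors=true&Amethyst=Sachiel1&Chamuel=Azrael2",'
    ' "ikey": "o:69adc3c768bd4dc08c19416121249fcc"}',
    '{"ts": "10:00:03", "initiator": "service-worker", "sw_scope": "https://www.office.com/",'
    ' "method": "POST", "url": "https://www.office.com/api/sync"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["url"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The rule does not try to block the telemetry endpoint, which the article notes would break Microsoft 365; it asks who registered the Service Worker, whose iKey is on the packet, and whether the URL carries tags a real client would not send. Those three fields survive in most proxy and browser-telemetry logs even when the request body is opaque.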

The 2FA Bypass Insight

Traditional 2FA fails here because this is a Post-Authentication theft. The attacker isn't trying to guess your code; they are waiting for you to provide it to Microsoft. Once Microsoft validates you and generates a session token - the digital wristband given to you after you clear security - the attacker clones it.

This token is a "Digital VIP Pass" that the attacker can replay from their own machine, bypassing the 2FA requirement entirely.



Conclusion: The Attacker’s Playbook & Key Takeaways

Operation Amethyst: Strategic Tactics

Phase          | Technique                | Learner's Key Insight
---------------+--------------------------+-----------------------------------------------------------------------------------------
Reconnaissance | Tenant Partitioning      | Attacks use location-matching and Edge-avoidance to blend into local traffic.
Hijacking      | Malicious Service Worker | The "spy" lives inside the browser, making malicious requests look like routine tasks.
Exfiltration   | Telemetry Tunneling      | Data is hidden in plain sight within legitimate Microsoft Application Insights traffic.


Final Synthesis: The Core Concepts

1. Living off the Land

The brilliance of Operation Amethyst lies in its restraint. It uses almost no traditional malware. Instead, it exclusively uses trusted, legitimate Microsoft infrastructure - from identity services to telemetry channels - to blend in perfectly with the daily noise of a corporate network.

2. Weaponizing the Audit Trail

The telemetry system is a defensive tool meant to provide visibility and diagnostic health. This attack masterfully inverts that purpose, turning a tool meant for defenders into a private, encrypted, and unblockable smuggling channel for stolen credentials.

By understanding these "invisible" patterns, you can look past the pixel-perfect login page and recognize the complex machinery of modern cyber warfare. Understanding these tactics is the first step toward becoming a more effective security advocate.