Azerbaijan's cybersecurity authority warns of large-scale Freshdesk phishing operation

Azerbaijan's National Cybersecurity Agency has disclosed the results of a large-scale technical investigation into a phishing campaign conducted through the Freshdesk platform.

According to the agency, cited by Report, the investigation found that attackers distributed phishing emails using the names of organizations operating in the transport, oil and gas, international trade, and business development sectors. Previously compromised official email accounts were also used to create an appearance of legitimacy.

The emails were mainly sent with the subject lines "Shared a File" and "New secure message from." Recipients were redirected to fraudulent document-sharing portals designed to steal their login credentials.

Technical analysis revealed that the attackers employed an Adversary-in-the-Middle (AiTM) technique. Under this scheme, users are redirected to a fake authentication page where usernames, passwords, and multi-factor authentication (MFA/2FA) codes are intercepted in real time.

In addition, browser cookies associated with authentication sessions are captured and transmitted to the attackers. This allows them to bypass two-factor authentication and gain unauthorized access to users' accounts.

The National Cybersecurity Agency urged citizens and organizations not to click on links contained in unexpected emails referring to a "shared document" or a "secure message," and to verify the authenticity of such communications through alternative channels.

The agency also advised users to carefully check that the address login.microsoftonline.com is correct when signing in and never enter passwords or verification codes on suspicious websites.

In cases of suspected malicious activity, citizens and organizations can contact the National Cybersecurity Agency via email or through its 1654 hotline.