Over 10,000 Organizations Targeted in AiTM Phishing Campaign That Circumvents MFA

essidsolutions

More than 10,000 organizations have been targeted in a vast phishing campaign since September 2021. Microsoft says this attack bypassed multi-factor authentication safeguards using adversary-in-the-middle (AiTM) proxy sites.

Like most other phishing attacks, the intent of those running the campaign is to steal the target system/user credentials or session cookies to gain initial access. Once compromised, these accounts would act as the staging ground for business email compromise (BEC) attacks, which Microsoft observed were aimed at payment fraud.

Sharon Nachshony, a security researcher at Silverfort, told Spiceworks, “This campaign is interesting because it outlines the creative approaches attackers will take to steal identities and the resultant domino effect once they have breached a network. Business Email Compromise, the endgame in this attack, has been used historically to siphon hundreds of thousands of dollars from single organizations.

“If, as Microsoft states, there were 10,000 targets – that is a potentially huge return from compromised credentials,” Nachshony added. Microsoft didn’t say the exact number of targets that leveraged MFA to secure their accounts, but it doesn’t look like that made a difference.

An AiTM attack involves deploying a proxy web server that relays HTTP traffic between the target user and the website the attacker impersonates. Users may not recognize the imitated site because every HTTP request and response is proxied, including any branding the authentic page carries; often the only visible difference is the URL.

Suppose a target user fails to notice this difference and enters the password (primary authentication) and the MFA code. In that case, the attacker gains access to the session cookie, which is issued so that the user doesn’t need to re-authenticate on every new page they visit.

“While AiTM is not a new approach – obtaining the session cookie after authentication shows how attackers have had to evolve and take steps to try and sidestep MFA, which they hate,” continued Nachshony.

AiTM Phishing Bypassing MFA | Source: Microsoft

What’s more, the threat actors can automate the process using open-source phishing kits such as Evilginx2, Modlishka, and Muraena.


One of the methods employed by the threat actors was to send an HTML attachment disguised as a voice message. Opening it would start a bogus download while redirecting the user through multiple sites, eventually landing on the phishing page, where the target is asked to enter credentials while a hardcoded fake download bar is still displayed.

Once in, using the stolen credentials and session cookies, the threat actors needed just five minutes to initiate follow-up BEC attacks. Before doing so, the attackers deleted the original phishing email to remove signs of initial access and then carefully browsed the compromised account for finance-related emails and threads where payment fraud was possible.

The attacker would then set an Inbox rule redirecting certain incoming emails to the Archive folder to avoid raising suspicion, and continue the payment/invoice-related conversation in an attempt to dupe the user or organization corresponding with the original phishing target.

After a successful hunt, the attacker would delete their correspondence from the compromised account’s Sent Items, Deleted Items, and Archive folders. As a precaution, the attacker signed in every few hours to check whether the BEC victim had replied and deleted any such reply.
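The two behaviours described above (a session cookie replayed through the attacker's proxy from a different IP than the one that authenticated, and an Inbox rule that quietly diverts mail to the Archive folder) both leave traces in sign-in and mailbox audit logs. The following is an added detection example, not code from Microsoft or the article; the event field names and the sample events are constructed assumptions, not a real product's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (assumed field names, not a real schema).
# Alice's session S1 authenticates from one IP, then is used from another
# within minutes and creates a rule moving mail to Archive. Bob is benign.
EVENTS = [
    {"ts": "2021-09-14T09:00:00", "op": "UserLoggedIn", "user": "alice@example.invalid",
     "ip": "198.51.100.7", "session": "S1"},
    {"ts": "2021-09-14T09:01:30", "op": "MailItemsAccessed", "user": "alice@example.invalid",
     "ip": "203.0.113.9", "session": "S1"},
    {"ts": "2021-09-14T09:04:10", "op": "New-InboxRule", "user": "alice@example.invalid",
     "ip": "203.0.113.9", "session": "S1",
     "params": {"MoveToFolder": "Archive", "SubjectContainsWords": "invoice"}},
    {"ts": "2021-09-14T10:00:00", "op": "UserLoggedIn", "user": "bob@example.invalid",
     "ip": "198.51.100.8", "session": "S2"},
    {"ts": "2021-09-14T10:02:00", "op": "MailItemsAccessed", "user": "bob@example.invalid",
     "ip": "198.51.100.8", "session": "S2"},
]

REUSE_WINDOW = timedelta(minutes=30)   # how soon after login a new IP is suspicious
HIDING_FOLDERS = {"archive", "deleted items"}


def detect(events):
    """Return alert strings for (a) a session used from an IP other than the
    one that completed authentication shortly after login, and (b) inbox
    rules that divert incoming mail into folders the user rarely checks."""
    alerts = []
    origin = {}          # session id -> (login ip, login time)
    reported = set()     # (session, ip) pairs already alerted on
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["op"] == "UserLoggedIn":
            origin[e["session"]] = (e["ip"], ts)
            continue
        login = origin.get(e["session"])
        if (login and login[0] != e["ip"] and ts - login[1] <= REUSE_WINDOW
                and (e["session"], e["ip"]) not in reported):
            reported.add((e["session"], e["ip"]))
            alerts.append(f"session-reuse {e['user']} {e['session']} {login[0]}->{e['ip']}")
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            folder = e.get("params", {}).get("MoveToFolder", "")
            if folder.lower() in HIDING_FOLDERS:
                alerts.append(f"hiding-rule {e['user']} -> {folder}")
    return alerts
```

Real deployments would key the first check on a session identifier exposed by the identity provider and compare ASN or geolocation rather than raw IPs, which is the same idea as the location check suggested later in the article.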

Microsoft clarified that the initial MFA bypass isn’t a vulnerability. In essence, it is simply a workaround whose success still depends entirely on whether or not the phishing target is literate in the basics of cybersecurity and whether they can identify a phishing page from a legitimate one.

Oz Alashe MBE, the CEO and founder of CybSafe, told Spiceworks, “These fake, lookalike login pages that 365 users were being directed to are difficult to detect to the untrained eye, so it is not surprising so many people and organizations have been caught out. Once people enter their login credentials, attackers then have the keys to the enterprise digital kingdom, and from there, they can access corporate files and take sensitive data.

“The first, and most practical step in defending against these attacks, is to support employees to log into 365 using their desktop app only. And make sure there are plenty of nudges to remind them. It’s not enough to say it once – these attacks are designed to trick people into thinking ‘oh this must be a new thing’ or ‘just this once must be needed’,” Alashe added.

“Any links sent in emails should always be treated with caution, and always double-check a URL to make sure it really does have the correct Microsoft 365 address (https://www.office.com/) before clicking on it, or disclosing confidential information.”

Microsoft laid out the steps users and organizations should undertake to avoid AiTM attacks on its security blog.

Nachshony suggested that a location request to the user, in addition to MFA, should help keep AiTM attacks at bay. She concluded, “In addition to the steps outlined by Microsoft – an organization could also defeat this attack by sending the legitimate user a location with the MFA request. This would defeat the problem posed by proxy servers, which would be in a different location, and ensure a more secure authentication process.”
