An ongoing phishing campaign can hack you even when you are protected by MFA


On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts when protected by multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, which have targeted 10,000 organizations since September, used their secret access to victims' email accounts to trick employees into sending money to hackers.


Multi-factor authentication, also known as two-factor authentication, MFA, or 2FA, is the gold standard in account security. It requires the account user to prove their identity with something they own or control (a physical security key, fingerprint, or face or retina scan) in addition to something they know (their password). As the growing use of multi-factor authentication has hampered account takeover campaigns, attackers have found ways to fight back.

The adversary in the middle

Microsoft observed a campaign that inserted an attacker-controlled proxy site between account users and the work server they were trying to connect to. When the user entered a password on the proxy site, the proxy forwarded it to the real server and then relayed the real server's response back to the user. Once authentication completed, the threat actor captured the session cookie that the legitimate site sets so the user does not have to re-authenticate on every page visited. The campaign started with a phishing email carrying an HTML attachment that led to the proxy server.

[Figure: Phishing website intercepts the authentication process.]

"According to our observations, after a compromised account logged into the phishing site for the first time, the attacker used the stolen session cookie to authenticate with Outlook Online (outlook.office.com)," members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post. "In several cases, the cookies had an MFA claim, meaning that even though the organization had an MFA policy, the attacker used the session cookie to gain access to the compromised account name."

In the days following the cookie theft, the threat actors accessed employee email accounts and searched for messages to use in business email compromise scams, which prompt targets to transfer large sums of money to accounts they believe belong to co-workers or business partners. The attackers used these email threads and the assumed identity of the hacked employee to convince the other party to make a payment.

To prevent the hacked employee from discovering the compromise, the threat actors created inbox rules that automatically moved specific emails to an archive folder and marked them as read. Over the next few days, the threat actor logged on periodically to check for new emails.

"On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox," the blog authors wrote. "Each time the attacker found a new target of fraud, he updated the inbox rule he created to include the organizational domains of those new targets."
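The two post-compromise behaviours described above, a stolen session cookie replayed from the attacker's own infrastructure and inbox rules that move mail to an archive folder and mark it read, both leave traces in sign-in and mailbox audit logs. The following is an added detection example written for this page; it is not Microsoft's code and does not use a real log schema. The record layout, field names and sample events are constructed for illustration, and the folder list is an assumption about where hidden mail is typically parked.

```python
"""Detection logic for two behaviours from the campaign described above:
(1) an already-seen session id presented from a new IP (cookie replay), and
(2) inbox rules that hide mail by moving it to an archive-style folder and marking it read.
All records below are constructed; field names are assumptions, not a real product schema."""
from collections import defaultdict

# Constructed sign-in records: session S1 is later seen from a second IP.
SIGNINS = [
    {"user": "alice@example.com", "session": "S1", "ip": "203.0.113.10", "ts": 100, "mfa": True},
    {"user": "alice@example.com", "session": "S1", "ip": "203.0.113.10", "ts": 160, "mfa": True},
    {"user": "alice@example.com", "session": "S1", "ip": "198.51.100.77", "ts": 900, "mfa": True},
    {"user": "bob@example.com", "session": "S2", "ip": "203.0.113.22", "ts": 120, "mfa": True},
    {"user": "bob@example.com", "session": "S2", "ip": "203.0.113.22", "ts": 400, "mfa": True},
]

# Constructed mailbox audit records: one benign rule and two that match the hiding pattern,
# including a later update (Set-InboxRule) that widens the rule to a new counterparty domain.
MAILBOX_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule", "ts": 950,
     "params": {"SubjectContainsWords": ["invoice", "payment"],
                "MoveToFolder": "Archive", "MarkAsRead": True}},
    {"user": "alice@example.com", "op": "Set-InboxRule", "ts": 2000,
     "params": {"FromAddressContainsWords": ["partner.example"],
                "MoveToFolder": "Archive", "MarkAsRead": True}},
    {"user": "bob@example.com", "op": "New-InboxRule", "ts": 300,
     "params": {"SubjectContainsWords": ["newsletter"],
                "MoveToFolder": "Newsletters", "MarkAsRead": False}},
]

# Assumed set of folders where a victim is unlikely to look for hidden mail.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def find_session_reuse(signins):
    """Return (user, session, first_ip, new_ip, ts) for each sign-in that presents a
    previously seen session id from a different IP. Because the replayed cookie already
    carries the MFA claim, a change of origin is the main signal the replay leaves behind."""
    first_ip = {}
    hits = []
    for ev in sorted(signins, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        if key not in first_ip:
            first_ip[key] = ev["ip"]
        elif ev["ip"] != first_ip[key]:
            hits.append((ev["user"], ev["session"], first_ip[key], ev["ip"], ev["ts"]))
    return hits


def find_hiding_rules(events):
    """Return (user, op, folder, ts) for rule creations or updates that move matching mail
    out of the inbox and mark it read, the combination used to keep victims from noticing."""
    hits = []
    for ev in events:
        if ev["op"] not in RULE_OPS:
            continue
        p = ev["params"]
        folder = str(p.get("MoveToFolder", "")).lower()
        if folder in HIDING_FOLDERS and p.get("MarkAsRead"):
            hits.append((ev["user"], ev["op"], p["MoveToFolder"], ev["ts"]))
    return hits


def correlate(signins, events, window=3600):
    """Users for whom a hiding rule was created or changed within `window` seconds after
    a session-reuse hit; the combination is a stronger indicator than either alone."""
    reuse_by_user = defaultdict(list)
    for user, _, _, _, ts in find_session_reuse(signins):
        reuse_by_user[user].append(ts)
    flagged = set()
    for user, _, _, ts in find_hiding_rules(events):
        if any(0 <= ts - r <= window for r in reuse_by_user.get(user, [])):
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_session_reuse(SIGNINS):
        print("session reuse:", hit)
    for hit in find_hiding_rules(MAILBOX_EVENTS):
        print("hiding rule:", hit)
    print("correlated users:", correlate(SIGNINS, MAILBOX_EVENTS))
```

Run on the constructed records, the script flags the single cross-IP reuse of alice's session, both of her archive-and-mark-read rules (the creation and the later update), and correlates them into one alert for her account while leaving bob's newsletter rule alone. In practice the IP comparison would be replaced by whatever origin attributes the identity provider records, and the rule check would be fed from mailbox audit events rather than an inline list.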

