Explained: How this phishing campaign discovered by Microsoft can even hijack MFA-protected accounts

Attackers made it difficult for employees to discover the compromise by creating inbox rules that automatically moved specific emails to an archive folder and marked them as read.
Arghanshu Bose
  • Updated On Jul 14, 2022 at 10:31 AM IST
Microsoft recently discovered a large-scale phishing campaign that has targeted around 10,000 organisations since September. The attackers behind this operation can hijack even accounts that are protected with Multi-Factor Authentication (MFA). The report also notes that the threat actors used this campaign to access employees’ e-mail accounts and, from there, to trick targets into sending money. According to a report by ArsTechnica, the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center detailed the operation in a blog post. Here we discuss what MFA is and how this phishing campaign works.

What is Multi-Factor Authentication
The report describes multi-factor authentication (MFA), also called two-factor authentication (2FA), as the current “gold standard for account security”. Beyond knowing a password, this process requires account users to “prove their identity through something that they own or control”, such as a physical security key, a fingerprint, or a face or retina scan. As MFA has become a common control against such phishing campaigns, attackers have already found a way to bypass it.

How this phishing campaign works
Microsoft has updated its blog post to detail a campaign that places “an attacker-controlled proxy site between the account users and the work server” that employees have to access. As per the blog, whenever users enter their passwords on the proxy site, it forwards them to the real server and then relays the real server's reply back to the user. Once authentication is complete, the original site issues a session cookie so that users do not need to re-authenticate on every new page; the attackers steal this cookie. The report claims that the operation started with a phishing email carrying an HTML attachment that led the way to the proxy server.

The blog states, “From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com). In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.”

After the cookie theft, the attackers logged into the employee email accounts and searched for messages to use in “business email compromise scams,” which trick targets into sending large amounts of money to accounts they believe belong to “co-workers or business partners.” Moreover, these bad actors replied within the same email thread under the hacked employee's forged identity to convince the other party to make a payment.

The blog also notes that the attackers made it difficult for employees to discover the compromise by creating inbox rules that automatically moved specific emails to an archive folder and marked them as read. The bad actor kept logging into the compromised accounts regularly over the following days to search for new emails.

The blog wrote, “On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets' organisation domains.”
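Seen from the defender's side, the hiding behaviour described above leaves a trail in mailbox audit logs. The following is an added example, not code from Microsoft's blog or from this article: a Python check over constructed audit records, shaped after the Microsoft 365 unified audit log's inbox-rule events, that flags rules which move mail to a rarely-viewed folder and mark it as read, and surfaces the sender domains the rule targets. The field names and all sample values are assumptions for illustration.

```python
import json

# Constructed sample records shaped after unified audit log entries for Exchange
# inbox-rule operations (not real log data); rule settings arrive as {"Name","Value"} pairs.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.7", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "partner-a.example"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.7", "Parameters": [
                    {"Name": "Identity", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "partner-a.example;partner-b.example"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.2", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders a user rarely opens, so mail routed there goes unnoticed.
HIDING_FOLDERS = {"archive", "rss subscriptions", "conversation history", "deleted items", "junk email"}

def rule_settings(record):
    """Flatten the Parameters list into a plain dict of setting name -> value."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_hiding_rule(record):
    """True when a rule is created or changed so that matching mail is moved to a
    rarely-viewed folder (or deleted) and marked as read, i.e. hidden from the user."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return False
    s = rule_settings(record)
    hidden = s.get("MoveToFolder", "").lower() in HIDING_FOLDERS or s.get("DeleteMessage") == "True"
    return hidden and s.get("MarkAsRead") == "True"

def detect_hiding_rules(raw_records):
    """Return one finding per suspicious rule event, with the fields needed for triage."""
    findings = []
    for line in raw_records:
        rec = json.loads(line)
        if is_hiding_rule(rec):
            s = rule_settings(rec)
            findings.append({"user": rec["UserId"], "client_ip": rec["ClientIP"],
                             "operation": rec["Operation"],
                             "folder": s.get("MoveToFolder", "<deleted>"),
                             "sender_filters": s.get("FromAddressContainsWords", "").split(";")})
    return findings
```

A `Set-InboxRule` finding whose sender filter list has grown since the matching `New-InboxRule` event is the pattern the blog describes, where the attacker extends an existing rule to cover each new fraud target's domain.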

How do employees become victims of these scams
According to the blog post, employees can easily fall for such scams because the huge volume of email and workload make it difficult for users to judge the authenticity of a message. Most users and organisations use MFA as part of good security hygiene, and one of the “few visually suspicious elements in the scam is the domain name used in the proxy site landing page,” the report claims. However, given the “opaqueness of most organisation-specific login pages,” even a suspicious domain name might not be a giveaway.

Apart from that, Microsoft has mentioned that “deploying MFA isn't one of the most effective measures to prevent account takeovers.” Meanwhile, it is important to note that not all MFA is the same, and the blog suggests that even one-time authentication codes sent by SMS are much better than nothing at all. However, such one-time codes still bear the risk of being “interceptable through more exotic abuses of the SS7 protocol used to send text messages.”

Most effective forms of MFA
The report mentions that MFA systems complying with standards set by the industry-wide FIDO Alliance are the most effective. These forms of MFA use a physical security key, which can be a dongle or even an Android or iOS device. They can also use fingerprint or retina scans that never leave the “end-user device to prevent the biometrics from being stolen.” The report suggests that FIDO-compatible MFA has far less chance of being defeated by such phishing campaigns because it relies on “back-end systems resistant” to these operations, protecting users from them.

  • Published On Jul 14, 2022 at 10:30 AM IST