Microsoft says that attacks on 10,000 organisations used phishing to get around MFA.
Microsoft says that since September 2021, a huge number of phishing attacks have been aimed at more than 10,000 organizations, using the victims’ mailboxes to launch more business email compromise (BEC) attacks.
Threat actors used landing pages that looked like the Office online login page to take over the Office 365 authentication process, even on accounts with multifactor authentication (MFA).
In some of the attacks that were observed, the phishing emails carried HTML attachments that sent potential victims on to the landing pages. These HTML attachments acted as gatekeepers, ensuring that targets reached the phishing page only by way of the HTML redirectors.
The people behind these attacks logged into the victims’ email accounts after stealing their login information and session cookies. After that, they used their access to launch business email compromise (BEC) attacks against other companies.
The Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC) said, “A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, took over a user’s sign-in session, and skipped the authentication process, even if the user had enabled multifactor authentication (MFA).”
“The attackers then used the stolen credentials and session cookies to get into the mailboxes of the affected users and run more business email compromise (BEC) campaigns against other targets.”
Several open-source phishing toolkits, such as the widely used Evilginx2, Modlishka, and Muraena, can be used to automate the phishing process used in this large-scale phishing campaign.
In this campaign, the phishing sites worked as reverse proxies: they were hosted on web servers set up to relay the targets’ authentication requests to the real website they were trying to sign in to, using two separate Transport Layer Security (TLS) sessions, one with the victim and one with the legitimate site.
Using this method, the attackers’ phishing page acted as a man-in-the-middle agent that intercepted the authentication process and pulled sensitive information out of the hijacked HTTP requests, such as passwords and, more importantly, session cookies.
Once the attackers had the session cookie, they injected it into their own web browser. This let them skip the authentication process, even if the victims had MFA turned on for their compromised accounts.
Microsoft recommends “phish-resistant” MFA implementations with certificate-based authentication and Fast IDentity Online (FIDO) v2.0 support to protect against these kinds of attacks.
Other best practices that would improve security include monitoring for suspicious sign-in attempts and mailbox activity, as well as using conditional access policies to stop attackers from using stolen session cookies from non-compliant devices or untrusted IP addresses.
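The two paragraphs above describe both halves of the problem: a replayed session cookie is accepted because the service trusts the cookie alone, and the recommended countermeasures are to watch for the replay and to refuse sessions that arrive from non-compliant devices or untrusted networks. The following Python is an added example, not code from Microsoft’s report or from any of the toolkits named above. Its log format, the session identifiers, the user names and the “trusted network” ranges are all constructed for illustration; a real deployment would feed it the provider’s sign-in logs and the organisation’s own device-compliance and network data.

```python
"""Added example (not from Microsoft's report): flag a session cookie that is
replayed from a new address shortly after the MFA sign-in that minted it, and
apply a conditional-access style rule that refuses such sessions. Log format,
IP ranges, user names and session identifiers are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str         # an identifier of the session cookie, never the cookie value itself
    ip: str
    device_compliant: bool  # device passed the organisation's compliance policy
    mfa_satisfied: bool     # True only on the interactive sign-in that completed MFA


# Constructed sign-in records: alice completes MFA from a managed laptop on the corporate
# network, then the same session cookie shows up minutes later from an unmanaged device
# on an unrelated address, which is what a replayed AiTM-stolen cookie looks like in logs.
SAMPLE_LOG = """\
2022-07-12T09:01:10Z alice sess=8f1c ip=203.0.113.10 compliant=yes mfa=yes
2022-07-12T09:03:45Z alice sess=8f1c ip=203.0.113.10 compliant=yes mfa=no
2022-07-12T09:07:02Z alice sess=8f1c ip=198.51.100.77 compliant=no mfa=no
2022-07-12T09:30:00Z bob sess=a77e ip=192.0.2.5 compliant=yes mfa=yes
2022-07-12T10:15:20Z bob sess=a77e ip=192.0.2.5 compliant=yes mfa=no
"""

# Constructed "trusted network" ranges standing in for an organisation's known egress addresses.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/24")]


def parse_log(text: str) -> list[SessionEvent]:
    """Parse the constructed 'key=value' log lines into SessionEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(SessionEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user,
            session_id=fields["sess"],
            ip=fields["ip"],
            device_compliant=fields["compliant"] == "yes",
            mfa_satisfied=fields["mfa"] == "yes",
        ))
    return events


def find_cookie_replay(events, window=timedelta(hours=1)):
    """Flag a session cookie presented from a different IP than the one that completed
    MFA, within `window` of that sign-in. Returns (user, session_id, origin_ip, new_ip)."""
    origin = {}   # (user, session_id) -> the interactive MFA sign-in that minted the session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        if ev.mfa_satisfied:
            origin[key] = ev
            continue
        first = origin.get(key)
        if first is None:
            continue  # session seen before any MFA sign-in: out of scope for this rule
        if ev.ip != first.ip and ev.ts - first.ts <= window:
            alerts.append((ev.user, ev.session_id, first.ip, ev.ip))
    return alerts


def session_allowed(ev: SessionEvent) -> bool:
    """Conditional-access style rule: honour a session only from a compliant device or a
    trusted network, so a valid-but-stolen cookie is refused from anywhere else."""
    addr = ipaddress.ip_address(ev.ip)
    return ev.device_compliant or any(addr in net for net in TRUSTED_NETWORKS)


def refused_sessions(events):
    """Return (user, session_id, ip) for every request the policy would block."""
    return [(ev.user, ev.session_id, ev.ip) for ev in events if not session_allowed(ev)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_cookie_replay(evs):
        print("possible cookie replay:", alert)
    for refused in refused_sessions(evs):
        print("blocked by policy:", refused)
```

The detection rule keys on the cookie being presented from a different address soon after the sign-in that created it, which is the pattern the report describes; on its own it is noisy for users on mobile networks, so in practice it is combined with device and location signals. The policy function is the more robust of the two: it does not try to tell a stolen cookie from a genuine one, it simply refuses to honour any cookie from a device or network the organisation has not vouched for, which is what makes the stolen cookie worthless.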
“AiTM phishing tries to get around MFA, but it’s important to note that MFA implementation is still a key part of identity security,” Redmond said.
“MFA is still very good at stopping many different kinds of threats, which is why AiTM phishing was created in the first place.”
At the end of Microsoft’s report, you can find more technical details and indicators of compromise for this campaign.