Microsoft says phishing attacks on more than 10,000 organisations bypassed MFA.

Microsoft says that since September 2021, a huge number of phishing attacks have been aimed at more than 10,000 organizations, using the victims’ mailboxes to launch more business email compromise (BEC) attacks.

Threat actors used landing pages that looked like the Office online login page to take over the Office 365 authentication process, even on accounts with multifactor authentication (MFA).

In some of the observed attacks, phishing emails carried HTML attachments that sent potential victims on to the landing pages. These HTML attachments acted as gatekeepers, making sure that only the intended targets were passed through the HTML redirectors.

The people behind these attacks logged into the victims’ email accounts after stealing their login information and session cookies. They then used that access to launch business email compromise (BEC) attacks against other companies.

The Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC) said, “A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, took over a user’s sign-in session, and skipped the authentication process, even if the user had enabled multifactor authentication (MFA).”

“The attackers then used the stolen credentials and session cookies to get into the mailboxes of the affected users and run more business email compromise (BEC) campaigns against other targets.”

Several open-source phishing toolkits, such as the widely used Evilginx2, Modlishka, and Muraena, can be used to automate the phishing process used in this large-scale phishing campaign.

In this campaign, the phishing sites worked as reverse proxies: they were hosted on web servers set up to forward the targets’ authentication requests to the real website they were trying to sign in to, using two separate Transport Layer Security (TLS) sessions (one between the victim and the proxy, one between the proxy and the real site).

Using this method, the attackers’ phishing page acted as a man-in-the-middle agent that intercepted the authentication process and pulled sensitive information out of the hijacked HTTP requests, such as passwords and, more importantly, session cookies.

Once the attackers had the session cookie, they injected it into their own web browser. This let them skip the authentication process entirely, even when the victims had MFA turned on for their compromised accounts.

Microsoft recommends “phish-resistant” MFA implementations with certificate-based authentication and Fast ID Online (FIDO) v2.0 support to protect against these kinds of attacks.
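
To show why FIDO2-style authentication resists this kind of proxying, here is an added example that is not from Microsoft’s report or from any of the toolkits named above. It models, with the Python standard library only, the relying party’s verification of a WebAuthn assertion. The RP id, the origins and the authenticator key are constructed placeholders, and the authenticator’s ECDSA signature is stood in for by an HMAC over exactly the bytes a real authenticator signs (authenticatorData followed by the SHA-256 of clientDataJSON), so the structure of the check is faithful even though the primitive is not. The point it demonstrates: the browser writes the origin it actually connected to into clientDataJSON, the authenticator signs over that, and the relying party rejects any assertion whose origin is not its own; a proxy that rewrites the origin breaks the signature instead.

```python
"""Origin binding in WebAuthn: why a proxied sign-in fails RP-side verification.

Added example, not Microsoft's code. ECDSA is replaced by HMAC as a stand-in
signature so the block runs with the standard library alone.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                      # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # the only origin the RP accepts


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def authenticator_data_for(rp_id: str) -> bytes:
    # authenticatorData = SHA-256(rpId) || flags || signCount (extensions omitted)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def client_data_for(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page it loaded, fills in the origin it is really talking to.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        sort_keys=True,
    ).encode()


def authenticator_sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    # Stand-in for the authenticator's signature over authenticatorData || SHA-256(clientDataJSON)
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, auth_data: bytes, client_data: bytes, signature: bytes) -> str:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "rejected: clientDataJSON unparsable"
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return "rejected: challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"rejected: origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not hmac.compare_digest(authenticator_sign(key, auth_data, client_data), signature):
        return "rejected: signature does not cover the presented clientDataJSON"
    return "accepted"


def run_ceremony(key: bytes, browser_origin: str, proxy_rewrites_origin: bool = False) -> str:
    """One sign-in: RP issues a challenge, the browser/authenticator answer it, the RP verifies."""
    challenge = os.urandom(32)                     # issued by the RP (relayed by a proxy in the AiTM case)
    auth_data = authenticator_data_for(RP_ID)
    client_data = client_data_for(challenge, browser_origin)
    signature = authenticator_sign(key, auth_data, client_data)
    if proxy_rewrites_origin:
        # A proxy that patches the origin back to the real one changes the bytes that were signed.
        client_data = client_data_for(challenge, "https://login.example.com")
    return rp_verify(key, challenge, auth_data, client_data, signature)


if __name__ == "__main__":
    key = b"constructed-authenticator-key"
    print("direct  :", run_ceremony(key, "https://login.example.com"))
    print("proxied :", run_ceremony(key, "https://login.example.com.lookalike.test"))
    print("rewritten:", run_ceremony(key, "https://login.example.com.lookalike.test", True))
```

In a real browser the proxied case would not even reach the relying party: the browser refuses to exercise a credential whose RP id does not match the domain in the address bar, which is the same origin binding seen from the client side. Compare this with a TOTP code or a push approval, which carry no notion of where the user typed them and so relay through a proxy unchanged.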

Other best practices that would improve security include monitoring for suspicious sign-in attempts and mailbox activity, and using conditional access policies so that stolen session cookies cannot be used from non-compliant devices or from untrusted IP addresses.
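
The two controls in the paragraph above, put into working form as an added example (not Microsoft’s code and not a Microsoft 365 Defender query): a small policy function that models a conditional access rule honouring an existing session only from a compliant device or a trusted network, and a detector that walks sign-in and mailbox audit events looking for a session whose MFA was satisfied from one IP address and which is then used from another, the pattern a replayed session cookie leaves behind. The event records, the trusted network range (TEST-NET-3) and the list of sensitive mailbox operations are constructed for the example; real Azure AD sign-in logs and Exchange audit records have different field names.

```python
"""Session-cookie replay: a conditional-access style gate plus a log-based detector.

Added example with constructed events; field names are placeholders, not the
Microsoft 365 schema.
"""

TRUSTED_PREFIXES = ("203.0.113.",)  # constructed corporate egress range (TEST-NET-3)

# Mailbox operations that typically follow a takeover used for BEC (inbox rules that hide replies, etc.)
SENSITIVE_MAILBOX_EVENTS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}

# Constructed audit trail: alice signs in with MFA from the office, and eleven minutes later
# the same session id appears from an outside address on an unmanaged device.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00", "user": "alice@example.test", "event": "SignIn",
     "session": "S1", "ip": "203.0.113.10", "device_compliant": True, "mfa": True},
    {"ts": "2022-07-12T09:05:00", "user": "alice@example.test", "event": "MailboxRead",
     "session": "S1", "ip": "203.0.113.10", "device_compliant": True},
    {"ts": "2022-07-12T09:11:00", "user": "alice@example.test", "event": "MailboxRead",
     "session": "S1", "ip": "198.51.100.77", "device_compliant": False},
    {"ts": "2022-07-12T09:13:00", "user": "alice@example.test", "event": "New-InboxRule",
     "session": "S1", "ip": "198.51.100.77", "device_compliant": False},
    {"ts": "2022-07-12T10:00:00", "user": "bob@example.test", "event": "SignIn",
     "session": "S2", "ip": "203.0.113.11", "device_compliant": True, "mfa": True},
    {"ts": "2022-07-12T10:30:00", "user": "bob@example.test", "event": "MailboxRead",
     "session": "S2", "ip": "203.0.113.11", "device_compliant": True},
]


def conditional_access(event: dict) -> str:
    """Policy: an existing session is honoured only from a compliant device or a trusted network."""
    if event.get("device_compliant"):
        return "allow"
    if event["ip"].startswith(TRUSTED_PREFIXES):
        return "allow"
    return (f"block: session {event['session']} presented from untrusted {event['ip']} "
            f"on a non-compliant device")


def detect_session_reuse(events: list) -> list:
    """Flag sessions used from an IP other than the one where MFA was satisfied."""
    anchor = {}    # session id -> (user, ip at the MFA-backed sign-in)
    findings = {}  # session id -> finding
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["event"] == "SignIn" and e.get("mfa"):
            anchor[sid] = (e["user"], e["ip"])
            continue
        if sid not in anchor:
            continue                      # no MFA-backed sign-in seen for this session
        user, mfa_ip = anchor[sid]
        if e["ip"] == mfa_ip:
            continue                      # same address as the original sign-in
        f = findings.setdefault(sid, {
            "user": user, "session": sid, "mfa_ip": mfa_ip,
            "foreign_ip": e["ip"], "first_seen": e["ts"], "sensitive_actions": [],
        })
        if e["event"] in SENSITIVE_MAILBOX_EVENTS:
            f["sensitive_actions"].append(e["event"])
    return list(findings.values())


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ts"], ev["user"], ev["event"], "->", conditional_access(ev))
    for finding in detect_session_reuse(SAMPLE_EVENTS):
        print("ALERT", finding)
```

The detector keys on the session identifier rather than on the user, because a legitimate user on a laptop and an attacker replaying that laptop’s cookie share the same account but not the same sign-in. Mobile users who roam between networks will also trip the IP comparison, which is why the finding carries the follow-on mailbox actions: a new inbox rule minutes after the session moved is a much stronger signal than the move alone.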

“AiTM phishing tries to get around MFA, but it’s important to note that MFA implementation is still a key part of identity security,” Redmond said.

“MFA is still very good at stopping many different kinds of threats, which is why AiTM phishing was created in the first place.”

Further technical details and indicators of compromise for this campaign can be found at the end of Microsoft’s report.

Published by
Editor
Tags: MFA, Microsoft