Microsoft Says Phishing Campaign Skirted MFA to Access EmailAttackers Targeted More Than 10,000 Organizations Since Last September
Microsoft is warning business email customers about a large-scale phishing campaign that circumvented multifactor authentication to break into inboxes in a bid to commit fraud by obtaining payment data from corporate vendors.
The email exchange giant says multiple iterations of the phishing campaign have targeted more than 10,000 organizations since last September.
The campaign is an example of business email compromise - whereby attackers deceive partners of the targeted organization by sending requests for information or payment from what appears to be a genuine, trusted source. The technique is also called "CxO Fraud" or "vendor compromise."
Cybersecurity experts universally urge organizations to adopt multifactor authentication in a bid to thwart cybercriminals. MFA adds additional layers of logon security by requiring users to supply not just a password but to present additional evidence of legitimacy, such as a one-time code sent to a registered device or a hardware token.
Threat actors have responded to the rise of MFA by looking for ways to get around it. In this case, they did it by setting up a proxy server reached via links sent in a phishing email. The proxy server captured logon credentials and online session cookies by acting as a go-between for Microsoft email users who clicked the links and Microsoft's legitimate online email logon portal. The technique is known as adversary-in-the-middle or man-in-the-middle.
Only users who very closely examined the fake logon portal would know they'd been tricked, Microsoft says. The proxy sever displayed an exact copy of Microsoft's email logon page. "The URL is the only visible difference between the phishing site and the actual one," the company says.
The phishing page didn't stint on providing data-in-motion encryption. It initiated one Transport Layer Security session with phishing victims and another with the legitimate Microsoft logon portal. That handoff of TLS sessions at the proxy server allowed the threat actor to capture passwords and, more importantly, session cookies.
"Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target's MFA is enabled," Microsoft says.
For this specific campaign, Microsoft says the attackers used an open-source toolkit known as an Evilginx2 phishing kit as their adversary-in-the-middle infrastructure.
In the initial intrusion attempt, the attackers sent the phishing email informing the target recipients that they had a voice message.
This email contained an HTML file attachment that, when opened, loaded in the user's browser with a page informing the user that the voice message was being downloaded.
The "download progress bar was hardcoded in the HTML file, so no MP3 file was being fetched. Instead, the page redirected the user to a redirector site," Microsoft says.
The redirector added another layer of subterfuge by automatically filling out the fake sign-in page with the user's email address, a trick it did by seeing if the phishing logon portal request came from the targeted user's email, which was encoded into the URL request for the proxy.
"This technique was also the campaign's attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs," Microsoft says.
Attackers needed a few as five minutes after credential and session theft to launch a payment fraud attempt. One way they obtained payment data was to reply to ongoing email threads related to payment and invoices while deleting their emails from the sent items and deleted items folders.
Phishing attacks are certainly not a new threat while attacks against multifactor authentication have been in circulation for years. The takeaway should not be that multifactor is useless, Microsoft emphasizes.
Multifactor authentication "is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place."
Organizations can protect themselves through anti-phishing solutions that identify and block malicious websites, the company says. Companies might require that email logons can only occur from registered devices or trusted IP addresses. They should also be on the lookout for suspicious logon attempts, such as from an unusual location or if the logon page is accessed using an anonymizer service.