An ongoing phishing campaign can hack you even when you are protected by MFA


On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts even when those accounts are protected by the multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, which has targeted 10,000 organizations since September, used their covert access to victims' email accounts to trick employees into sending money to the attackers.

Multi-factor authentication, also known as two-factor authentication, MFA, or 2FA, is the gold standard in account security. It requires the account holder to prove their identity with something they have (a physical security key or a registered phone) or something they are (a fingerprint, face, or retina scan) in addition to something they know (their password). As the growing use of MFA has thwarted account-takeover campaigns, attackers have found ways to fight back.

The adversary in the middle

Microsoft observed a campaign that inserted an attacker-controlled proxy site between account users and the work server they were trying to log in to. When a user entered a password on the proxy site, the proxy forwarded it to the real server and relayed the real server's response, including the MFA prompt, back to the user. Once authentication completed, the threat actor stole the session cookie the legitimate site sent. That cookie is what lets the user move between pages without re-authenticating, so whoever holds it is treated as the logged-in user, with MFA already satisfied. The campaign started with a phishing email carrying an HTML attachment that led to the proxy server.

The phishing website intercepts the authentication process.

“According to our observations, after a compromised account logged into the phishing site for the first time, the attacker used the stolen session cookie to authenticate with Outlook online ( .com),” members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post. “In several cases, the cookies had an MFA claim, meaning that even though the organization had an MFA policy, the attacker used the session cookie to gain access to the compromised account name.”

In the days following the cookie theft, the threat actors accessed employee email accounts and searched for messages to use in business email compromise (BEC) scams, in which targets are prompted to wire large sums of money to accounts they believe belong to colleagues or business partners. The attackers used these existing email threads and the identity of the hacked employee to convince the other party to make a payment.

To prevent the hacked employee from discovering the compromise, the threat actors created inbox rules that automatically moved specific emails to an archive folder and marked them as read. Over the next few days, the threat actor logged on periodically to check for new emails.

“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox,” the blog authors wrote. “Each time the attacker found a new fraud target, he updated the inbox rule he created to include the organizational domains of those new targets.”
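The inbox rules described in the two paragraphs above (mail from specific partner domains silently moved to the Archive folder and marked as read, with the rule's domain list extended as new targets were found) leave a trail in the mailbox audit log. The following added example, which is not code from the Microsoft blog post or from Ars, hunts for that pattern over a handful of constructed audit records. The record shape (`Operation`, `UserId`, `ClientIP`, and a `Parameters` list of `Name`/`Value` pairs) is assumed to follow a simplified form of the Microsoft 365 unified audit log; the users, domains and IPs are invented for the example.

```python
# Added example: hunting for attacker-created inbox rules in mailbox audit records.
# Record shape is an assumed simplification of the Microsoft 365 unified audit log;
# all data below is constructed for the example.

# Constructed sample: two rules created by the same client IP for "alice" (the second
# one extends the first), an innocent newsletter rule for "bob", and a deletion rule
# keyed on finance words for "carol".
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2022-07-05T08:12:44", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "FromAddressContainsWords", "Value": "partner.example"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2022-07-05T09:40:01", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2022-07-07T11:03:19", "Operation": "Set-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Archive"},
                    {"Name": "FromAddressContainsWords", "Value": "partner.example;supplier.example"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2022-07-07T12:15:00", "Operation": "New-InboxRule",
     "UserId": "carol@contoso.example", "ClientIP": "192.0.2.9",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

# Folders attackers use to park mail the victim will not look at.
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "swift", "iban"}
RULE_OPS = ("New-InboxRule", "Set-InboxRule")


def params(record):
    """Flatten the record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def split_words(value):
    """Rule conditions are logged as ';'-separated lists; normalise to lowercase."""
    return [w.strip().lower() for w in str(value).split(";") if w.strip()]


def hiding_actions(p):
    """Actions that keep matching mail out of the victim's sight."""
    reasons = []
    if str(p.get("MoveToFolder", "")).strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{p['MoveToFolder']}'")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks mail as read")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes mail")
    return reasons


def targeting_conditions(p):
    """Conditions that single out correspondence with a BEC target."""
    reasons = []
    domains = split_words(p.get("FromAddressContainsWords", ""))
    if domains:
        reasons.append("filters on sender domain(s): " + ", ".join(domains))
    hits = sorted(w for w in split_words(p.get("SubjectContainsWords", "")) if w in FINANCE_WORDS)
    if hits:
        reasons.append("filters on finance keyword(s): " + ", ".join(hits))
    return reasons


def hunt(records):
    """Flag rule creations/updates that both hide mail and target specific senders."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        p = params(r)
        hide, target = hiding_actions(p), targeting_conditions(p)
        if hide and target:
            findings.append({"time": r["CreationTime"], "user": r["UserId"], "ip": r.get("ClientIP"),
                             "rule": p.get("Name") or p.get("Identity"), "reasons": hide + target})
    return findings


def domain_growth(records):
    """Report rules whose sender-domain filter is extended by a later Set-InboxRule."""
    seen, growth = {}, []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        if r.get("Operation") not in RULE_OPS:
            continue
        p = params(r)
        key = (r["UserId"], p.get("Name") or p.get("Identity"))
        domains = set(split_words(p.get("FromAddressContainsWords", "")))
        added = domains - seen.get(key, set())
        if key in seen and added:
            growth.append((key[0], key[1], sorted(added)))
        seen[key] = seen.get(key, set()) | domains
    return growth


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT_LOG):
        print(f["time"], f["user"], f["rule"], "|", "; ".join(f["reasons"]))
    for user, rule, added in domain_growth(SAMPLE_AUDIT_LOG):
        print(f"{user}: rule '{rule}' extended with {added}")
```

Run against real exports, the two functions complement each other: `hunt` catches the initial rule, and `domain_growth` catches the later edits that add each new fraud target's domain, which is exactly the behaviour the quoted blog passage describes. Bob's newsletter rule is not flagged because moving mail to a user-named folder without a sender or finance condition is ordinary housekeeping.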

Overview of the phishing campaign and subsequent BEC scam.


It’s so easy to fall for scams

The blog post shows how easy it can be for employees to fall for such scams. The sheer volume of email and the workload often make it hard to tell whether a message is genuine. That MFA is in use already signals that the user or organization practices good security hygiene. One of the few visually suspicious elements of the scam is the domain name on the proxy site's landing page. Still, given how opaque most organization-specific login pages are, even a sketchy domain name might not be a dead giveaway.

Example of the phishing site's landing page.


Nothing in Microsoft's account should be taken to mean that deploying MFA is not one of the most effective measures for preventing account takeovers. That said, not all MFA is created equal. One-time passcodes, even when sent by text message, are much better than nothing, but they remain phishable: a user will type the code into the proxy site just as readily as the password, and the proxy relays it to the real site before it expires. Codes sent over SMS can also be intercepted through more exotic abuses of the SS7 protocol that carries text messages.

The most effective forms of MFA available are those that comply with the standards set by the industry-wide FIDO Alliance. This type of MFA uses a physical security key, which can be a dongle from companies like Yubico or Feitian or even an Android or iOS device. Authentication can also use a fingerprint or retina scan, neither of which ever leaves the end user's device, so the biometric itself cannot be stolen. What all FIDO-compliant MFA has in common is that it cannot be phished: the authenticator signs a challenge that is bound to the origin the browser actually connected to, so a signature produced while the user is on the proxy's domain is rejected by the real site, and the back-end systems are built to resist exactly this kind of campaign.
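To make the contrast between the two sections concrete (the password-and-cookie relay described under "The adversary in the middle", and the origin binding that makes FIDO resist it), here is an added simulation that is not code from Microsoft's blog post or from any FIDO implementation. It models a relying party, a browser holding an authenticator, and a proxy site. The origins `login.contoso.example` and `login-contoso.example` are invented; the "authenticator" uses an HMAC over the RP ID hash and client-data hash as a stand-in for the ECDSA signature a real FIDO authenticator produces, which is enough to show why the relay fails.

```python
# Added example: why an AiTM proxy captures a password session but not a FIDO one.
# Origins and user are constructed; HMAC stands in for the authenticator's signature.
import hashlib
import hmac
import json
import os
import secrets

LEGIT_ORIGIN = "https://login.contoso.example"   # assumed: the real sign-in page
PROXY_ORIGIN = "https://login-contoso.example"   # assumed: the attacker's relay site
RP_ID = "contoso.example"


def sign(secret, client_data):
    """Authenticator signature over rpIdHash || hash(clientDataJSON) (HMAC stand-in)."""
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    client_data_hash = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(secret, rp_id_hash + client_data_hash, hashlib.sha256).hexdigest()


class RelyingParty:
    """The real service: password login plus a simplified WebAuthn assertion check."""

    def __init__(self):
        self.passwords = {"alice": "correct horse battery staple"}
        self.credentials = {}   # credential id -> (user, authenticator secret)
        self.sessions = {}      # session cookie -> user
        self.challenges = {}    # user -> outstanding challenge

    def issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_password(self, user, password):
        # Nothing here ties the password to the site it was typed into.
        return self.issue_session(user) if self.passwords.get(user) == password else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def register(self, user, cred_id, secret):
        self.credentials[cred_id] = (user, secret)

    def begin_assertion(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_assertion(self, user, cred_id, client_data, signature):
        stored = self.credentials.get(cred_id)
        if stored is None or stored[0] != user:
            return None
        data = json.loads(client_data)
        # The checks that defeat the proxy: the browser-reported origin must be ours
        # and the challenge must be the one we issued; both are under the signature.
        if data.get("origin") != LEGIT_ORIGIN or data.get("challenge") != self.challenges.get(user):
            return None
        if not hmac.compare_digest(signature, sign(stored[1], client_data)):
            return None
        return self.issue_session(user)


class Browser:
    """Holds the authenticator and records the origin it actually visited."""

    def __init__(self, cred_id, secret):
        self.cred_id, self.secret = cred_id, secret

    def assertion(self, origin, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
        return client_data, sign(self.secret, client_data)


class AitmProxy:
    """Attacker site that forwards whatever the victim submits to the real RP."""

    def __init__(self, rp):
        self.rp, self.stolen_cookie = rp, None

    def relay_password(self, user, password):
        self.stolen_cookie = self.rp.login_password(user, password)   # cookie captured here
        return self.stolen_cookie is not None

    def relay_assertion(self, user, browser):
        challenge = self.rp.begin_assertion(user)                       # real challenge forwarded
        client_data, sig = browser.assertion(PROXY_ORIGIN, challenge)   # browser reports proxy origin
        self.stolen_cookie = self.rp.finish_assertion(user, browser.cred_id, client_data, sig)
        return self.stolen_cookie is not None


def demo():
    rp = RelyingParty()
    secret = os.urandom(32)
    rp.register("alice", "cred-1", secret)
    browser, proxy = Browser("cred-1", secret), AitmProxy(rp)
    password_relay = proxy.relay_password("alice", "correct horse battery staple")
    replayed_user = rp.whoami(proxy.stolen_cookie)        # attacker replays the stolen cookie
    fido_relay = proxy.relay_assertion("alice", browser)
    cd, sig = browser.assertion(LEGIT_ORIGIN, rp.begin_assertion("alice"))
    fido_direct = rp.finish_assertion("alice", "cred-1", cd, sig) is not None
    return {"password_relay_succeeds": password_relay, "replayed_cookie_user": replayed_user,
            "fido_relay_succeeds": fido_relay, "fido_direct_succeeds": fido_direct}


if __name__ == "__main__":
    print(demo())
```

The proxy cannot fix the failing assertion by editing `origin` in the client data, because the signature covers the client-data hash and the proxy never holds the authenticator's key. A real browser adds a second barrier not modelled here: it refuses to use a credential scoped to `contoso.example` at all when the page's origin is not that domain or a subdomain of it, so the user on `login-contoso.example` would never be prompted for the key in the first place.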
