2022-07-12

On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts even when they are protected by multi-factor authentication methods designed to prevent exactly that. Since September, the attackers behind the operation, which has targeted 10,000 organizations, have used their covert access to victims' email accounts to trick employees into sending money to the attackers.

Multi-factor authentication, or MFA (also known as two-factor authentication, or 2FA), is the gold standard for account security. It requires account users to prove their identity with both something they know (a password) and something they own or control (a physical security key, a fingerprint, or a face or retina scan). The growing use of MFA has hampered account-hijacking campaigns, and attackers have found a way to counter it.

Adversary in the middle

Microsoft has observed a campaign that inserts an attacker-controlled proxy site between an account user and the work server the user is trying to log in to. When the user enters a password on the proxy site, the proxy forwards the password to the real server and relays the real server's response back to the user. Once the user is authenticated, the attacker steals the session cookie the legitimate site sends, which is what lets the user visit new pages without reauthenticating each time. The campaign starts with a phishing email carrying an HTML attachment that leads to the proxy server.

A phishing website that intercepts the authentication process.

“Our observation is that after the compromised account first signed in to the phishing site, the attacker used the stolen session cookie to authenticate to Outlook Online (outlook.office.com),” members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post. “Often there was an MFA claim on the cookie, which means that even if the organization had an MFA policy, the attacker could use the session cookie to gain access on behalf of the compromised account.”

In the days following the cookie theft, the attackers accessed the employees' email accounts looking for messages to use in business email compromise (BEC) scams. Using these email threads and the spoofed identity of the compromised employee, the attacker persuaded the other party to make a payment.

To keep the compromised employee from noticing the breach, the attacker created an inbox rule that automatically moved certain emails to an archive folder and marked them as read. Over the following days, the attacker logged in regularly to check for new emails.

“At one point, an attacker attempted multiple scams at the same time from the same compromised mailbox,” the blog author wrote. “Every time an attacker found new fraudulent targets, he updated the inbox rules he created to include the organizational domains of these new targets.”

Overview of the phishing campaign and the subsequent BEC scams. (Image: Microsoft)
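An added example, not code from Microsoft's report or this article: a small detector, run over constructed audit-style events, that flags the two behaviours described above, a session presented from a new IP without a fresh MFA challenge, and inbox rules that archive and mark messages as read. The record shape and field names are assumptions; the operation names are modelled on Microsoft 365 audit operations.

```python
# Constructed sample events (not from Microsoft's report). The shape of each
# record is an assumption loosely modelled on unified-audit-log entries.
EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.5", "mfa": True, "ts": 100},
    # Same session id, new IP, no MFA challenge: the stolen-cookie pattern.
    {"op": "UserLoggedIn", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.9", "mfa": False, "ts": 160},
    {"op": "New-InboxRule", "user": "alice@example.test", "ip": "198.51.100.9",
     "ts": 300, "params": {"MoveToFolder": "Archive", "MarkAsRead": True,
                           "FromAddressContainsWords": "partner.test"}},
    {"op": "UserLoggedIn", "user": "bob@example.test", "session": "S2",
     "ip": "203.0.113.7", "mfa": True, "ts": 120},
    {"op": "New-InboxRule", "user": "bob@example.test", "ip": "203.0.113.7",
     "ts": 400, "params": {"MoveToFolder": "Receipts"}},
]

def find_session_reuse(events):
    """Flag a session id first seen with an MFA sign-in and later presented
    from a different IP without a fresh MFA challenge."""
    first_seen, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] != "UserLoggedIn":
            continue
        key = (e["user"], e["session"])
        if key not in first_seen:
            first_seen[key] = e
        elif e["ip"] != first_seen[key]["ip"] and not e["mfa"]:
            hits.append({"user": e["user"], "session": e["session"],
                         "origin_ip": first_seen[key]["ip"], "reuse_ip": e["ip"]})
    return hits

# Rule parameters that hide mail from the mailbox owner; folder list is an assumption.
HIDING_PARAMS = {
    "MoveToFolder": lambda v: str(v).lower() in {"archive", "rss feeds", "junk email"},
    "MarkAsRead": lambda v: v is True,
    "DeleteMessage": lambda v: v is True,
}

def find_hiding_rules(events):
    """Flag inbox-rule creation or changes whose parameters hide messages."""
    hits = []
    for e in events:
        if e["op"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        flags = [k for k, ok in HIDING_PARAMS.items()
                 if k in e["params"] and ok(e["params"][k])]
        if flags:
            hits.append({"user": e["user"], "ip": e["ip"], "flags": flags,
                         "filter": e["params"].get("FromAddressContainsWords")})
    return hits
```

Correlating the two outputs by user and IP (here both point at 198.51.100.9) is what turns two weak signals into the pattern the report describes.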

Easy to fall for

The blog post shows how easy it is for employees to fall for such a scam. The sheer volume of email and workload often makes it hard to judge whether a message is genuine. The use of MFA already signals that the user or organization is practicing good security hygiene. One of the few visually suspicious elements of the scam is the domain name shown on the proxy site's landing page. Still, given how opaque many organization-specific login pages are, even an odd domain name may not be a dead giveaway.

Sample phishing landing page. (Image: Microsoft)

None of this is to say that deploying MFA isn't one of the most effective ways to prevent account takeover. But not all MFA is equal. One-time verification codes, even when sent by SMS, are far better than nothing, but they can still be phished or, more exotically, intercepted by exploiting the SS7 protocol used to deliver text messages.

The most effective form of MFA available today is one that complies with the industry-wide standards set by the FIDO Alliance. These MFA methods use physical security keys, sold as dongles by companies such as Yubico and Feitian, or Android and iOS devices. Authentication can also be done with a fingerprint or retinal scan, and neither ever leaves the end user's device, so the biometric cannot be stolen. What all FIDO-compatible MFA has in common is a back-end system that is resistant to phishing, including this type of ongoing campaign: the authenticator's response is bound to the legitimate site's origin, so a proxy site on a different domain cannot obtain a valid login.

