Phishing bypassed MFA in attacks against 10,000 orgs

-

Phishing bypassed MFA in attacks against 10,000 orgs


Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting with September 2021, using the gained access to victims' mailboxes in follow-on business email compromise (BEC) attacks.

The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA) by spoofing the Office online authentication page.

In some of the observed attacks, the potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers ensuring the targets were being sent via the HTML redirectors.

After stealing the targets' credentials and their session cookies, the threat actors behind these attacks logged into the victims' email accounts. They subsequently used their access in business email compromise (BRC) campaigns targeting other organizations.

"A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user's sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA)," the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.

"The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets."



The phishing process employed in this large-scale phishing campaign can be automated with the help of several open-source phishing toolkits, including the widely-used Evilginx2Modlishka, and Muraena.  

The phishing sites used in this campaign worked as reverse proxies and were hosted on web servers designed to proxy the targets' authentication requests to the legitimate website they were trying to sign in to via two separate Transport Layer Security (TLS) sessions.

Using this tactic, the attackers' phishing page acted as a man-in-the-middle agent that intercepts the authentication process to extract sensitive information from hijacked HTTP requests, including passwords and, even more importantly, session cookies.

After the attackers got their hands on the targets' session cookie, they injected it into their own web browser, which allowed them to skip the authentication process, even if the victims' had MFA enabled on the compromised accounts.



To defend against such attacks, Microsoft recommends using "phish-resistant" MFA implementations with certificate-based authentication and Fast ID Online (FIDO) v2.0 support.

Other recommended best practices that would boost protection include monitoring for suspicious sign-in attempts and mailbox activities, as well as conditional access policies that would block attackers' attempts to use stolen session cookies from non-compliant devices or untrusted IP addresses.

"While AiTM phishing attempts to circumvent MFA, it's important to underscore that MFA implementation remains an essential pillar in identity security," Redmond added.

"MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place."

 M.B

               

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Top Five Most Exploited Vulnerabilities in January 2024

-
Image
In January 2024, cybersecurity faced a remarkable surge in threats, with a focus on exploiting vulnerabilities in technologies from leading vendors. This spike in cyber attacks highlighted the urgent necessity for robust security posture and swift responses to mitigate these vulnerabilities.  Below is an in-depth analysis of the most critical vulnerabilities targeted during January. CVE-2023-46805 and CVE-2024-21887:   CISA Warns Against Ivanti Zero-Day Vulnerabilities On January 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding two critical zero-day vulnerabilities discovered in Ivanti products:  CVE-2023-46805 and  CVE-2024-21887.  Assigned CVSS scores of 8.2 (High) and 9.1 (Critical), these vulnerabilities underscore a significant risk to cybersecurity, marked by their capability for arbitrary command execution. This prompted an emergency directive for immediate mitigation within federal agencies, highlighting the...
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especiall...
Read more