More than 10,000 Companies Attacked in Ongoing MFA-Bypassing Phishing and BEC Campaign

Microsoft has warned of a large-scale phishing campaign targeting Office 365 credentials that circumvents multi-factor authentication (MFA). The campaign is ongoing, and the attackers have targeted more than 10,000 organizations in the last 10 months.

According to Microsoft's report, one of the phishing campaigns used emails carrying HTML file attachments. The email tells the recipient that a Microsoft voicemail message has arrived and that the HTML file must be opened to hear it. The HTML attachment acts as a gatekeeper: it redirects the targeted user to the phishing URL, ensuring that the user reaches that URL only by way of the attachment.

The user is taken to a web page running a known open-source phishing kit, which is used to harvest credentials. The page prompts the user to sign in to their Microsoft account in order to access the voicemail. After signing in, the user is told that an MP3 voicemail will be sent as an email attachment within an hour. The user's email address is pre-filled in the sign-in form, so only the password has to be entered.

This technique is known as an adversary-in-the-middle (AiTM) phishing attack. The phishing site is placed between the targeted user and the legitimate site they intend to log into. Two separate Transport Layer Security (TLS) sessions are used: one between the user and the attacker, and one between the attacker and the legitimate site.

When the user enters their credentials on the attacker-controlled page, the credentials are forwarded to the legitimate site. The legitimate site's responses are returned to the attacker, who relays them to the user. In addition to capturing credentials, the attacker steals the session cookie. Loading that session cookie into a browser bypasses the authentication procedure, and this works even when multi-factor authentication is enabled. The phishing kit automates the whole process.

Once the attacker has access to the user's Office 365 mailbox, they read the messages in the account to identify possible targets for the next stage of the attack. The attacker then creates mailbox rules that mark selected messages as read and move them to the archive folder, so that the user does not notice that their mailbox has been compromised. The attacker then carries out a business email compromise (BEC) scam against those targets.

Existing email threads are hijacked, and the attacker inserts their own details in an attempt to get the target to send a fraudulent wire transfer to an attacker-controlled account. Because the emails are replies to earlier messages, the recipient is likely to believe they are corresponding with the genuine account owner, when in fact they are conversing with the attacker.

Microsoft stated that the first BEC email is sent less than five minutes after the credentials and session cookie are stolen. Because all replies to the request are archived automatically by the mailbox rules, the attacker simply checks the archive for responses every few hours. They also use the mailbox to find further prospective BEC targets. Although the account compromise is automated, the BEC attacks appear to be performed manually. Any emails sent or received are deleted one by one from the archive and Sent Items folders to avoid detection. BEC attacks of this kind can involve fraudulent transactions worth up to millions of dollars.
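The post-compromise sequence described above (a sign-in from an address the account has never used, followed within minutes by an inbox rule that marks mail as read and moves it to the archive) is something a SOC can look for in mailbox audit logs. The following Python is an added detection sketch, not code from the article or from Microsoft. The event records are constructed for the example, and the field names (ts, op, user, ip, params, MarkAsRead, MoveToFolder) are assumptions that only loosely resemble a real audit-log schema; a real deployment would map them to whatever the log source actually emits.

```python
"""Detection sketch: hide-and-archive inbox rules created shortly after a
sign-in from an IP address the account has not used before.

Field names are assumptions for this example, not a vendor schema."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). RFC 5737 test addresses.
EVENTS = [
    {"ts": "2022-07-12T09:00:05Z", "op": "UserLoggedIn", "user": "cfo@example.com",
     "ip": "203.0.113.7", "result": "Success"},
    {"ts": "2022-07-12T09:58:40Z", "op": "UserLoggedIn", "user": "cfo@example.com",
     "ip": "198.51.100.23", "result": "Success"},  # address never seen for this user
    {"ts": "2022-07-12T10:01:12Z", "op": "New-InboxRule", "user": "cfo@example.com",
     "ip": "198.51.100.23",
     "params": {"MarkAsRead": True, "MoveToFolder": "Archive",
                "SubjectContainsWords": "invoice"}},
    # A benign rule from a known address: moves newsletters, leaves them unread.
    {"ts": "2022-07-12T11:30:00Z", "op": "New-InboxRule", "user": "hr@example.com",
     "ip": "203.0.113.7",
     "params": {"MoveToFolder": "Newsletters", "FromAddressContainsWords": "news@"}},
]

# Baseline of addresses each user normally signs in from (constructed).
KNOWN_IPS = {"cfo@example.com": {"203.0.113.7"}, "hr@example.com": {"203.0.113.7"}}

# Folders an attacker typically uses to keep hidden mail out of the Inbox.
HIDING_FOLDERS = {"archive", "rss feeds", "deleted items", "junk email"}
WINDOW = timedelta(minutes=30)  # how soon after a new-IP sign-in a rule is suspicious


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_hiding_rule(params):
    """True when the rule both marks mail read and moves it out of the Inbox,
    the behaviour the report attributes to the attacker."""
    folder = str(params.get("MoveToFolder", "")).lower()
    return bool(params.get("MarkAsRead")) and folder in HIDING_FOLDERS


def find_suspicious_rules(events, known_ips):
    """Return a list of (user, rule_ts, ip, reasons) for inbox rules that are
    either hide-and-archive rules or were created within WINDOW of the first
    successful sign-in from an IP outside the user's baseline."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first_seen = {}  # (user, ip) -> time of first success from a non-baseline IP
    findings = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["op"] == "UserLoggedIn" and e.get("result") == "Success":
            if e["ip"] not in known_ips.get(e["user"], set()):
                first_seen.setdefault((e["user"], e["ip"]), ts)
        elif e["op"] == "New-InboxRule":
            reasons = []
            if is_hiding_rule(e["params"]):
                reasons.append("rule marks mail read and moves it to "
                               + e["params"]["MoveToFolder"])
            new_ip_ts = first_seen.get((e["user"], e["ip"]))
            if new_ip_ts is not None and ts - new_ip_ts <= WINDOW:
                minutes = int((ts - new_ip_ts).total_seconds() // 60)
                reasons.append("created %d min after first sign-in from new IP %s"
                               % (minutes, e["ip"]))
            if reasons:
                findings.append((e["user"], e["ts"], e["ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(EVENTS, KNOWN_IPS):
        print(finding)
```

Run against the constructed events, the script flags only the cfo@example.com rule, with two reasons (hide-and-archive behaviour, and creation two minutes after a sign-in from an unfamiliar address); the HR newsletter rule is left alone. Either signal on its own produces noise in a large tenant, which is why the two are combined here.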

Defending against these attacks requires advanced email security controls that inspect incoming and outgoing email and can also block access to malicious web pages, for example an email security solution combined with a DNS filter. Microsoft also recommends conditional access policies that restrict account access to particular devices or IP addresses, and continuous monitoring of email activity for suspicious or anomalous behaviour, such as sign-in attempts with suspicious characteristics.
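To show why the conditional access recommendation helps against a stolen session, the following Python is an added toy policy evaluator; it is not Microsoft's implementation or the article's, and the policy shape, named locations and field names (groups, allowed_locations, require_compliant_device, device_compliant) are assumptions made for this example. It evaluates an access request's context rather than its credentials, so a session presented with a valid password and MFA claim is still refused when it arrives from outside the permitted IP ranges or from a device the organisation does not manage.

```python
"""Toy conditional-access evaluation. Policy schema and named locations are
assumptions for this example, not a real identity provider's data model."""
import ipaddress

# Constructed named locations using RFC 5737 test ranges.
NAMED_LOCATIONS = {
    "corp-office": [ipaddress.ip_network("203.0.113.0/24")],
    "corp-vpn": [ipaddress.ip_network("192.0.2.0/25")],
}

POLICIES = [
    # Finance staff: only from trusted locations, only on a compliant device.
    {"name": "finance-trusted-only", "groups": {"finance"},
     "allowed_locations": {"corp-office", "corp-vpn"}, "require_compliant_device": True},
    # Everyone: any location, but a compliant (managed) device is required.
    {"name": "all-users-compliant-device", "groups": {"*"},
     "allowed_locations": None, "require_compliant_device": True},
]


def in_location(ip, location_names):
    """True if ip falls inside any range of the given named locations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in location_names for net in NAMED_LOCATIONS[name])


def evaluate(signin, policies=POLICIES):
    """signin: dict with user, groups, ip, device_compliant.
    Every policy that targets the user must be satisfied; returns
    ("allow" | "block", [reasons])."""
    reasons = []
    for p in policies:
        if "*" not in p["groups"] and not (p["groups"] & signin["groups"]):
            continue  # policy does not target this user
        if p["allowed_locations"] is not None and not in_location(signin["ip"], p["allowed_locations"]):
            reasons.append(f"{p['name']}: {signin['ip']} is outside allowed locations")
        if p["require_compliant_device"] and not signin["device_compliant"]:
            reasons.append(f"{p['name']}: device is not compliant/registered")
    return ("block" if reasons else "allow"), reasons


# Legitimate access: the user at the office on a managed laptop (constructed).
LEGIT = {"user": "cfo@example.com", "groups": {"finance"},
         "ip": "203.0.113.45", "device_compliant": True}
# The same account's session replayed from unmanaged infrastructure outside
# the trusted ranges: the credentials are valid, the context is not (constructed).
REPLAYED = {"user": "cfo@example.com", "groups": {"finance"},
            "ip": "198.51.100.23", "device_compliant": False}

if __name__ == "__main__":
    print(evaluate(LEGIT))
    print(evaluate(REPLAYED))
```

The replayed session is blocked for three independent reasons (wrong location under the finance policy, non-compliant device under both policies), so the control holds even if one condition is later relaxed. The trade-off is the one the article implies: location and device restrictions are only as strong as the accuracy of the named locations and the device inventory behind them.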

On the subject of MFA bypass, Microsoft stresses that although AiTM attacks can evade MFA, MFA remains an essential security control that prevents many other threats. Microsoft recommends making MFA phishing-resistant by using solutions that support Fast Identity Online (FIDO) 2.0 and certificate-based authentication.