Microsoft says mass phishing bypassed MFA at 10,000 orgs

In a recent blog post, Microsoft’s 365 Defender Intelligence Team announced that they had discovered a “massive campaign” of phishing attacks that have targeted over 10,000 organizations since September 2021. The attacks appear to be part of a coordinated effort, with attackers using phishing emails to gain initial access to victims’ mailboxes. From there, the attackers use the compromised accounts to launch follow-on business email compromise (BEC) attacks. In many cases, the attackers are able to spoof the email address of a senior executive or other company official in order to trick recipients into sending them sensitive information or transferring funds. Microsoft notes that the attacks have been targeting organizations across a wide range of industries, and that the attackers appear to be constantly adapting their tactics in order to evade detection. As such, Microsoft is urging all organizations to be on high alert for these types of attacks and take steps to protect themselves.

In recent months, there has been a surge in attacks targeting Office 365 users. The threat actors use carefully designed landing pages to hijack the Office 365 authentication process, even on accounts that are protected by multifactor authentication (MFA). By spoofing the Office online authentication page, the attackers are able to bypass MFA and gain access to victims’ email accounts. This type of attack is extremely difficult to detect, as the attackers use legitimate Office 365 login credentials. As a result, it is essential for organizations to be aware of this threat and take steps to protect their users. There are a number of measures that can be taken, such as deploying advanced security solutions and implementing strict access controls. By taking these precautions, organizations can help to mitigate the risk of this type of attack.

In the observed attacks, potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers. These HTML redirectors ensured that only the intended targets reached the phishing landing pages, which then captured the targets’ credentials and session cookies. The attackers used this access to log into the victims’ email accounts and subsequently launch business email compromise (BEC) campaigns targeting other organizations. These attacks are becoming increasingly common, and businesses need to be aware of the risks in order to protect themselves. By understanding how these attacks work, businesses can take steps to prevent them from happening.

“A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA),” the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.

“The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.”

Phishing campaign overview (Microsoft)

The phishing process employed in this large-scale campaign can be automated with the help of several open-source phishing toolkits, including the widely used Evilginx2, Modlishka, and Muraena.

The phishing sites used in this campaign worked as reverse proxies: they were hosted on web servers that relayed the targets’ authentication requests to the legitimate website they were trying to sign in to, using two separate Transport Layer Security (TLS) sessions (one between the victim and the proxy, one between the proxy and the real site). This allowed the attackers to intercept and collect the victims’ credentials without their knowledge. The campaign was successful because most users are not aware of how TLS works and cannot tell when their traffic is being relayed through a proxy. This makes it relatively easy for attackers to create convincing phishing sites that can steal sensitive information. While this particular campaign has been shut down, it highlights the need for organizations to educate their users about how to spot phishing attacks and protect themselves from becoming victims.

In a recent phishing attack, attackers used a novel tactic to intercept and steal sensitive information. By setting up a phishing page that acted as a man-in-the-middle agent, they were able to hijack HTTP requests and extract passwords and session cookies. This allowed them to gain access to the victim’s account and carry out malicious activities. This highlights the importance of using strong authentication methods and staying alert for any suspicious activity. By being aware of the latest phishing tactics, we can all help to protect ourselves and our businesses from these types of attacks.

Phishing site intercepting authentication (Microsoft)

Microsoft has released new guidance for users and organizations in the wake of recent attacks that have leveraged stolen session cookies to gain access to email accounts. The company recommends using “phish-resistant” MFA implementations with certificate-based authentication and Fast ID Online (FIDO) v2.0 support in order to defend against such attacks.
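The article says FIDO2 is “phish-resistant” but not why. The following added example (not code from Microsoft or from the report) models the difference: a FIDO2/WebAuthn assertion is signed over the origin the browser is actually connected to, so an assertion relayed through a proxy on another domain fails the relying party’s origin check, whereas a one-time code carries no origin and relays unchanged. The origins, the HMAC stand-in for the credential’s signing key, and the OTP seed are assumptions constructed for this example.

```python
import hashlib, hmac, json, secrets

# Constructed origins (assumptions for this example): the real sign-in page and a
# lookalike domain where an AiTM reverse proxy would sit.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.test"

# Assumption: the credential's signing key is simulated with an HMAC secret known
# to both sides; a real FIDO2 authenticator uses an asymmetric key, but the
# origin binding demonstrated here works the same way.
CREDENTIAL_SECRET = secrets.token_bytes(32)
OTP_SEED = secrets.token_bytes(20)

def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    # The browser writes the origin it is actually connected to into
    # clientDataJSON; page content served by that origin cannot override it.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data,
            "signature": hmac.new(CREDENTIAL_SECRET, digest, hashlib.sha256).digest()}

def rp_verify(assertion: dict, challenge: bytes) -> bool:
    # Relying-party check: signature, challenge freshness, and expected origin.
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["clientDataJSON"])
    return data["challenge"] == challenge.hex() and data["origin"] == RP_ORIGIN

def fido_sign_in(browser_origin: str) -> bool:
    """browser_origin is what the victim's browser is really talking to: the
    real site, or a proxy that can only forward the assertion unchanged."""
    challenge = secrets.token_bytes(16)  # issued by the relying party
    return rp_verify(authenticator_sign(challenge, browser_origin), challenge)

def otp_code() -> str:
    # Minimal HOTP-style code (counter 0); it carries nothing about the origin.
    return hmac.new(OTP_SEED, (0).to_bytes(8, "big"), hashlib.sha1).hexdigest()[:6]

def relayed_otp_sign_in() -> bool:
    # The proxy forwards the typed code verbatim; the relying party cannot tell.
    code_typed_into_proxy = otp_code()
    return code_typed_into_proxy == otp_code()

if __name__ == "__main__":
    print("FIDO2 direct:", fido_sign_in(RP_ORIGIN))        # True
    print("FIDO2 via proxy:", fido_sign_in(PROXY_ORIGIN))  # False
    print("OTP via proxy:", relayed_otp_sign_in())         # True
```

In practice a browser will not even offer a credential for a non-matching RP ID; the relying-party check shown is the second line of defense if an assertion arrives anyway.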

Other recommended best practices include monitoring for suspicious sign-in attempts and mailbox activities, as well as conditional access policies that would block attackers’ attempts to use stolen session cookies from non-compliant devices or untrusted IP addresses. By following these recommendations, users and organizations can help to protect themselves from email account hijacking and other attacks.
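One concrete form of the monitoring recommended above is correlating mailbox activity with the sign-in that minted its session: a stolen session cookie shows up as the same session id used from a different IP address or a non-compliant device than the one that completed MFA. The example below is added here and is not Microsoft’s detection logic; the log format and the sample events are constructed for this example, and the session-reuse heuristic is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not from the report). Assumed format:
# timestamp|kind|user|session|ip|device_compliant
SAMPLE_LOG = """\
2022-07-12T09:01:00Z|signin|alice@example.com|sess-a1|203.0.113.10|true
2022-07-12T09:02:30Z|mailbox|alice@example.com|sess-a1|203.0.113.10|true
2022-07-12T09:06:00Z|mailbox|alice@example.com|sess-a1|198.51.100.7|false
2022-07-12T10:15:00Z|signin|bob@example.com|sess-b7|203.0.113.22|true
2022-07-12T10:20:00Z|mailbox|bob@example.com|sess-b7|203.0.113.22|true
"""

@dataclass
class Event:
    ts: datetime
    kind: str       # "signin" (interactive, MFA satisfied) or "mailbox"
    user: str
    session: str
    ip: str
    compliant: bool

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, kind, user, session, ip, compliant = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            kind, user, session, ip, compliant == "true"))
    return events

def find_replayed_sessions(events, window=timedelta(hours=24)) -> list:
    """Flag mailbox activity that reuses a session id from a different IP, or
    from a non-compliant device, than the interactive sign-in that created it."""
    origin = {}   # session id -> the sign-in event that minted it
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "signin":
            origin[e.session] = e
            continue
        s = origin.get(e.session)
        if s is None:
            alerts.append((e.user, e.session, "mailbox activity with no observed sign-in"))
        elif e.ts - s.ts <= window and (e.ip != s.ip or not e.compliant):
            alerts.append((e.user, e.session,
                           f"session minted at {s.ip} used from {e.ip}, compliant={e.compliant}"))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(parse(SAMPLE_LOG)):
        print(alert)
```

Pairing this with a conditional access policy that rejects sessions from non-compliant devices turns the alert into a block rather than just a signal.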

“While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security,” Redmond added.

“MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.”

Additional technical details and indicators of compromise linked to this campaign are available at the end of Microsoft’s report.