Slippery phish wriggles around MFA protections, says Microsoft

A large-scale phishing campaign that has targeted more than 10,000 organisations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack sign-in sessions and bypass authentication features, including multifactor authentication (MFA).

That is according to Microsoft’s 365 Defender Research Team, which this week alerted users to the threat and published the findings of its investigation.

The initial lure used by the attackers was an email informing the recipient that they needed to pick up a voicemail message.

The subsequent attack chain exploited a feature held in common by every modern web service – the use of session cookies after authentication that prove to the service that the user is authenticated to its website.

But if the attacker deploys a webserver in between the user and the service website they want to visit, which proxies HTTP packets from the user to the service and vice versa, they essentially trick both the user into authenticating to the service using their credentials, and the service into returning a legitimate session cookie, both of which are then intercepted and stolen.

In this campaign, the proxy website was the organisation’s Azure Active Directory logon page, but the same technique would work elsewhere.

Once the attacker has both the credentials and the session cookies, they can inject it into their browser to skip the authentication process, even if MFA is enabled. Meanwhile, the unwitting victim proceeds about their business unaware that they have just had their pockets picked.

This method is also more convenient for the attackers, because it means they can present the victim with a credible fake site – with only the URL being different – and do not need to expend effort creating a fake phishing site, as would more usually be the case.

The attackers behind the campaign subsequently used the stolen credentials and session cookies to access mailboxes and exploit them to perform business email compromise (BEC) attacks against downstream targets.

Commenting on the success of the campaign, CybSafe CEO and co-founder Oz Alashe said it was clear to see why individuals at so many organisations had been caught out by it.

“The phishing campaign targeting Microsoft shows the methods attackers are using to steal people’s credentials,” he said. “These fake, lookalike login pages that 365 users were being directed to are difficult to detect to the untrained eye, so it is not surprising so many people and organisations have been caught out.

“Once people enter their login credentials, attackers then have the keys to the enterprise digital kingdom, and from there they can access corporate files and take sensitive data.

“The first, and most practical step in defending against these attacks is to support employees to login into 365 using their desktop app only – and make sure there are plenty of nudges to remind them. It’s not enough to say it once – these attacks are designed to trick people into thinking ‘oh this must be a new thing’ or ‘just this once must be needed’.”

Alashe added: “Any links sent in emails should always be treated with caution, and always double-check a URL to make sure it really does have the correct Microsoft 365 address (https://www.office.com/) before clicking on it, or disclosing confidential information.”

Although MFA-bypassing attacks using similar techniques are nothing new, and the attack chain does not exploit a vulnerability inherent to MFA technology, Microsoft said the campaign had concerning implications for users, and organisations could indeed do more to protect themselves.

“To further protect themselves from similar attacks, organisations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others,” the team said in its write-up.

“While AiTM phishing attempts to circumvent MFA, it is important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats. Its effectiveness is why AiTM phishing emerged in the first place.”

Sharon Nachshony, a security researcher at Israel-based identity and access management (IAM) specialist Silverfort, said: “This campaign is interesting because it outlines the creative approaches attackers will take to steal identities and the resultant domino effect once they have breached a network.

“BEC, the endgame in this attack, has been used historically to siphon hundreds of thousands of dollars from single organisations. If, as Microsoft states, there were 10,000 targets – that is a potentially huge return from compromised credentials.”

Nachshony added: “While AiTM is not a new approach, obtaining the session cookie after authentication shows how attackers have had to evolve and take steps to try and sidestep MFA, which they hate. In addition to the steps outlined by Microsoft, an organisation could also defeat this attack by sending the legitimate user a location with the MFA request. This would defeat the problem posed by proxy servers, which would be in a different location, and ensure a more secure authentication process.”