On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts when they’re protected with multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, who have targeted 10,000 organizations since September, have used their covert access to victim email accounts to trick employees into sending the hackers money.
Multi-factor authentication — also known as two-factor authentication, MFA, or 2FA — is the gold standard for account security. It requires the account user to prove their identity in the form of something they own or control (a physical security key, a fingerprint, or face or retina scan) in addition to something they know (their password). As the growing use of MFA has stymied account-takeover campaigns, attackers have found ways to strike back.
The adversary in the middle
Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server’s response back to the user. Once the authentication was completed, the threat actor stole the session cookie sent to the legitimate site, so the user doesn’t need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server.
“From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com),” members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post. “In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.”
In the days following the cookie theft, the threat actors accessed employee email accounts and looked for messages to use in business email compromise scams, which tricked targets into wiring large sums of money to accounts they believed belonged to co-workers or business partners. The attackers used those email threads and the hacked employee’s forged identity to convince the other party to make a payment.
To keep the hacked employee from discovering the compromise, the threat actors created inbox rules that automatically moved specific emails to an archive folder and marked them as read. Over the next few days, the threat actor logged in periodically to check for new emails.
“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox,” the blog authors wrote. “Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains.”
It’s so easy to fall for scams
The blog post shows how easy it can be for employees to fall for such scams. The sheer volume of emails and workload often makes it hard to know when a message is authentic. The use of MFA already signals that the user or organization is practicing good security hygiene. One of the few visually suspicious elements in the scam is the domain name used in the proxy site landing page. Still, given the opaqueness of most organization-specific login pages, even the sketchy domain name might not be a dead giveaway.
Nothing in Microsoft’s account should be taken to say that deploying MFA is not one of the most effective measures to prevent account takeovers. That said, not all MFA is equal. One-time authentication codes, even when sent by SMS, are far better than nothing, but they remain phishable or interceptable through more exotic abuses of the SS7 protocol used to send text messages.
The most effective forms of MFA available are those that are compliant with standards set by the industry-wide FIDO Alliance. These types of MFA use a physical security key that can come as a dongle from companies like Yubico or Feitian or even an Android or iOS device. The authentication can also come from a fingerprint or retina scan, neither of which ever leave the end-user device to prevent the biometrics from being stolen. What all FIDO-compatible MFA has in common is that it can’t be phished and uses back-end systems resistant to this type of ongoing campaign.