Microsoft discovered a new MFA bypass tactic used to target over 10,000 organizations in a coordinated phishing campaign.
The company explained that the attackers deployed a malicious proxy server to steal login credentials and session cookies and hijack the victims’ mailboxes. The proxy acted as an adversary-in-the-middle (AiTM), intercepting and forwarding the communication between the user and the target website.
Subsequently, the threat actors used the compromised accounts to execute business email compromise (BEC) attacks and commit payment frauds. BEC attacks trick the target user into transferring money to accounts controlled by the threat actors.
However, Microsoft researchers asserted that the bypass technique is not a vulnerability with MFA.
“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” the researchers wrote in a blog post.
MFA bypass campaign does not require a custom phishing site
Microsoft explained that, unlike traditional phishing attacks, the attacker does not need to have their own phishing site.
Instead, they deploy a malicious proxy server that acts as the AiTM agent, extracting information, forwarding requests, and rendering the MFA screen to the target victim. The proxy maintains two Transport Layer Security (TLS) sessions: one with the target and one with the actual website.
Microsoft warned that the process could be automated with open-source tools such as Evilginx2, Modlishka, and Muraena.
“Phishing is still the #1 attack vector with identities being their primary target,” Garret Grajek, CEO at YouAttest, said. “An identity is a passkey into an enterprise’s resources.
“Why hack the security components when the key to the front door is available? It can never be stated enough how much identities, especially ghost, legacy, and stale accounts, must be discovered and eliminated. It’s these stale accounts that allow hackers to stay resident.”
Attackers sent fake audio emails in the MFA bypass phishing campaign
The attackers began by sending phishing emails to multiple recipients in various organizations. The emails contained an HTML file attachment and a message informing the recipient that they had received a voice message.
The attachment opened in the user’s browser with a progress bar indicating that the mp3 message was downloading. However, the progress bar was hardcoded in the HTML file.
The page then redirected the user to another site, which informed the victim that they would receive the audio within one hour. The site confirmed that the user had arrived from the HTML attachment by checking a base64-encoded URL parameter.
Upon confirming the target, the phishing site rendered a Microsoft login screen and auto-filled the user’s email on the sign-in form to earn their trust. The phishing site proxied the organization’s Azure Active Directory (Azure AD) with the organization’s branding.
Lastly, the phishing page redirected the user to a legitimate office.com page after authenticating on their behalf and collecting their login credentials and session cookies.
“For me, this is the first time I’ve seen BEC actors making this big of a pivot,” Ronnie Tokazowski, Principal Threat Advisor at Cofense, said. “While credential phishing for cookies and business email compromise attacks are not new techniques, the merging of the two techniques shows that attackers are experimenting with technical methods to facilitate fraud.”
Sharon Nachshony, Security Researcher at Silverfort, said the MFA bypass phishing campaign demonstrated the hackers’ ingenuity in compromising accounts.
“While AiTM is not a new approach – obtaining the session cookie after authentication shows how attackers have had to evolve and take steps to try and sidestep MFA, which they hate,” Nachshony said. “In addition to the steps outlined by Microsoft – an organization could also defeat this attack by sending the legitimate user a location with the MFA request. This would defeat the problem posed by proxy servers, which would be in a different location, and ensure a more secure authentication process.”
Fraudsters monitored email threads for potential targets
According to Microsoft, the attackers accessed business emails “every few hours” after compromising the account and monitored business email threads to find potential targets. The activities suggest that the attacker attempted to commit payment fraud manually.
Once they identified a target, they replied to the conversation while covering their tracks by deleting email messages with phishing domain URLs. They achieved this by creating inbox rules. Additionally, they regularly logged in to the compromised account using stolen session cookies to check whether the target had replied to their emails.
Microsoft noted that some payment fraud occurred in as little as five minutes after compromise. Hackers targeted at least 10,000 organizations in the AiTM phishing campaign.
According to Microsoft, the MFA bypass phishing campaign appeared to be coordinated: “These runs appear to be linked together and target Office 365 users by spoofing the Office online authentication page,” the company wrote.
Protecting against MFA bypass phishing campaign
Microsoft noted that while the phishing campaign successfully leveraged MFA bypass techniques, implementing multi-factor authentication was still crucial in protecting accounts.
“MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.
“Organizations can make their MFA implementation ‘phish-resistant’ by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.”
Additionally, the researchers recommended “conditional access policies” that evaluate further signals such as IP location, user group membership, and device information before granting access. Investment in advanced anti-phishing solutions could also defeat the MFA bypass techniques by scanning incoming emails and blocking access to malicious websites.
Finally, they recommended continuous monitoring of email activities such as sign-in attempts, change of inbox rules, email access events, and logged-in devices and their IP addresses.
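As an added example (not from Microsoft's report or this article), the following Python sketch applies the monitoring advice above to constructed, simplified audit records: it flags a user whose sign-ins come from two countries within a short window (the pattern a stolen session cookie replayed from the proxy's location would leave) and any newly created inbox rule that deletes mail. The record layout and field names are assumptions, not the Microsoft 365 audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit records for illustration only.
# Field names are assumptions; IPs are documentation ranges.
EVENTS = [
    {"ts": "2022-07-12T09:00:00", "user": "alice@example.com", "op": "SignIn",
     "ip": "203.0.113.10", "country": "US"},
    {"ts": "2022-07-12T09:02:00", "user": "alice@example.com", "op": "SignIn",
     "ip": "198.51.100.77", "country": "NL"},   # same user, new country, 2 minutes later
    {"ts": "2022-07-12T09:03:00", "user": "alice@example.com", "op": "New-InboxRule",
     "rule": {"name": ".", "delete": True, "contains": ["phish-example.invalid"]}},
    {"ts": "2022-07-12T09:04:00", "user": "alice@example.com", "op": "MailItemsAccessed",
     "ip": "198.51.100.77"},
    {"ts": "2022-07-12T14:00:00", "user": "bob@example.com", "op": "SignIn",
     "ip": "203.0.113.10", "country": "US"},
    {"ts": "2022-07-12T14:30:00", "user": "bob@example.com", "op": "New-InboxRule",
     "rule": {"name": "Newsletters", "delete": False, "contains": ["news"]}},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious(events, window=timedelta(hours=1)):
    """Return (user, reason) alerts for session-reuse indicators and deleting inbox rules."""
    alerts = []
    signins = defaultdict(list)
    for e in events:
        if e["op"] == "SignIn":
            signins[e["user"]].append(e)
    # Consecutive sign-ins from different countries inside the window.
    for user, rows in signins.items():
        rows.sort(key=lambda e: parse(e["ts"]))
        for a, b in zip(rows, rows[1:]):
            if a["country"] != b["country"] and parse(b["ts"]) - parse(a["ts"]) <= window:
                alerts.append((user, "sign-ins from %s and %s within %s"
                               % (a["country"], b["country"], window)))
    # Inbox rules that silently delete matching mail hide the attacker's conversation.
    for e in events:
        if e["op"] == "New-InboxRule" and e["rule"]["delete"]:
            alerts.append((e["user"], "inbox rule %r deletes mail matching %s"
                           % (e["rule"]["name"], e["rule"]["contains"])))
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious(EVENTS):
        print(user, "->", reason)
```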
“To protect against the phishing emails that trick the victims into clicking on a link, organizations should train employees how to identify and report phishing and should test them regularly with simulated phishing attacks that allow them to practice these skills. In addition, educating users on how to identify fake login pages will greatly reduce the risk of giving up the credentials and session cookie,” recommended Erich Kron, security awareness advocate at KnowBe4.