Now, Microsoft has released details of a sophisticated phishing campaign that is able to bypass multi-factor authentication (MFA). Many phishing attacks send unsuspecting victims to a login page that mimics a legitimate, trustworthy website but has no connection to it and simply steals the user's credentials. The attacker can then use those credentials to log into the victim's account. MFA methods such as time-based one-time passwords (TOTP) help stop these attacks from succeeding by requiring the user to enter a time-sensitive code to complete the login. A TOTP code is only valid for a window of about thirty seconds, so phishing that collects credentials for later use is ineffective against it.
In an adversary-in-the-middle (AiTM) attack the phishing page does not merely copy the login form; it relays the victim's input to the legitimate website in real time. If the user's credentials are valid and MFA is enabled, the legitimate website returns an MFA prompt, which the malicious server passes straight back to the user. When the user completes the MFA step, the phishing site forwards that response to the legitimate website, which issues the session cookie that would normally represent the user's authenticated session. Because that cookie is returned to the malicious server rather than to the victim's browser, it is the attacker, not the victim, who ends up holding the authenticated session.
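To make the difference between the two paragraphs above concrete, here is a small simulation added to this article (it is not Microsoft's code and does not model any real service). A model login service verifies a password and an RFC 6238 TOTP code and then hands out a session cookie. Two phishing pages are run against the same victim: a classic credential-harvesting page whose operator replays the captured password and code later, and an AiTM page that relays the victim's input immediately. The secret, the account name and the fixed clock value are constructed for the demo; the class and function names are the example's own.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second counter, then
    dynamic truncation (RFC 4226) to a 6-digit code."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class LegitimateSite:
    """Model of the real login service: checks the password, then the TOTP
    code for the current step, then issues a random session cookie."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.users = {username: (password, totp_secret)}
        self.sessions: dict[str, str] = {}

    def login(self, username: str, password: str, code: str, now: float):
        stored_password, secret = self.users.get(username, (None, None))
        if secret is None or not hmac.compare_digest(stored_password, password):
            return None
        # Strict: only the current 30-second step is accepted. Real services
        # usually tolerate one step of clock skew, which widens the window to
        # about a minute, not to the hours a harvest-and-replay attacker needs.
        if not hmac.compare_digest(totp(secret, now), code):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        """Which user the site believes holds this cookie (None if unknown)."""
        return self.sessions.get(cookie)


class Victim:
    """The user types password and authenticator code into whatever login
    form is in front of them; a proxy and the original look the same."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username, self.password, self.totp_secret = username, password, totp_secret

    def submit_login(self, form, now: float):
        return form(self.username, self.password, totp(self.totp_secret, now))


def credential_harvest_phish(site, victim, now: float, replay_delay: float):
    """Classic phishing page: records what the victim typed, forwards nothing.
    The attacker replays the captured password and code replay_delay seconds later."""
    captured = {}

    def fake_form(username, password, code):
        captured.update(username=username, password=password, code=code)
        return None  # the victim just sees an error page

    victim.submit_login(fake_form, now)
    return site.login(captured["username"], captured["password"], captured["code"], now + replay_delay)


def aitm_phish(site, victim, now: float):
    """AiTM phishing page: relays the victim's input to the real site at once.
    The real site's response, cookie included, returns to the proxy, which keeps it."""
    captured = {}

    def proxy_form(username, password, code):
        cookie = site.login(username, password, code, now)  # forwarded immediately
        captured["cookie"] = cookie  # attacker records the Set-Cookie value
        return cookie  # the victim is sent onward and sees a normal login

    victim.submit_login(proxy_form, now)
    return captured.get("cookie")


USERNAME = "alice@example.com"  # constructed demo identity, not a real account


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Run the three scenarios at a fixed clock; report whose session each yields."""
    secret = b"constructed-demo-totp-seed"  # constructed, not a real secret
    site = LegitimateSite(USERNAME, "correct horse battery staple", secret)
    victim = Victim(USERNAME, "correct horse battery staple", secret)
    return {
        # Replay two minutes later: the captured TOTP code is stale, login fails.
        "harvest_replayed_later": site.whoami(credential_harvest_phish(site, victim, now, 120)),
        # Replay inside the same 30-second step: the code is still valid.
        "harvest_replayed_at_once": site.whoami(credential_harvest_phish(site, victim, now, 0)),
        # AiTM relay: MFA passes, but the cookie lands with the attacker.
        "aitm_relay": site.whoami(aitm_phish(site, victim, now)),
    }


if __name__ == "__main__":
    for scenario, owner in run_demo().items():
        print(f"{scenario}: attacker holds a session for {owner}")
```

The point the simulation makes is the one in Microsoft's quote below: the AiTM proxy never needs to break TOTP. The legitimate site sees a correct password and a correct, in-window code, so it issues a cookie; the only thing the attacker changes is where that cookie is delivered. The same relay works unchanged for push or SMS factors, since the proxy simply passes the prompt through.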
The phishing campaign targets Outlook email accounts. Once inside a mailbox, the attacker searches the victim's email for ongoing finance-related threads. If such a thread exists, the attacker tries to convince the victim's correspondents to send funds to attacker-controlled accounts. Microsoft also found that the attacker deleted the original phishing email to remove evidence of compromise and created inbox rules that hid the attacker's correspondence with the fraud targets from the victim.
The ability of this phishing campaign to circumvent MFA is alarming, but Microsoft stresses that the campaign does not exploit any vulnerability in MFA itself: “[S]ince AiTM phishing steals the session cookie, the attacker is authenticated to a session on behalf of the user, regardless of the login method used by the user.” MFA still increases security; it just does not protect against that particular type of attack.