Alarming Phishing Campaign Bypasses MFA Security to Commit Financial Fraud

Phishing attacks use various methods to trick users into handing over sensitive information, such as login credentials. Over time, as users have become more suspicious and email clients, web browsers and IT departments have implemented anti-phishing measures, scammers have had to get creative and devise anti-phishing techniques. more devious phishing. Earlier this year, we wrote about a phishing technique that uses JavaScript to create an animated window in victims’ browsers to appear more legitimate.

Now, Microsoft has released details of a sophisticated phishing campaign with the ability to bypass multi-factor authentication (MFA). Many phishing attacks send unsuspecting victims to a login page that mimics a legitimate, trustworthy website, but in fact has no connection to the legitimate site and simply steals the user’s credentials. user. The attacker can then use these credentials to log into victims’ accounts. MFA methods such as time-based one-time passwords (TOTP) can help prevent these types of phishing attacks from succeeding by requiring users to enter a time-sensitive code in order to complete the login process. . In the case of TOTP, the required code is valid within a window of just thirty seconds, making phishing attacks that collect user credentials for later use ineffective.

However, some phishing attacks, like the one recently documented by Microsoft, do much more behind the scenes than just collecting login credentials. Microsoft detailed an Adversary-in-the-middle (AiTM) phishing campaign, where fraudulent websites act as proxies between victims and legitimate websites. Users are prompted to enter their login credentials, but rather than storing these credentials, the fraudulent website instead transmits the login credentials to the imitated legitimate site.

If the user’s credentials are valid and MFA is enabled, the legitimate website returns an MFA prompt, which the malicious server returns to the user. At the end of the required MFA step, the phishing site passes the authentication credentials to the legitimate website, which issues a session cookie that would normally verify the user’s current authenticated session. However, since the cookie was sent to the malicious server, the attacker gets an authenticated session, rather than the victim.

This complicated AiTM phishing attack is just one step in the largest phishing campaign documented by Microsoft. The full attack begins with a phishing email that redirects users to the AiTM phishing site. Once the malicious proxy server underlying the AiTM phishing page acquires a session cookie, the attacker exploits the authenticated user’s session to conduct payment fraud. Microsoft 365 Defender threat data indicates that it takes only five minutes after session cookie authorization for the attacker to begin the payment fraud process.

The phishing campaign targets Outlook email accounts, allowing the attacker to access victims’ financial emails in an attempt to find ongoing threads. If such a thread is present, the attacker tries to convince the victim’s correspondents to send funds to accounts controlled by the attacker. Microsoft also discovered that the attacker deleted the original phishing email to remove a sign of compromise and implemented inbox rules that masked the attacker’s correspondence with financial fraud targets.

The ability of this phishing campaign to circumvent MFA measures is alarming, but Microsoft stresses that the campaign does not exploit any kind of vulnerability in MFA itself. “[S]Since AiTM phishing steals the session cookie, the attacker is authenticated to a session on behalf of the user, regardless of the login method used by the user.“MFA further increases security; it just doesn’t protect against that particular type of attack.