Microsoft Mail Users Targeted in New Phishing Campaign That Can Bypass MFA


A new widespread phishing effort that targets Microsoft email users and uses adversary-in-the-middle (AiTM) and other evasion techniques to bypass multi-factor authentication (MFA) protections has been uncovered by researchers from cybersecurity company Zscaler’s ThreatLabz.

In early July, Microsoft released details of a similar campaign, which leveraged the AiTM technique to circumvent MFA and targeted over 10,000 organizations.

Zscaler researchers describe the new campaign as a sophisticated, high-level attack.

They believe the aim of the campaign is to compromise corporate accounts in order to carry out business email compromise (BEC) attacks, using forged documents to have funds transferred to accounts under the attackers' control.

Fintech, insurance, accounting, lending and Federal Credit Union entities in the US, UK, New Zealand and Australia are among the targets of the phishing attempt.

Zscaler researchers found an increase in sophisticated phishing attacks in June 2022 targeting certain industries and users of Microsoft email services.

All of these phishing attacks started with the victim receiving an email containing a malicious link.

The malicious emails included either HTML attachments with the link or a direct link to a phishing site. In both cases, the user must activate the link in order to start the chain of infection.

The researchers found that the attackers registered a number of new domains that were typosquatted replicas of legitimate US Federal Credit Unions. Notably, a large number of the phishing emails were sent from the accounts of executives at these organizations, which the threat actors had most likely compromised earlier.

As part of the campaign, another cluster of phishing sites used domain names built around password reset lures.

Once a phishing page succeeded and a particular account was compromised, that same account was then used to send further phishing emails to other business accounts.

The campaign employs a number of redirection strategies. For example, attackers use online code editing services such as CodeSandbox and Glitch and Open Redirect pages hosted by Google Ads to host URL redirect code.

Once the victim arrives at the phishing site, JavaScript on the page fingerprints the visitor to determine whether the browser is running on a virtual machine or a physical device.

This ensures that the phishing page is only shown to people likely to fall for the scam, rather than to security software or researchers who might conduct their investigations using virtual machines.

Threat actors use the AiTM approach to circumvent MFA. The custom proxy-based phishing kit gives attackers the ability to run a proxy between the target’s device (the “client”) and the mail server they are sending requests to (thus “in the middle”).

Thanks to the proxy, the threat actor can intercept all the information exchanged between the client and the server.

“Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered a silver bullet to protect against phishing attacks,” the researchers warned.

“Through the use of advanced phishing kits (AiTM) and smart evasion techniques, hackers can bypass traditional and advanced security solutions.

“As an added precaution, users should not open attachments or click on links in emails sent from untrusted or unknown sources. In general, users should check the URL in the browser address bar before entering credentials.”
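The address-bar check the researchers recommend, applied to the kinds of domains described earlier (typosquats of credit union domains, brand-in-hostname lookalikes, password-reset lure names), as an added Python example that is not part of the article or of Zscaler's research; the allow-list, lure keywords and sample URLs are constructed placeholders.

```python
"""Lookalike-domain classifier for URLs seen in mail or in the address bar.
Added example, not from the article; all hosts below are constructed."""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate login hosts (placeholder brand, not a real FCU).
LEGIT_HOSTS = ["login.microsoftonline.com", "examplefcu.org"]
# Password-reset lure tokens, modelled on the campaign's second domain cluster.
LURE_WORDS = ("passwordreset", "password-reset", "resetpassword")

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive eTLD+1 (last two labels); sufficient for the constructed samples."""
    return ".".join(host.split(".")[-2:])

def classify_url(url):
    """Return 'legit', 'typosquat of X', 'lookalike of X', 'password-reset lure' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "legit"
    base = registrable(host)
    for legit in LEGIT_HOSTS:
        legit_base = registrable(legit)
        if base == legit_base:
            return "legit"  # subdomain of an allow-listed registrable domain
        brand = legit_base.split(".")[0]
        # Brand embedded in a foreign registrable domain, e.g. examplefcu-secure.com
        if brand in host:
            return f"lookalike of {legit}"
        # One or two character edits away from the brand, e.g. examp1efcu.org
        if levenshtein(base.split(".")[0], brand) <= 2:
            return f"typosquat of {legit}"
    if any(word in host for word in LURE_WORDS):
        return "password-reset lure"
    return "unknown"
```

A mail gateway or browser extension would run this before a credential form is submitted; anything other than "legit" is a reason to stop and verify the host.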
