Office 365 phishing campaign that can bypass MFA targets 10,000 organizations


Microsoft security researchers have uncovered a large-scale phishing campaign that uses HTTPS proxy techniques to hijack Office 365 accounts. The attack is capable of bypassing multi-factor authentication (MFA) and has targeted over 10,000 organizations since September 2021.

The objective of the campaign appears to be business email compromise (BEC), a type of attack in which an employee’s email account is used to trick other employees of the same organization, or external business partners, into initiating fraudulent money transfers. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks resulted in over $43 billion in losses between June 2016 and December 2021.

The power of adversary-in-the-middle (AiTM) phishing

The attacks observed by Microsoft started with victims receiving emails carrying malicious HTML attachments. Some emails posed as voicemail notifications and prompted users to open the attachment, which redirected them to a page simulating the progress of a download and then on to a malicious Office 365 login page.

Although it looks like a typical phishing attack, the backend implementation is what sets these pages apart. First, the user’s email address is encoded in the redirect URL and is used to pre-populate the login field on the phishing page. Second, the phishing pages themselves act as a proxy and fetch their content in real time from the legitimate Office 365 login page.

The phishing pages were hosted on HTTPS-enabled domains, some of which had names mimicking Microsoft services. Essentially, the victim’s browser established a TLS connection to the phishing page, and the phishing page established its own TLS connection to the real login site. Because the email address was pre-filled, the proxied pages showed the personalized Office 365 login page that victims were used to seeing for their own organization, making the attack more believable.

Since the phishing page acted as a proxy, it forwarded the credentials entered by the user to the legitimate Office 365 site and then relayed the MFA prompt returned by the site, all in real time. The goal was to complete the login process and capture the user’s session cookie.

A session cookie is a unique identifier that a website sets in the browser once authentication has completed successfully, so that it can recognize the user as they browse the site without asking them to authenticate again.

“According to our observations, after a compromised account logged into the phishing site for the first time, the attacker used the stolen session cookie to authenticate with Outlook online ( .com),” the Microsoft researchers said in their report. “In several cases, the cookies had an MFA claim, meaning that even though the organization had an MFA policy, the attacker used the session cookie to gain access to the compromised account name.”

This man-in-the-middle phishing technique against authentication systems is not new, and several open-source toolkits allow attackers to automate such attacks easily. The toolkit used in this case is called evilginx2 and has existed since 2018.

It should be noted that not all types of MFA can be circumvented by AiTM techniques. FIDO2-compliant solutions that rely on a hardware security key connected to the computer or a fingerprint sensor in a mobile device cannot be proxied in this way, because the credential is bound to the origin of the legitimate site. Even though SMS- and code-based solutions are vulnerable, it is still better to use any form of MFA than none at all, since it blocks a variety of less sophisticated attacks such as credential stuffing and other forms of password theft.
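To show why a proxied login fails with FIDO2, here is an added example (not from the article or from Microsoft’s report) of the origin and RP ID checks a relying party performs on a WebAuthn assertion. The origin `https://login.example.com`, the RP ID, the challenge and the proxy domain are all constructed for the demonstration; the signature check over `authenticatorData || sha256(clientDataJSON)` is left out to keep the focus on the binding.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed values for a hypothetical relying party; not from the article.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"
EXPECTED_CHALLENGE = "c2VydmVyLWlzc3VlZC1jaGFsbGVuZ2U"  # constructed server-issued nonce


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> str:
    """Simulate the clientDataJSON the browser builds for an assertion.

    The browser, not the page, fills in "origin" with the URL it is actually
    showing, so a page served from a phishing domain cannot claim the real origin.
    """
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Simulate minimal authenticatorData: sha256(rpId) + flags (UP|UV) + signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_origin: str, expected_rp_id: str,
                             expected_challenge: str) -> Tuple[bool, str]:
    """The type, challenge, origin and rpIdHash checks a relying party performs.

    The signature check (over authenticatorData || sha256(clientDataJSON)) is
    omitted here; it is what prevents a proxy from editing these fields.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> Tuple[bool, bool]:
    """Legitimate login succeeds; the same ceremony relayed through a proxy domain fails."""
    legit = verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, EXPECTED_CHALLENGE),
        make_authenticator_data(EXPECTED_RP_ID),
        EXPECTED_ORIGIN, EXPECTED_RP_ID, EXPECTED_CHALLENGE)
    # Constructed proxy domain: browsers only accept an rpId that is a registrable
    # suffix of the page's own domain, so a proxy is forced to use its own rpId.
    proxied = verify_assertion_binding(
        make_client_data("https://login-example-proxy.net", EXPECTED_CHALLENGE),
        make_authenticator_data("login-example-proxy.net"),
        EXPECTED_ORIGIN, EXPECTED_RP_ID, EXPECTED_CHALLENGE)
    return legit[0], proxied[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the code makes is that the browser and the authenticator, not the web page, decide what goes into the origin field and the rpIdHash, and the authenticator signs over both; a relayed ceremony therefore arrives at the real site with the wrong origin and cannot be repaired by the proxy.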

Microsoft also recommends enabling Conditional Access policies that require compliant devices or trusted IP addresses before completing authentication, as well as continuously monitoring for suspicious sign-ins from unusual locations, ISPs, or non-standard user agents.
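As an added illustration of that monitoring advice (not code from the article or from Microsoft), the script below runs three simple rules over constructed sign-in records: a user agent that is not a browser or mail client, a country outside the user’s baseline, and the same session identifier reappearing from a different network shortly after an MFA-satisfied sign-in without a new MFA prompt, which is the pattern a replayed session cookie leaves. The record layout, the baseline and the browser markers are assumptions, loosely modelled on Azure AD sign-in log fields.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

REASON_UA = "non-standard user agent"
REASON_COUNTRY = "sign-in from country outside user baseline"
REASON_REPLAY = "session reused from a different IP/country without re-authentication"

# Markers that ordinary browsers and mail clients send; anything else is flagged.
BROWSER_MARKERS = ("Mozilla/", "Outlook", "Microsoft Office")
REPLAY_WINDOW = timedelta(hours=24)

# Constructed per-user location baseline (in practice learned from sign-in history).
USER_BASELINE: Dict[str, Set[str]] = {
    "alice@example.com": {"FR"},
    "bob@example.com": {"FR", "DE"},
}

# Constructed sign-in records, loosely shaped like Azure AD sign-in log fields.
SAMPLE_SIGNINS: List[dict] = [
    {"time": "2022-07-12T08:01:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "FR", "isp": "ExampleTelecom", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103",
     "session": "sess-1", "mfa": True},
    # Same session id minutes later from another network, no MFA prompt: cookie replay.
    {"time": "2022-07-12T08:07:00Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "NL", "isp": "CheapVPS", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103",
     "session": "sess-1", "mfa": False},
    {"time": "2022-07-12T09:00:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "DE", "isp": "ExampleTelecom", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103",
     "session": "sess-2", "mfa": True},
    # Scripted access with a non-browser user agent.
    {"time": "2022-07-12T09:30:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "DE", "isp": "ExampleTelecom", "ua": "python-requests/2.28.1",
     "session": "sess-3", "mfa": False},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_signins(signins: List[dict], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per rule hit; a single record can trigger several."""
    alerts: List[dict] = []
    first_seen: Dict[str, dict] = {}  # session id -> record that established it
    for rec in sorted(signins, key=lambda r: parse_time(r["time"])):
        user = rec["user"]
        if not rec["ua"].startswith(BROWSER_MARKERS):
            alerts.append({"user": user, "time": rec["time"], "reason": REASON_UA})
        if rec["country"] not in baseline.get(user, set()):
            alerts.append({"user": user, "time": rec["time"], "reason": REASON_COUNTRY})
        origin = first_seen.setdefault(rec["session"], rec)
        if origin is rec:
            continue  # first sight of this session; nothing to compare against yet
        moved = rec["ip"] != origin["ip"] or rec["country"] != origin["country"]
        recent = parse_time(rec["time"]) - parse_time(origin["time"]) <= REPLAY_WINDOW
        if moved and recent and not rec["mfa"]:
            alerts.append({"user": user, "time": rec["time"], "reason": REASON_REPLAY})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_signins(SAMPLE_SIGNINS, USER_BASELINE):
        print(alert)
```

On the sample data the second record for alice raises both the country and the session-reuse alerts, and bob’s scripted access raises the user-agent alert; a real deployment would feed the same rules from exported sign-in logs and tune the baseline and window per tenant.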

From phishing to BEC

Following a successful compromise, the attackers searched the victim’s inbox for threads mentioning financial transactions or invoices that they could insert themselves into while impersonating the victim. Once they identified such a thread, or a fraud target based on past communications, they created an email to that person or entity on behalf of the account’s owner and set up an inbox rule that automatically marked all future replies from that correspondent as read and moved them to the archive folder.

They also deleted the messages they had sent from the Drafts, Sent Items and Junk folders and continued to check the archive folder every few hours for replies. “On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Each time the attacker found a new fraud target, he updated the inbox rule he had created to include the organization domains of these new targets.”

In some cases, attackers took just five minutes to identify a potential fraud victim and start messaging them from the compromised account. Sometimes the back-and-forth took days, and there are signs that the fraud was carried out manually.

Microsoft recommends that organizations have policies in place to monitor inbox rules with suspicious purposes and to trigger alerts for unusual volumes of mail access events from untrusted IP addresses or devices.
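The inbox-rule monitoring Microsoft recommends can be expressed as a few checks over audit events. The following is an added example, not code from the article or from Microsoft: it scores constructed inbox-rule creation events shaped loosely like unified audit log `New-InboxRule` records, flagging rules that mark mail as read and archive or delete it (the pattern described above), rules keyed on financial keywords, rules that forward mail, and rules created from outside a trusted network. The trusted range, the sample events and the keyword lists are assumptions for the demonstration.

```python
import ipaddress
from typing import Dict, List, Tuple

FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance")
QUIET_FOLDERS = ("archive", "rss feeds", "rss subscriptions",
                 "conversation history", "deleted items", "junk email")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Constructed trusted range for the hypothetical tenant (documentation prefix).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed audit events loosely shaped like unified audit log New-InboxRule records.
SAMPLE_RULE_EVENTS: List[dict] = [
    # Hides replies from one correspondent; created from outside the trusted range.
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ObjectId": ".",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "From", "Value": "accounts@vendor-example.net"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    # Ordinary newsletter filing; nothing to flag.
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "ObjectId": "Newsletters",
     "ClientIP": "203.0.113.50",
     "Parameters": [{"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    # Silently deletes anything about invoices or payments.
    {"UserId": "carol@example.com", "Operation": "New-InboxRule", "ObjectId": "cleanup",
     "ClientIP": "203.0.113.51",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]


def params_to_dict(parameters: List[dict]) -> Dict[str, str]:
    """Flatten the audit log's Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in parameters}


def assess_inbox_rule(event: dict, trusted_networks=TRUSTED_NETWORKS) -> List[str]:
    """Return the reasons an inbox-rule event looks suspicious (empty list if none)."""
    p = params_to_dict(event["Parameters"])
    reasons: List[str] = []
    folder = p.get("MoveToFolder", "").lower()
    hides = folder in QUIET_FOLDERS or p.get("DeleteMessage") == "True"
    if p.get("MarkAsRead") == "True" and hides:
        reasons.append("hides incoming mail (marks read and archives/deletes)")
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if any(word in text for word in FINANCE_WORDS):
        reasons.append("matches financial keywords")
    if any(p.get(k) for k in FORWARD_KEYS):
        reasons.append("forwards or redirects mail")
    client_ip = ipaddress.ip_address(event["ClientIP"])
    if not any(client_ip in net for net in trusted_networks):
        reasons.append("created from untrusted IP " + event["ClientIP"])
    return reasons


def find_suspicious_rules(events: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Collect (user, rule name, reasons) for every rule creation or change worth review."""
    findings: List[Tuple[str, str, List[str]]] = []
    for event in events:
        if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = assess_inbox_rule(event)
        if reasons:
            findings.append((event["UserId"], event["ObjectId"], reasons))
    return findings


if __name__ == "__main__":
    for user, rule, reasons in find_suspicious_rules(SAMPLE_RULE_EVENTS):
        print(user, repr(rule), reasons)
```

Including `Set-InboxRule` matters because, as the quoted report notes, the attacker kept editing an existing rule to add new target domains rather than creating new ones; alerting only on rule creation would miss those updates.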

Copyright © 2022 IDG Communications, Inc.

