This big phish can swim around MFA, says Microsoft Security

A widespread phishing campaign that has hit more than 10,000 organizations since September 2021 uses adversary-in-the-middle (AiTM) proxy sites to get around multifactor authentication (MFA) features and steal credentials that are then used to compromise business email accounts.

With AiTM phishing, cybercriminals place a proxy server between the targeted user and the website they're trying to visit, enabling the miscreants to intercept and steal the user's password and session cookie, which are implemented by web services after initial authentication so that the user doesn't have to keep authenticating as they move through the site during the session.

Through the stolen session cookie, the attacker gets access to the session via the user.

Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a business email compromise (BEC) campaign, in this case payment fraud, according to Microsoft security researchers.

"While AiTM phishing isn't new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign – including cloud-based attack attempts – through cross-domain threat data from Microsoft 365 Defender," researchers from the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center wrote in a blog post this week.

While MFA is another layer of protection against credential theft being adopted, criminals also are developing ways to bypass it, including AiTM attacks.

• Keep an eye on your Experian accounts: Some profiles hijacked using personal info
• Start using Modern Auth now for Exchange Online
• RubyGems polishes security practices with multi-factor authentication push
• Vehicle owner data exposed in GM credential-stuffing attack

Erich Kron, security awareness advocate for KnowBe4, told The Register that such attacks will become more common as organizations embrace MFA.

"While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie – and because the session cookie shows that MFA was already used to login – the attackers can often circumvent the need for MFA when they log into the account again later using the stolen password," Kron said.

Microsoft researchers said they saw multiple iterations of the AiTM campaign, all targeting Office 365 users by spoofing the Office online authentication page and used the Evilginx2 phishing kit as their infrastructure.

There also were similarities in their activities after the security breach, including enumerating sensitive data in the victim's email and running payment fraud schemes.

In one campaign, initial access came through emails to recipients with an HTML file attachment telling them they had a voice message. When the victim clicked on the attached file, it was loaded into the user's browser and showed a page telling the user the voice message was being downloaded. Through a series of sites, users were presented with proxied site pages asking for sign-in credentials, eventually being sent to the Evilginx2 phishing site.

"Once the target entered their credentials and got authenticated, they were redirected to the legitimate office.com page," the Microsofties wrote. "However, in the background, the attacker intercepted said credentials and got authenticated on the user's behalf. This allowed the attacker to perform follow-on activities – in this case, payment fraud – from within the organization."

The payment fraud was designed to trick a target into transferring payments to sites owned by the attacker by hijacking and replying to ongoing finance-related emails threads in the compromised account's mailbox and luring the target to send money through such methods as fake invoices.

The Redmond researchers said it took as few as five minutes after the credentials and session were stolen for the attacker to launch the follow-on payment fraud. The attacker used the stolen session cookie to authenticate to Outlook online.

"In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account," the analysts wrote.

For days after stealing the cookie, the attacker got into finance-related emails and file attachments every few hours and searched for outgoing email threads to find any that could be using in payment fraud schemes. To cover their tracks, the intruder also deleted the initial phishing email from the compromised account's inbox. These activities suggest the cyber-thief tried to run the payment fraud scam manually. Once the attacker found a relevant email thread, the evasion techniques continued.

That included creating an inbox rule that ensured every incoming email from the domain name of the fraud target would be moved to the "Archive" folder and marked as read. Then the miscreant would reply to email threads involving payments and invoices between the victim and employees from other organizations, afterwards deleting their replies from the "Sent Items" and "Deleted Items" folders.

"Once an email account has been compromised, it's easy for attackers to find ways to use the access against the victim," KnowBe4's Kron said. "From using that account to propagate scams against friends and family that have communicated to the victim through email to using the account to reset passwords on other accounts, a lot of malicious things can be done with the access."

"As the threat landscape evolves, organizations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains," the Defender Research team adds.

Phishing continues to be a top threat to organizations, with the Microsoft researchers pointing to the company's 2021 Digital Defense Report that reports of phishing in 2020 doubled year-over-year. MFA helps, but both Microsoft and Kron suggested other steps, including using products that support Fast ID Online (FIDO) v2.0, certificate-based authentication, conditional access policies and employee training sessions for identifying phishing attempts. ®