Security researchers at Microsoft have uncovered a large-scale phishing campaign in which attackers attempt to take over accounts even if multi-factor authentication (MFA) is activated. Microsoft reports that more than 10,000 companies have been attacked in this way so far.
According to the report, the researchers traced the campaign back to September 2021. The attackers use so-called adversary-in-the-middle (AiTM) phishing pages to steal login credentials and hijack session cookies. Where this succeeds, they gain access to the victims' mailboxes and launch further attacks against other targets from there.
Campaign targeted Office 365 users
The AiTM campaign uncovered by Microsoft targeted Office 365 users, to whom the attackers presented a proxied copy of the Office online sign-in page. The phishing pages were built with the Evilginx2 phishing kit.
The attackers sent emails with an HTML file attached to various recipients, claiming that a voice message was waiting for them. To listen to it, the recipients would have to open the attachment within 24 hours; after that deadline, the message would supposedly be deleted.
Opening the attachment redirected the victim to a fake Office landing page on the attackers' proxy server, which announced that they would be forwarded to their voicemail mailbox. In the meantime, the page asked them to sign in with their credentials.
The Microsoft researchers describe how the attackers pass the victim's email address to the landing page, where it is automatically filled into the sign-in form. The pre-filled username field makes the trap more credible.
If the victim actually entered their credentials, they were redirected to the real Office landing page, while in the background the attackers intercepted both the login data and the session cookie. They then used this access for payment fraud through so-called business email compromise (BEC).
Attackers used access for payment fraud
Apparently, it took the attackers less than five minutes to sign in to a compromised account and comb through it for finance-related emails and attachments. If they found what they were looking for, they tried to convince the correspondent at the other end of the thread to transfer money to accounts under their control.
To hide their activity from the actual owner of the email account, the attackers reportedly set up mailbox rules that automatically marked incoming emails from certain domains as read and moved them to the "Archive" folder. In addition, they deleted the initial phishing email and their subsequent correspondence with the fraud target from the inbox, and then from the Archive and Sent Items folders.
According to Microsoft, these activities indicate that the fraud was carried out manually. In many cases the attackers corresponded for days, with several potential victims at the same time. Whenever they picked up a new target, they added that person's domain to the mailbox rules.
What are AiTM attacks?
AiTM attacks target the session cookie that modern web services set in the browser after a successful initial sign-in. This cookie serves as proof to the web server that the user has already authenticated, so they do not have to log in again for every page they visit.
The attackers place a proxy server between the victim and the real website the victim intends to visit. In this way, they can intercept both the login data for the website and the session cookie of the ongoing, authenticated session.
The proxy sits between the victim and the genuine site: it forwards the HTTP requests the visitor sends to the phishing page on to the server the attackers are impersonating and relays the responses back. The phishing site is therefore a live mirror of the genuine one, which is convenient for the attackers: they do not have to clone the site by hand, and the pages stay current automatically. The tell is the address bar, since the proxy is served from the attackers' own domain with a certificate for that domain; the padlock alone proves nothing.
With the stolen session cookie, the attackers are authenticated as the victim. The victim has already completed the multi-factor step on their behalf, so the attackers never have to pass it themselves, and they can use the site with the same access rights as the victim.
In Tuesday's blog post, the Microsoft researchers emphasize that the attack works regardless of the sign-in method used and that AiTM attacks do not indicate a vulnerability in MFA itself.
Attackers are increasingly adapting to MFA
According to Microsoft, the AiTM campaign is an example of how attackers are adapting to protective measures such as the rollout of MFA. Despite AiTM, multi-factor authentication remains a very effective defence against a whole range of threats; indeed, it is precisely because MFA is so effective that AiTM attacks arose in the first place.
To protect against similar attacks, the researchers recommend supplementing MFA with access conditions tied to other identity-related signals such as the IP location of the sign-in or the compliance state of the device. Such conditions are evaluated on the connection that actually reaches the identity provider, which in an AiTM scenario is the attackers' proxy rather than the victim's device.
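To make concrete both how the proxy in the AiTM attack described above ends up holding a session that has already passed MFA, and why an access condition tied to the sign-in location helps, here is a self-contained Python simulation. It is an added example written for this article, not code from Microsoft or from Evilginx2; the site, account, one-time code, cookie name and IP addresses (TEST-NET ranges) are all constructed, and the prefix check on the client address is a stand-in for a real conditional-access location policy.

```python
"""Simulation of the AiTM proxy flow described above, plus a location-based
access condition of the kind the article recommends.

Added example for this article, not code from the original page, Microsoft or
Evilginx2. Site, account, one-time code, cookie name and IP addresses (TEST-NET
ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    client_ip: str                 # peer address as seen by whoever receives it
    body: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    text: str
    set_cookies: dict = field(default_factory=dict)


class RealSite:
    """Toy stand-in for the genuine sign-in service: password plus one-time code,
    then a session cookie that proves authentication on later requests. With
    trusted_networks set, sign-ins are accepted only from those prefixes
    (a stand-in for an IP-location access condition)."""

    def __init__(self, trusted_networks=None):
        self.trusted_networks = trusted_networks
        # constructed account: (password, currently valid one-time code)
        self.users = {"alice@example.com": ("correct-horse", "493021")}
        self.sessions = {}         # cookie value -> user

    def handle(self, req: Request) -> Response:
        if req.path == "/login":
            pw, otp = self.users.get(req.body.get("user"), (None, None))
            if req.body.get("password") != pw or req.body.get("otp") != otp:
                return Response(401, "bad credentials or one-time code")
            # The condition is evaluated on the address that actually connected;
            # through a proxy that is the attacker's server, not the victim.
            if self.trusted_networks and not req.client_ip.startswith(self.trusted_networks):
                return Response(401, "sign-in blocked: untrusted location")
            token = secrets.token_hex(16)
            self.sessions[token] = req.body["user"]
            return Response(302, "redirect to /mail", {"session": token})
        if req.path == "/mail":
            user = self.sessions.get(req.cookies.get("session"))
            if user is None:
                return Response(401, "sign-in required")
            return Response(200, f"mailbox of {user}")
        return Response(404, "not found")


class AitmProxy:
    """Attacker's reverse proxy: relays every request to the real site and hands
    back the real response, so the victim sees genuine pages. Credentials and
    Set-Cookie headers passing through are recorded."""

    def __init__(self, upstream: RealSite, proxy_ip: str):
        self.upstream = upstream
        self.proxy_ip = proxy_ip
        self.loot = {"credentials": [], "cookies": {}}

    def relay(self, req: Request) -> Response:
        if req.path == "/login":
            self.loot["credentials"].append(
                (req.body.get("user"), req.body.get("password"), req.body.get("otp")))
        # The upstream connection originates from the proxy, so the real site
        # sees the proxy's address, never the victim's.
        resp = self.upstream.handle(Request(req.path, self.proxy_ip, req.body, req.cookies))
        self.loot["cookies"].update(resp.set_cookies)     # session cookie, if issued
        return resp


def run_scenario(location_policy: bool) -> dict:
    """Victim signs in through the proxy; attacker replays the cookie elsewhere."""
    site = RealSite(trusted_networks=("203.0.113.",) if location_policy else None)
    proxy = AitmProxy(site, proxy_ip="198.51.100.7")
    victim_ip, attacker_ip = "203.0.113.42", "198.51.100.9"

    # 1. Lured by the "voicemail" mail, the victim signs in on the proxied page and
    #    completes MFA by typing the one-time code into the same form. The code is
    #    short-lived, which is why the relay has to happen in real time.
    login = proxy.relay(Request("/login", victim_ip, body={
        "user": "alice@example.com", "password": "correct-horse", "otp": "493021"}))

    # 2. The attacker reuses the captured cookie directly against the real site:
    #    no password, no one-time code, the victim already passed MFA for them.
    replay = site.handle(Request("/mail", attacker_ip, cookies=proxy.loot["cookies"]))

    return {
        "victim_login_status": login.status,
        "credentials_captured": bool(proxy.loot["credentials"]),
        "cookie_captured": "session" in proxy.loot["cookies"],
        "replay_status": replay.status,
    }


if __name__ == "__main__":
    print("MFA only:           ", run_scenario(location_policy=False))
    print("MFA + location rule:", run_scenario(location_policy=True))
```

Run without a location rule, the victim's sign-in succeeds through the proxy, the proxy ends up holding the password, the one-time code and the session cookie, and the attacker's replay of that cookie from another machine is accepted with no MFA prompt at all. With the location rule, the same sign-in is rejected because the identity provider sees the proxy's address rather than the victim's, so no cookie is ever issued. Note that the proxy still captured the password and one-time code in both runs: the policy protects the session, not the secrets the victim typed, so credentials still need rotating after such an incident.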