Microsoft phishing campaigns can hack despite users having MFA

Published July 14, 2022
Author: Ash Khan

Microsoft phishing campaigns can hack despite users having MFA

Published July 14, 2022
Author: Ash Khan

If our sessions don’t expire, what is the purpose of having an MFA?

Microsoft claims hackers can access Outlook email accounts even if they are secured by multi-factor authentication.

In 2021, the company’s cybersecurity teams from the Threat Intelligence Center and the Microsoft 365 Defender Research Team discovered a new large-scale phishing attempt that targeted over 10,000 organizations.

The hacked email accounts were then utilized in business email compromise (BEC) attacks. These attacks rob the victim’s business partners, clients, and customers.

Stealing session cookies

A phishing email is sent to the target with a link to access their Outlook account. However, the link would take users to a proxy site that appeared to be similar to the original one. When the victim tries to log in, the proxy site allows it, passing all of the data through.

The attacker takes the session cookie once the victim had completed the authentication procedure. As users don’t have to reauthenticate for every page they visit. Meanwhile, the hacker has complete access.

According to Microsoft when an affected account logs into the phishing site for the first time, the attacker utilizes the stolen session cookie to authenticate to Outlook online. More often the cookies contained MFA claims. This implies that even if the business had an MFA policy, the attacker exploited the session cookie to acquire access on behalf of the affected account.

After gaining access to the email account the attackers then proceed with targeting the contacts in the inbox. They use these stolen identities in an attempt to deceive them into transferring payments of varying sums.

The attackers set up inbox rules on the endpoint like marking their emails as read by default and quickly transferring them to the archive. It’s done to ensure that the victim is unaware that their email accounts are being misused. They would also check their emails regularly.

One creative attacker completed numerous fraud attempts at the same time from the same hacked email. Every time the crook discovered a new target, they would update the rule they developed to add this new organization’s domains to the list.

Post Views: 318
0

Popular Tags

API Integration Branding Services Business Cloud Backup storage cloud storage Cloud VPS Server Hosting Database Services Digital Marketing eBay Store Email Hosting Email Marketing & CRM Email security Explainer Video Facebook Ads Fast Vpn FTP hosting GMAIL Google Ads Google Workspace hacked website repair IT Support Services Linux Managed AWS Cloud Managed Azure Cloud Microsoft 365 Microsoft Office 365 Microsoft Teams Integration mobile apps Outlook email Reseller Hosting SEO Services Server Management SIM Hosting Service SMS Services Social Media Marketing SQL Services Transfer Domain Name Vulnerability Assessment web applications Web Hosting Web Maintenance Website Designing website repair services Website Security Wordpress Hosting

Latest Posts