Microsoft’s 365 Defender Research Team and Threat Intelligence Centre have spotted a new phishing campaign that can compromise accounts even when they are protected by multi-factor authentication (MFA). The threat actors behind the campaign have targeted over 10,000 organisations since September.
These kinds of attacks are called adversary-in-the-middle (AiTM) attacks and essentially work by inserting a proxy server between the target user and the website the user is attempting to visit. This allows the attacker to intercept the victim’s network traffic and steal sensitive information such as passwords or session cookies, which prove to the target website that the user has an ongoing, authenticated session.
One example of a similar attack that Microsoft explained involved the threat actor inserting a proxy website between users and the work server they use. As soon as the user entered their login credentials into the proxy website, it relayed the data back to the actual server and showed the user the returned response. The campaign began with a simple email containing a link to the proxy server.
During the process, however, the proxy website steals the user’s session cookie sent by the actual site. Session cookies ensure that users don’t have to enter their credentials every time they try to access protected information and verify a user’s ongoing session until they log out.
Once the threat actors had retrieved the session cookies, they accessed employee email accounts and searched for message threads that could be used to target employees, impersonate identities and trick them into sending large sums of money to accounts they believed belonged to co-workers or business partners.
To avoid detection, the threat actors also created inbox rules that automatically moved specific emails to a hidden folder and marked them as read, hiding them under the actual mailbox owner’s nose. The threat actor would log in randomly over the next few days to check for new emails.
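Two of the behaviours described above leave traces a defender can look for: the stolen session cookie being replayed from a different client address than the one that completed the login, and a new inbox rule that both moves matching mail to a folder and marks it as read. The following is an added example (not Microsoft’s code or schema) that runs both checks over a handful of constructed, simplified audit events; the field names (`op`, `session`, `ip`, `params`) are assumptions for illustration.

```python
"""Flag AiTM follow-on activity in constructed, simplified audit events."""
from collections import defaultdict

# Constructed sample events (simplified schema, not Microsoft's real audit log format).
# Alice's session "S1" is first seen from one address and then replayed from another,
# and a rule is created from that second address that hides "invoice" mail.
EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example.com", "session": "S1", "ip": "203.0.113.10"},
    {"op": "UserLoggedIn", "user": "alice@example.com", "session": "S1", "ip": "198.51.100.7"},
    {"op": "New-InboxRule", "user": "alice@example.com", "ip": "198.51.100.7",
     "params": {"Name": ".", "SubjectContainsWords": "invoice",
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    # Benign rule for comparison: moves mail but leaves it unread.
    {"op": "New-InboxRule", "user": "bob@example.com", "ip": "192.0.2.5",
     "params": {"Name": "newsletters", "MoveToFolder": "Newsletters", "MarkAsRead": False}},
]


def session_replays(events):
    """Return (user, session, sorted ips) for every session seen from more than one IP.

    A legitimately roaming user can also trigger this, so treat hits as leads to
    correlate (e.g. with the inbox-rule check below), not as proof of compromise.
    """
    seen = defaultdict(set)
    for e in events:
        if e["op"] == "UserLoggedIn":
            seen[(e["user"], e["session"])].add(e["ip"])
    return [(u, s, sorted(ips)) for (u, s), ips in seen.items() if len(ips) > 1]


def suspicious_inbox_rules(events):
    """Return (user, rule name, folder) for rules that move mail AND mark it as read."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        if p.get("MoveToFolder") and p.get("MarkAsRead"):
            hits.append((e["user"], p.get("Name"), p["MoveToFolder"]))
    return hits


if __name__ == "__main__":
    for user, session, ips in session_replays(EVENTS):
        print(f"session {session} of {user} seen from {', '.join(ips)}")
    for user, name, folder in suspicious_inbox_rules(EVENTS):
        print(f"{user}: rule {name!r} hides mail in {folder!r}")
```

A user who appears in both result sets, as Alice does here, matches the pattern the article describes and is worth an immediate session revocation and rule review.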
Because the attacker steals the session cookie issued once the user has already completed authentication and then logs into the target website on the user’s behalf, this can’t be termed a flaw in multi-factor authentication itself. Microsoft also notes that these kinds of scams are easy to fall for, as the sheer volume of emails and workloads employees have to deal with makes it hard to tell when an email is legitimate.
One of the biggest signs of a page being fake or malicious is the actual URL shown in the address bar. However, even that can be manipulated, considering most organisational login pages have rather complex URLs that help malicious URLs blend in easily.