Skip to content

New phishing campaigns can hack you despite multi-factor authentication; 10000 organisations targeted so far

  • by
  • 3 min read

Microsoft’s 365 Defender Research Team and Threat Intelligence Centre have spotted a new phishing campaign that can hack victims despite being protected by multi-factor authentication. The threat actors behind the campaign have targeted over 10,000 organisations since September. 

These kinds of attacks are called Adversary-in-the-middle (AiTM) attacks and essentially work by inserting a proxy server between the target user and the website the user is attempting to visit. This allows the attacker to intercept the victim’s network traffic and steal sensitive information like passwords or session cookies that further prove the target’s ongoing and authenticated session with the target website. 

New phishing campaigns can hack you despite MFA; 10000 orgs targeted
Overview of the AiTM phishing campaign Microsoft researchers discovered. | Source: Microsoft.

One example of a similar attack that Microsoft explained involved the threat actor inserting a proxy website between users and the work server they use. As soon as the user entered their login credentials into the proxy website, it relayed the data back to the actual server and showed the user the returned response. The campaign began with a simple email containing a link to the proxy server. 

During the process, however, the proxy website steals the user’s session cookie sent by the actual site. Session cookies ensure that users don’t have to enter their credentials every time they try to access protected information and verify a user’s ongoing session until they log out. 

Once the threat actor retrieved the session cookies, they accessed employee email accounts and searched for message threads that could be used to hack employees, forge identities and trick them into sending large sums of money to accounts they believed belonged to co-workers or business partners.

To avoid detection, the threat actors also created inbox rules that automatically moved specific emails to a hidden folder and marked them as read, hiding them under the actual mailbox owner’s nose. The threat actor would log in randomly over the next few days to check for new emails. 

The fake email that the employees received. | Source: Microsoft.

Since the attacker is stealing the session cookie and logging into the target website on the user’s behalf, this can’t be termed a flaw in multi-factor authentication. Microsoft also notes that these kinds of scams are elementary to fall for as the sheer volume of emails and workloads employees have to deal with makes it hard to tell when an email is legit. 

One of the biggest signs of a page being fake or malicious is the actual URL you see in the address bar. However, even that can be played around with, considering most organisational login pages have rather complex URLs that help malicious URLs blend in quickly. 

In the News: Twitter is suing Elon Musk for trying to bail out of the $44billion deal

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version