Alarming Phishing Campaign Sneaks Past MFA Security To Carry Out Financial Fraud


Phishing attacks employ various methods to trick users into handing over sensitive information, such as login credentials. Over time, as users have become more suspicious and email clients, web browsers, and IT departments have implemented anti-phishing measures, scammers have had to get creative and devise more devious phishing techniques. Earlier this year, we wrote about a phishing technique that uses JavaScript to create an animated window within victims’ browsers so as to appear more legitimate.

Now Microsoft has published details regarding a sophisticated phishing campaign with the ability to bypass multi-factor authentication (MFA). Many phishing attacks send unsuspecting victims to a login page that mimics a legitimate and trustworthy website, but that actually has no connection to the legitimate site and instead simply steals user credentials. The attacker can later use these credentials to log in to the victims’ accounts. MFA methods like time-based one-time passwords (TOTP) can help prevent these sorts of phishing attacks from succeeding by requiring that users enter a time-sensitive code in order to complete the login process. In the case of TOTP, the required code is valid within only a thirty-second window, rendering phishing attacks that harvest user credentials for later use ineffective.

Outline of an adversary-in-the-middle phishing attack (source: Microsoft)

However, some phishing attacks, like the one recently documented by Microsoft, do much more behind the scenes than simply collect login credentials. Microsoft has detailed an adversary-in-the-middle (AiTM) phishing campaign, where fraudulent websites act as proxies between victims and legitimate websites. Users are prompted to enter their login credentials, but, rather than storing those credentials away, the fraudulent website instead forwards login credentials to the legitimate site being mimicked.

If the user credentials are valid and MFA is enabled, then the legitimate website returns an MFA prompt, which the malicious server proxies back to the user. Upon completing the required MFA step, the phishing site passes the authentication information on to the legitimate website, which issues a session cookie that would normally verify the user’s ongoing authenticated session. However, since the cookie was issued to the malicious server, the attacker gains an authenticated session, rather than the victim.

Outline of the larger phishing attack, of which the AiTM phishing site is only a part (source: Microsoft)

This complicated AiTM phishing attack is only one step in the larger phishing campaign documented by Microsoft. The full attack begins with a phishing email that redirects users to the AiTM phishing site. Once the malicious proxy server underlying the AiTM phishing page acquires a session cookie, the attacker exploits the authenticated user session to conduct payment fraud. Microsoft 365 Defender threat data indicates that it can take just five minutes after the session cookie is granted for the attacker to begin the payment fraud process.

The phishing campaign targets Outlook email accounts, enabling the attacker to access victims’ financial emails with the purpose of finding ongoing email threads. If such a thread is present, the attacker tries to convince the victim’s correspondents to send funds to accounts controlled by the attacker. Microsoft also found that the attacker deletes the original phishing email to remove a sign of compromise and sets up inbox rules that hide the attacker’s correspondence with financial fraud targets.
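The post-compromise behaviour described above gives defenders something concrete to hunt for: because the AiTM proxy completes the whole sign-in from its own address, the stolen session starts from an IP the user has never used, and the attacker then creates inbox rules that hide mail. The following is an added detection sketch, not code from Microsoft's report; the event format, the `KNOWN_IPS` baseline and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real tenant telemetry); timestamps are ISO 8601.
EVENTS = [
    {"ts": "2022-07-12T08:00:00", "type": "signin", "user": "alice", "ip": "192.0.2.10"},
    {"ts": "2022-07-12T09:00:00", "type": "signin", "user": "alice", "ip": "203.0.113.77"},
    {"ts": "2022-07-12T09:04:00", "type": "inbox_rule", "user": "alice", "ip": "203.0.113.77",
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
    {"ts": "2022-07-12T10:00:00", "type": "signin", "user": "bob", "ip": "192.0.2.5"},
    {"ts": "2022-07-12T10:02:00", "type": "inbox_rule", "user": "bob", "ip": "192.0.2.5",
     "actions": {"move_to": "Archive", "mark_read": True}},
]
# Constructed per-user baseline of addresses seen before the hunting window.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.5"}}

# Folders a user rarely opens; a rule moving mail there keeps it out of sight.
HIDING_FOLDERS = {"rss subscriptions", "archive", "junk email", "deleted items", "conversation history"}
WINDOW = timedelta(minutes=15)  # Microsoft saw fraud begin within minutes of the cookie grant


def is_hiding_rule(actions):
    """True if the rule deletes, marks as read, or files mail into a rarely read folder."""
    if actions.get("delete"):
        return True
    target = (actions.get("move_to") or "").lower()
    return bool(actions.get("mark_read")) or target in HIDING_FOLDERS


def find_suspicious_sessions(events, known_ips):
    """Alert when a hiding rule is created from a never-before-seen sign-in address
    within WINDOW of that sign-in. Either signal alone is noisy; together they match
    the AiTM pattern (proxy IP signs in, then hides the fraud correspondence)."""
    seen = {u: set(ips) for u, ips in known_ips.items()}
    new_signins = {}  # user -> (timestamp, ip) of the latest sign-in from an unseen address
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "signin":
            if e["ip"] not in seen.setdefault(user, set()):
                new_signins[user] = (ts, e["ip"])
                seen[user].add(e["ip"])
        elif e["type"] == "inbox_rule" and is_hiding_rule(e["actions"]):
            hit = new_signins.get(user)
            if hit and e["ip"] == hit[1] and ts - hit[0] <= WINDOW:
                alerts.append({"user": user, "ip": e["ip"],
                               "signin_ts": hit[0].isoformat(), "rule_ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(EVENTS, KNOWN_IPS):
        print(alert)
```

Bob's rule is a hiding rule too, but it comes from an address already in his baseline, so it is not flagged; only alice's rule, created four minutes after a sign-in from an unfamiliar address, produces an alert.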

This phishing campaign’s ability to bypass MFA measures is alarming, but Microsoft emphasizes that the campaign isn’t leveraging any kind of vulnerability in MFA itself. “[S]ince AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.” MFA still increases security; it simply doesn’t protect against this particular kind of attack.