This Microsoft phishing campaign can hack you, even if you have MFA

What good is MFA if your session doesn’t expire?


Hackers are able to hijack Outlook email accounts even if they’re protected by multi-factor authentication, Microsoft has warned.

The company’s cybersecurity teams from the Threat Intelligence Center and the Microsoft 365 Defender Research Team have uncovered a new large-scale phishing campaign that targeted more than 10,000 businesses in the past year.

The compromised email accounts are later used for business email compromise (BEC) attacks, in which the victim’s business partners, clients, and customers end up being defrauded of their money.

Stealing session cookies

The victim would receive a phishing email with a link to log into their Outlook account. That link, however, would lead them to a proxy site, seemingly identical to the legitimate one. The victim would try to log in, and the proxy site would allow it, sending all of the data through.

However, once the victim completes the authentication process, the attacker would steal the session cookie. As the user doesn’t need to be reauthenticated at every new page visit, the stolen cookie gives the threat actor full access as well.

“From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com),” Microsoft’s blog post said. “In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.”

After getting hold of the email account, the attackers would proceed to target the contacts in the inbox, using the stolen identities to try and trick them into sending payments of various sizes.

To make sure the original victim stays oblivious to the fact that their email account is being abused, the attackers would set up inbox rules on the endpoint, marking their emails as read by default and immediately moving them to the archive. The attackers would check the inbox every couple of days, it was said.

“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox,” Microsoft says. “Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets' organization domains.”
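As an added example (not code from Microsoft's report or from this article), the following Python replays inbox-rule audit events per mailbox and flags rules that both mark mail as read and move it to the archive, counting how often the rule's sender domains were widened afterwards. The record layout, the `;` value separator and every mailbox, rule name and domain are constructed assumptions; only the `New-InboxRule` / `Set-InboxRule` cmdlet and parameter names are real Exchange names.

```python
# Constructed, simplified audit records (not real tenant data). The record
# layout is an assumption; cmdlet and parameter names follow Exchange.
def _ev(time, user, op, **params):
    return {"CreationTime": time, "UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_EVENTS = [
    _ev("2022-07-01T09:00:00", "victim@example.com", "New-InboxRule", Name="r1",
        MarkAsRead="True", MoveToFolder="Archive",
        FromAddressContainsWords="partner-a.example"),
    _ev("2022-07-01T09:05:00", "victim@example.com", "MailItemsAccessed"),
    _ev("2022-07-03T10:00:00", "victim@example.com", "Set-InboxRule", Identity="r1",
        FromAddressContainsWords="partner-a.example;partner-b.example"),
    _ev("2022-07-02T08:00:00", "bob@example.com", "New-InboxRule", Name="Newsletters",
        MoveToFolder="Newsletters", FromAddressContainsWords="news.example"),
    _ev("2022-07-02T08:30:00", "carol@example.com", "New-InboxRule", Name="Receipts",
        MarkAsRead="True", MoveToFolder="Receipts"),
]

HIDING_FOLDERS = {"archive"}  # the article's case; extend for your tenant

def find_hiding_rules(events):
    """Replay rule changes per mailbox and report rules that mark mail as read
    and move it to a hiding folder, with how often sender domains were widened."""
    rules = {}
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue  # ignore unrelated mailbox activity
        p = {x["Name"]: x["Value"] for x in ev["Parameters"]}
        key = (ev["UserId"], p.get("Identity") or p.get("Name"))
        st = rules.setdefault(key, {"read": False, "folder": "", "domains": set(), "updates": 0})
        if "MarkAsRead" in p:
            st["read"] = p["MarkAsRead"].lower() == "true"
        if "MoveToFolder" in p:
            st["folder"] = p["MoveToFolder"].strip().lower()
        if "FromAddressContainsWords" in p:
            new = {d.strip().lower() for d in p["FromAddressContainsWords"].split(";") if d.strip()}
            if ev["Operation"] == "Set-InboxRule" and new - st["domains"]:
                st["updates"] += 1  # rule widened to cover more sender domains
            st["domains"] = new
    return [{"mailbox": m, "rule": r, "domains": sorted(s["domains"]), "updates": s["updates"]}
            for (m, r), s in sorted(rules.items())
            if s["read"] and s["folder"] in HIDING_FOLDERS]

if __name__ == "__main__":
    for finding in find_hiding_rules(SAMPLE_EVENTS):
        print(finding)
```

A non-zero `updates` count on a flagged rule matches the behaviour Microsoft describes, where the same rule is edited each time a new fraud target is added.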

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
