Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.
The attackers used AiTM (Attacker-in-The-Middle) reverse-proxy sites to pose as Office 365 login pages which requested MFA codes, and then use them to log into the genuine site.
According to Microsoft’s detailed report on the campaign, once hackers had broken into email inboxes via the use of stolen passwords and session cookies, they would exploit their access to launch Business Email Compromise (BEC) attacks on other targets.
By creating rules on victims’ email accounts, the attackers are able to then ensure that they are able to maintain access to incoming email even if a victim later changes their password.
The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.
Cybercriminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.
Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website – granting the cybercriminal access to the site.
As more and more people recognise the benefits of MFA, we can expect a rise in the number of cybercriminals investing effort into bypassing MFA.
Microsoft’s advice is that organisations should complement MFA with additional technology and best practices.
These include enabling conditional access policies (for instance, testing that logins are coming from trusted IP addresses and compliant devices), the deployment of anti-phishing defences at the email and web gateways, detection of unusual mailbox activity (such as the creation of suspicious inbox rules, and logins with unusual characteristics.)
More technical information about the attacks can be found in Microsoft’s report.
“While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security,” said Microsoft. “MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.