Phishing Attacks That Can Bypass MFA

A large-scale phishing campaign has emerged that uses an adversary-in-the-middle (AiTM) technique to steal credentials and circumvent multi-factor authentication (MFA). Microsoft have released a security blog post describing the campaign, which impersonates Microsoft Azure Active Directory (Azure AD) login pages. It has reportedly targeted over 10,000 organisations in the last 10 months, and phishing in general remains the most common form of cyber-attack, reported last month as making up 56% of all reported cyber-crime.

As with many other phishing attacks, initial access is obtained through a malicious email carrying an HTML file attachment. The attachment is presented as an MP3 voicemail message from Microsoft. Opening it shows what appears to be a download progress bar, but the bar is drawn by the HTML itself and nothing is actually downloaded. Instead, the victim is redirected to a phishing page that impersonates an Azure AD login. The only noticeable difference between the phishing page and the site it impersonates is the URL, and if the target's organisation has enabled company branding on its Azure AD login pages, the same branding elements are shown on the phishing site, further selling the scam.

The AiTM attack places a malicious proxy server between the victim and the genuine Azure AD login page. The proxy does not merely host a static copy of the page: it relays the victim's requests to the legitimate site and the legitimate site's responses back to the victim. This means there are two transport layer security (TLS) sessions, one between the victim and the proxy and one between the proxy and the real service, and the proxy sees everything passing between them in the clear. Because every stage of the login, including the MFA prompt, is passed through to the real site and answered by the real user, the proxy captures the credentials as they are typed and, once the login succeeds, the session cookie that the legitimate site sets. Session cookies exist so that a site can recognise a user across page visits after authentication is complete, without asking them to re-authenticate on every request. The attacker can then present the stolen cookie to the legitimate site and skip the entire authentication process, including MFA, to gain access to the victim's mailbox.

Once this initial access is established, the attacker begins a payment fraud scheme targeting the contacts of the compromised user. Business email compromise (BEC) is the term for this sort of attack, in which a legitimate contact is impersonated in order to request a transfer of funds in a way that is hard to identify as fraudulent. Social engineering techniques are used to persuade the targeted individuals that the requests they are receiving are genuine. Active email threads with financial content are singled out, with the aim of having funds transferred to attacker-controlled accounts, for example by means of fake invoices.

To hide the evidence of the attack, the malicious actor creates mailbox rules that archive replies to the fraudulent threads, so the mailbox owner never sees them. They also delete their sent messages and the original phishing email, including purging them from the 'Deleted Items' folder. Because the stolen session cookie remains valid, the attacker can inject it into their own browser and return to the mailbox as often as they like without authenticating again, checking every few hours to see whether a payment fraud target has replied. In most cases the fraudulent emails are believed to be sent manually by individual attackers, and usually to more than one target at a time. Each time a new organisation is targeted, the attacker simply edits the inbox rules so that replies from that domain are also archived, and so continues to avoid detection.
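The mailbox rules described above leave a trail in the tenant's audit log even when the messages themselves are gone. The following is an added example of hunting for that trail; it is not code from Microsoft or from the original article. The audit records it runs over are constructed and simplified for illustration rather than real Exchange Online exports: the parameter names are those of the New-InboxRule cmdlet (MoveToFolder, DeleteMessage, MarkAsRead, FromAddressContainsWords, SubjectContainsWords), but the surrounding record layout, the scoring weights and the alert threshold are all assumptions.

```python
"""
Hunting for the cover-up: inbox rules that hide replies from the mailbox owner.

Added example, not code from Microsoft or from the original article. The audit
records below are constructed and simplified for illustration, not real
Exchange Online exports; the parameter names follow the New-InboxRule cmdlet,
but the record layout, weights and threshold are assumptions.
"""
from dataclasses import dataclass, field

# Folders attackers pick because users rarely look there (lower-cased leaf names).
SUSPICIOUS_FOLDERS = {"archive", "rss feeds", "rss subscriptions",
                      "conversation history", "junk email", "deleted items"}
# Conditions that scope a rule to one correspondent or one thread.
TARGETING_CONDITIONS = {"FromAddressContainsWords", "SubjectContainsWords",
                        "BodyContainsWords", "SubjectOrBodyContainsWords"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
ALERT_THRESHOLD = 4  # assumed tuning point, raise or lower to taste


@dataclass
class Finding:
    user: str
    rule_name: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def params_to_dict(record):
    """Flatten the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def score_rule(record):
    """Score one rule creation/modification record; None if not worth raising."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = params_to_dict(record)
    name = p.get("Name") or p.get("Identity") or "<unnamed>"
    f = Finding(user=record["UserId"], rule_name=name)

    if p.get("DeleteMessage", "").lower() == "true":
        f.add(3, "deletes matching messages")
    folder = p.get("MoveToFolder", "")
    if folder and folder.split("\\")[-1].lower() in SUSPICIOUS_FOLDERS:
        f.add(3, f"moves matching messages to '{folder}'")
    if p.get("MarkAsRead", "").lower() == "true":
        f.add(1, "marks matching messages as read")
    hits = sorted(TARGETING_CONDITIONS & set(p))
    if hits:
        f.add(2, "scoped to specific senders or threads via " + ", ".join(hits))
    # Throwaway names ('.', '..', a single character) are common in these
    # campaigns: the attacker never intends the owner to notice the rule.
    if len(f.rule_name.strip(". ")) <= 1:
        f.add(1, f"throwaway rule name {f.rule_name!r}")
    return f if f.score >= ALERT_THRESHOLD else None


def hunt(records):
    """Return findings for every suspicious rule in a batch of audit records."""
    return [f for f in map(score_rule, records) if f is not None]


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {   # attacker archives replies from the first fraud target, unread
        "Operation": "New-InboxRule", "UserId": "alice@victim.example",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "FromAddressContainsWords", "Value": "supplier.example"},
            {"Name": "MoveToFolder", "Value": "Archive"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # ordinary user rule: filing newsletters into a visible subfolder
        "Operation": "New-InboxRule", "UserId": "bob@victim.example",
        "ClientIP": "203.0.113.22",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "SubjectContainsWords", "Value": "newsletter"},
            {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"},
        ],
    },
    {   # same attacker extends the rule to a second target, now deleting outright
        "Operation": "Set-InboxRule", "UserId": "alice@victim.example",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Identity", "Value": "."},
            {"Name": "FromAddressContainsWords", "Value": "acme-partner.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {"Operation": "MailItemsAccessed", "UserId": "alice@victim.example"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(f"{finding.user}: rule {finding.rule_name!r} score {finding.score}")
        for reason in finding.reasons:
            print("   -", reason)
```

Both of alice's rules are flagged, bob's newsletter filing is not. In practice the ClientIP on the rule-creation record is worth correlating with the sign-in that produced the session: a rule created from an address that never appeared in the user's MFA-satisfied sign-ins is a strong indicator that the session cookie, not the user, is at the keyboard.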

This AiTM attack is dangerous even to organisations with mature security practices because it circumvents MFA. What was previously treated as an essential layer of defence in authentication security can be bypassed by an attacker who captures the session that a successful MFA login produced. Establishing multiple layers of security, as in the defence in depth model of information security planning, helps to protect your business even when one control (here, MFA) is defeated. Regular staff training, including effective education about how to spot phishing attacks, reduces the likelihood of these attacks succeeding in your organisation. Identification of the initial phishing message with the HTML attachment being malicious, or noticing the incorrect URL on the redirected login page

However, this AiTM technique is a very specific form of attack, and MFA continues to be effective against many other threats, such as brute force attacks. It is also possible to make MFA more 'phish-resistant'. Microsoft's recommendation is to add conditional access policies on top of the MFA requirement, so that the authentication decision also takes into account signals such as whether the request comes from a compliant, registered device or from a trusted network location. This can defeat the attack described here because the captured cookie is replayed from the attacker's device and IP address, which do not meet the conditional access requirements, so it no longer serves as proof of authentication. It is worth being clear about why: the stolen cookie is equivalent to a completed login, password and MFA included, so a control only helps if it either ties the session to the client that completed it or prevents the login from being completed through a proxy in the first place. Authenticators that bind to the genuine site's origin, such as FIDO2 security keys, fall into the second category, since the credential cannot be exercised on the proxy's domain.
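To make the difference between the two paragraphs above concrete, here is an added example (not Microsoft's code, and not how Azure AD actually implements conditional access) of a toy session store. Without a policy, possession of the cookie is the only proof of authentication, so the attacker's replay succeeds exactly as described. With a policy, the store re-evaluates the client's device and network on every request that presents the cookie, and the replay from an unregistered device off the trusted network is refused. The device identifiers, IP ranges and user names are constructed for the demonstration, and the simulation is simplified in one respect: it treats the sign-in as arriving from the victim's own device and network, whereas in the real attack the service would see the proxy's IP, which a trusted-location policy would already reject at sign-in.

```python
"""
Why the stolen cookie works, and how binding the session to the client stops it.

Added example, not Microsoft's code and not how Azure AD implements conditional
access. Device ids, IP ranges and users are constructed for the demo.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientContext:
    ip: str
    device_id: str  # stand-in for a registered/compliant device identity (assumed)


@dataclass(frozen=True)
class ConditionalAccessPolicy:
    trusted_networks: tuple        # named locations as CIDR strings
    registered_devices: frozenset  # device identities allowed to hold a session

    def satisfied_by(self, ctx: ClientContext) -> bool:
        addr = ipaddress.ip_address(ctx.ip)
        on_trusted_network = any(
            addr in ipaddress.ip_network(net, strict=False)
            for net in self.trusted_networks
        )
        return on_trusted_network and ctx.device_id in self.registered_devices


class SessionStore:
    """Issues opaque cookies after password + MFA; validates them on later requests."""

    def __init__(self, policy: Optional[ConditionalAccessPolicy] = None):
        self.policy = policy
        self._sessions = {}  # cookie -> user

    def issue(self, user: str, ctx: ClientContext) -> Optional[str]:
        # With a policy in force, a sign-in that fails it gets no session at all.
        if self.policy is not None and not self.policy.satisfied_by(ctx):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def validate(self, cookie: Optional[str], ctx: ClientContext) -> Optional[str]:
        """Return the user the cookie belongs to if this request may use it."""
        user = self._sessions.get(cookie)
        if user is None:
            return None
        if self.policy is None:
            return user  # bare cookie: possession alone is proof, so replay works
        # Re-evaluate on every request, not just at sign-in, so a cookie carried
        # to an unregistered device on a foreign network is refused.
        return user if self.policy.satisfied_by(ctx) else None


def simulate_aitm(policy: Optional[ConditionalAccessPolicy]) -> dict:
    """Victim completes login (through the proxy); attacker replays the cookie."""
    victim = ClientContext(ip="203.0.113.10", device_id="corp-laptop-0042")
    attacker = ClientContext(ip="198.51.100.7", device_id="unmanaged-vm")
    store = SessionStore(policy)
    # The proxy relays the victim's password and MFA response to the real
    # service and reads the Set-Cookie header out of the response.
    cookie = store.issue("alice@victim.example", victim)
    stolen_cookie = cookie
    return {
        "victim_can_use_session":
            store.validate(cookie, victim) == "alice@victim.example",
        "attacker_can_use_session":
            store.validate(stolen_cookie, attacker) == "alice@victim.example",
    }


CORP_POLICY = ConditionalAccessPolicy(
    trusted_networks=("203.0.113.0/24",),
    registered_devices=frozenset({"corp-laptop-0042"}),
)

if __name__ == "__main__":
    print("MFA only:              ", simulate_aitm(None))
    print("MFA + conditional access:", simulate_aitm(CORP_POLICY))
```

The first run reports that both the victim and the attacker can use the session; the second reports that only the victim can. The design point is that the check happens in `validate`, on every request, not only in `issue`: a policy evaluated once at sign-in and never again would issue the cookie to the victim and then happily accept it from anywhere.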
