[German]A small follow-up on security for online accounts using two-factor authentication (2FA). Microsoft's security teams have encountered a large-scale AiTM phishing campaign that attempted to attack more than 10,000 organizations since September 2021. The campaign involved stealing passwords, hijacking the user's login session and skipping the authentication process. This was true even if the user had multifactor authentication (MFA) enabled. The attackers then used the stolen credentials and session cookies to access the affected users' mailboxes and conduct further business email compromise (BEC) campaigns against other targets.
2FA is considered the "gold standard" in many circles, where little can go wrong. At least it gives the feeling of being "well secured". In 2020 I had introduced a book title Buch: Hacking Multifactor Authentication within my German blog on December 2020. The book quite clearly shows that even MFA can be hacked or leveraged somehow. Quote from my blog post at the time:
There are good news and a lot of bad news. The good news is that there is now a book that describes the various ways to bypass security features and hack systems. The bad news, after cross-reading the book, is that everything is hackable and multifactor authentication is often not worth the paper the term is printed on. The only thing security managers can do: Look at the potential avenues of attack and eliminate or mitigate the potential points of failure or vulnerability to the best of their ability.
This was immediately in the back of my mind when I saw the first reports on the above-mentioned problem the other day, because the article From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud by the Microsoft 365 Defender Research Team dates back to July 12, 2022.
The topic has been picked up in IT media in recent days, see e.g. The Hacker News, Bleeping Computer (referring to ZScaler's findings) and others. A blog reader had also pointed out the issue in the discussion section (thanks for that).
Big AiTM phishing campaign
In very brief, Microsoft came across the large-scale phishing campaign that used AiTM (Adversary-in-the-Middle) phishing sites via its (Defender) telemetry. With AiTM (Adversary-in-the-Middle), attackers insert a proxy server between a target user and the website the user wants to visit. ZScaler, cited by Bleeping Computer, found that typo domains are registered for this purpose, but they don't have to be.
Phishing Landing Page, Source: Microsoft
The phishers then send out phishing emails in a campaign that directs the user to the proxy site in question, where the credentials and session cookies of the real target site are ripped off. Using the session cookie stolen via AiTM phishing, the attacker can authenticate for a session on behalf of the user. This is regardless of which login method the user uses, so even 2FA doesn't help.
The primary target (according to ZScaler) is likely companies that use Microsoft email services, with industries such as FinTech, banking, insurance, energy, and manufacturing in regions such as the U.S., U.K., New Zealand, and Australia cited as targets. This campaign began in July 2022 and is arguably still active. In some cases, executives' business emails were compromised by this phishing attack and later used to send more phishing emails as part of the same campaign.
This attack is not new, but Microsoft's post analyzed the modus operandi along with the tricks used, as well as the attackers' follow-up activities. The attackers targeted cloud accounts in order to compromise them for their own purposes. Microsoft writes that Microsoft 365 Defender can detect suspicious activity related to AiTM phishing attacks and their follow-up activities and, if necessary, prevent the stealing of authentication data (cookies).
However, to further protect against similar attacks, Microsoft suggests that organizations should also consider supplementing MFA with conditional access policies, which evaluate login requests based on additional identity-related signals such as user or group membership, IP location information and device status, etc.
Cookies helps to fund this blog: Cookie settings