Microsoft disclosed a large-scale phishing campaign against 10,000 organizations using Office 365
Microsoft disclosed on Tuesday a large-scale phishing campaign that has targeted over 10,000 organizations since 2021 by hijacking Office 365’s authentication process, compromising even accounts secured with multi-factor authentication (MFA).
Microsoft’s cyber security team reported that the attackers stole credentials and session cookies to gain access to victims’ mailboxes, then used that access to target further victims with follow-on business email compromise (BEC) campaigns. The researchers observed that a single set of adversary-in-the-middle (AitM) phishing sites could be used against many targets: the technique positions the adversary between two or more networked devices and supports follow-on behaviours such as Network Sniffing or Transmitted Data Manipulation.
The attackers typically deploy a proxy server between the potential victim and the targeted webpage from which they want to collect information. When a victim falls for the phishing email, they land on a lookalike of the targeted webpage that is designed to steal their credentials.
The company said, “The phishing page has two different Transport Layer Security (TLS) sessions — one with the target and another with the actual website the target wants to access.”
Microsoft has also explained the way attackers bypass multi-factor authentication. According to the company, the attackers inject cookies into the victim’s browser to circumvent the authentication process regardless of whether they have enabled MFA or not.
Microsoft said, “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website. In AitM phishing, an attacker attempts to obtain a target user’s session cookie so they can skip the whole authentication process and act on the latter’s behalf.”
The company further stated that the attackers used Outlook Web Access (OWA) in a Chrome browser to carry out these activities against Microsoft Office 365 users. Afterwards, they also deleted the original phishing email and their follow-on communications with further targets from both the Archive and Sent folders.
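As an added illustration (not part of Microsoft’s report or this article), the Python sketch below applies the detection idea that follows from the two paragraphs above: a session cookie that completed authentication on one client is later presented from a different client, which then cleans up the mailbox. The audit events and their field names are constructed for the example, not the real Office 365 schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified, audit-log-like shape (field names are
# illustrative, not the real Office 365 schema). Session s-001 is authenticated from one
# client, then the same cookie is presented from a second client that deletes mail.
EVENTS = [
    {"time": "2022-07-12T09:00:00", "user": "alice@example.com", "session": "s-001",
     "ip": "203.0.113.10", "ua": "Edge/103", "op": "UserLoggedIn"},
    {"time": "2022-07-12T09:03:00", "user": "alice@example.com", "session": "s-001",
     "ip": "198.51.100.77", "ua": "Chrome/103", "op": "MailItemsAccessed"},
    {"time": "2022-07-12T09:04:00", "user": "alice@example.com", "session": "s-001",
     "ip": "198.51.100.77", "ua": "Chrome/103", "op": "HardDelete"},
    {"time": "2022-07-12T10:00:00", "user": "bob@example.com", "session": "s-002",
     "ip": "203.0.113.20", "ua": "Edge/103", "op": "UserLoggedIn"},
    {"time": "2022-07-12T10:05:00", "user": "bob@example.com", "session": "s-002",
     "ip": "203.0.113.20", "ua": "Edge/103", "op": "MailItemsAccessed"},
]
# Mailbox operations matching the clean-up the report describes.
MAIL_TAMPERING_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}


def find_replayed_sessions(events):
    """Flag sessions whose cookie was presented by more than one (ip, user-agent) client.

    In an AitM attack the client that completed authentication may itself be the
    attacker's proxy, so the signal is a *change* of client within one session, not
    the login IP alone. Users do roam between networks, so each finding carries the
    timing and any mail-deletion operations to help an analyst triage it.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort correctly
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        login_client = (evs[0]["ip"], evs[0]["ua"])
        foreign = [e for e in evs if (e["ip"], e["ua"]) != login_client]
        if not foreign:
            continue
        t0 = datetime.fromisoformat(evs[0]["time"])
        t1 = datetime.fromisoformat(foreign[0]["time"])
        findings.append({
            "user": evs[0]["user"], "session": sid, "login_client": login_client,
            "foreign_ips": sorted({e["ip"] for e in foreign}),
            "mail_tampering": [e["op"] for e in foreign if e["op"] in MAIL_TAMPERING_OPS],
            "minutes_to_first_foreign_use": (t1 - t0).total_seconds() / 60,
        })
    return findings
```

On the constructed data only Alice’s session is flagged: the same cookie is used from a second IP and user agent three minutes after login, followed by a hard delete. Bob’s session stays on one client and is ignored.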
Erich Kron, a security awareness advocate, said recently in the wake of these attacks, “Attacks like this are becoming more common as organizations and individuals enable multi-factor authentication (MFA) on accounts in order to better secure them.”
Microsoft has, however, taken considerable precautions to prevent such attacks in the future.