Microsoft discovered a new MFA bypass tactic hackers used to target over 10,000 organizations in a coordinated phishing campaign.
The company explained that the attackers deployed a malicious proxy server to steal login credentials and session cookies and hijack the victims’ mailboxes. The malicious proxy server was a conduit or adversary-in-the-middle (AitM) by hijacking and forwarding communication between the user and the target website.
Subsequently, the threat actors used the compromised accounts to execute business email compromise (BEC) attacks and commit payment frauds. BEC attacks trick the target user into transferring money to accounts controlled by the threat actors.
However, Microsoft researchers asserted that the bypass technique is not a vulnerability with MFA.
Fraudsters monitored email threads for potential targets
According to Microsoft, the attackers accessed business emails “every few hours” after compromising the account and monitored business email threads to find potential targets. The activities suggest that the attacker attempted to commit payment fraud manually.
Once they identified a target, they replied to the conversation while covering their tracks by deleting email messages with phishing domain URLs. They achieved this by creating inbox rules. Additionally, they regularly logged in to the compromised account using stolen session cookies to check whether the target had replied to their emails.
Protecting against MFA bypass phishing campaign
The researchers recommended “continuous monitoring of email activities such as sign-in attempts, change of inbox rules, email access events, and logged-in devices and their IP addresses.
To protect against the phishing emails that trick the victims into clicking on a link, organizations should train employees on how to identify and report phishing and should test them regularly with simulated phishing attacks that allow them to practice these skills. In addition, educating users on how to identify fake login pages will greatly reduce the risk of giving up the credentials and session cookie”.
