Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs:
Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting in September 2021, using the gained access to victims' mailboxes in follow-on business email compromise (BEC) attacks.
The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA)) by spoofing the Office online authentication page.
In some of the observed attacks, the potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers, ensuring that targets reached the landing pages only via the HTML redirectors.
After stealing the targets' credentials and their session cookies, the threat actors behind these attacks logged into the victims' email accounts. They subsequently used their access in business email compromise (BEC) campaigns targeting other organizations.
"A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user's sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA)," the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.
"The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets."
(Score: 2) by rob_on_earth on Thursday July 14 2022, @10:59AM (1 child)
It was a few years ago, but I got an email spoofed from a Microsoft address that had a link to a Microsoft URL. Intrigued, I opened it on a VM. It was a Microsoft login window, but something was wrong. The entire UI was constructed of Office 365 Excel cells and it submitted any details to the built-in Microsoft form recording endpoint.
Never seen or heard of that type of attack before or since.
Best bit of the story is that when I tried to report it Microsoft wouldn't accept one of their own URLs on the abuse form.
(Score: 3, Interesting) by Thexalon on Thursday July 14 2022, @04:34PM
It might not have been a Microsoft page, though: One of the common features of more sophisticated phishing attacks is to take advantage of Unicode code points that yield what looks like the real domain name even though it isn't. That's part of why current advice is to go to the site you want to interact with directly in your browser, rather than following any link in an email.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Touché) by digitalaudiorock on Thursday July 14 2022, @11:22AM
So what they're saying is that maybe we should be running the software on our own computers and opening up files locally. What a novel idea.
(Score: 3, Interesting) by datapharmer on Thursday July 14 2022, @04:57PM
This isn't surprising given Microsoft's ability to filter phishing messages on O365 is non-existent. And by that, I mean it isn't physically possible as an administrator to do it effectively. Case in point, I had a customer getting lots of legitimate-looking phishing spam (Microsoft login forms and such). These passed filters by using the HTML soft hyphen () to break up the text or used CSS encoding techniques to reverse rendering direction within the string. These are things normal emails wouldn't have, but Microsoft mail filtering rules won't let you save non-printing ASCII characters to the mail rules set, so you literally can't block or flag these based on the characters in them without using third-party mail filtering. When you report it to them they flag them on a case-by-case basis but don't solve the actual underlying problem.
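The two tricks raised in the comments above (Unicode look-alike hostnames in Thexalon's post, and soft hyphens or bidi controls splitting keywords in datapharmer's) can both be caught by normalising before matching. This is an added example, not from the article or the commenters; the sample message is constructed and the rule that Unicode category `Cf` covers soft hyphen, zero-width and bidi control characters is the only fact it relies on.

```python
import re
import unicodedata

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def find_format_chars(text):
    """Offsets and names of Unicode 'Cf' (format) code points. Soft hyphen,
    zero-width characters and the bidi override/embedding controls all live here."""
    return [(i, unicodedata.name(ch, "UNNAMED"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def strip_format_chars(text):
    """The text as the recipient sees it rendered; keyword rules should run on this."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def letter_scripts(label):
    """Set of script names (LATIN, CYRILLIC, ...) used by the letters of one hostname label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def suspicious_hosts(text):
    """Hostnames that mix scripts within a label or are non-ASCII, with their punycode form."""
    out = []
    for host in URL_HOST_RE.findall(text):
        mixed = any(len(letter_scripts(label)) > 1 for label in host.split("."))
        if mixed or not host.isascii():
            out.append((host, host.encode("idna").decode("ascii")))
    return out

def triage(text):
    """Flag a message for review if it hides a brand keyword or uses look-alike hosts."""
    hidden = find_format_chars(text)
    visible = strip_format_chars(text)
    # True when "microsoft" is visible once rendered but absent from the raw bytes,
    # i.e. format characters were inserted specifically to defeat a keyword rule.
    keyword_hidden = "microsoft" in visible.lower() and "microsoft" not in text.lower()
    return {"hidden_chars": hidden,
            "suspicious_hosts": suspicious_hosts(text),
            "keyword_hidden_by_format_chars": keyword_hidden}

# Constructed sample resembling the messages described (soft hyphen, zero-width space,
# Cyrillic 'о' in the hostname); not a real email.
SAMPLE = ("Your Micro\u00adsoft ac\u200bcount needs verification: "
          "https://micr\u043esoft.com/login")

if __name__ == "__main__":
    print(triage(SAMPLE))
```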
(Score: 2) by darkfeline on Friday July 15 2022, @08:36AM (1 child)
This attack only works for "fake" MFA (that is, "MFA" not satisfying the requirements of two or more different factors: e.g., "something you know+something you own"). FIDO/hardware keys are not affected, as per the promise of MFA (it's not possible to be compromised without physically robbing you of your key or compromising the service itself).
Your email is not "something you own". Your phone number is not "something you own". Both are knowledge factors ("something you know") with some sprinkles on top. Combined with your password (which is also a knowledge factor), you still only have a single factor. If you care, you should try to upgrade to a hardware key when possible.
Join the SDF Public Access UNIX System today!
(Score: 1, Interesting) by Anonymous Coward on Friday July 15 2022, @07:55PM
In most of the real world lots of people forget their passwords and lose/break their stuff at the same time. So they call support to help them get/break into their own account.
And support generally lets them do it. Because there are too many people like that.
So hackers could do the same thing - call support and break into the account.
The phone number stuff is popular because most people have phone numbers AND the big corporations (and their customers - CIA/FBI/NSA etc.) want to know "everyone's" "real" phone numbers.
(Score: 3, Insightful) by Dr Spin on Friday July 15 2022, @09:07AM
If they cared about security, they would not be using Microsoft products.
Warning: Opening your mouth may invalidate your brain!