Another phishing attack that bypasses multi-factor authentication targets Microsoft email users

Martin Brinkmann
Aug 4, 2022
Security
|
9

Cybersecurity research analysts at Zscaler have uncovered a new large-scale phishing campaign targeting Microsoft email users. The main targets of the campaign are corporate users, specifically end users in Enterprise environments that use Microsoft email services.

aitm phishing campaign
image credit: Zscaler

The attackers use so-called Adversary-in-The-Middle (AiTM) techniques to bypass multi-factor authentication (MFA) protections. Microsoft published information about a similar attack in early July. The attack that Microsoft described targeted more than 10,000 organizations, and used AiTM techniques to bypass MFA protections.

Zscaler describes the new attack as highly sophisticated. It "uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication" and "multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions".

The majority of organizations targeted by the malicious campaign are based in the United States, United Kingdom, New Zealand, and Australia. The main sectors are FinTech, Lending, Finance, Insurance, Accounting, Energy, and Federal Credit Union industries.

ADVERTISEMENT

The attack begins with phishing emails being sent out to Microsoft email addresses. Everything depends on these phishing emails and users interacting with them. Malicious emails may contain a direct link to a phishing domain or HTML attachments that contain the link. In any event, it is necessary that the user activates the link to start the infection chain.

Similarly to the phishing campaign that Microsoft described earlier, phishing emails in the uncovered campaign use various topics to get the attention of users. One email suggested that it contained an invoice for review, another that a new document was received that needed to be viewed online.

The campaign uses several redirection techniques. For example, it used the legitimate CodeSandbox service in the campaign to "rapidly create new code pages, paste into them a redirect code with the latest phishing site’s URL, and proceed to mail the link to the hosted redirect code to victims en masse".

The phishing sites used fingerprinting techniques to determine whether the page visitor is a targeted victim of the campaign or someone else. Zscaler believes that this is done to make it more difficult for security researchers to access the phishing sites.

Proxy-based AiTM phishing attacks sit between the user's device and the target service. They control the flow of data and manipulate it. In the end, it is grabbing session cookies generated during the process to access the email service without having to sign-in again or complete the sign-in process using MFA.

Conclusion

Phishing campaigns do get more sophisticated all the time, but a common ground for most of them is that they do require user activity. Experienced users know how to analyze emails to find out if they come from a legitimate sender, but the majority of users don't have these skills.

Now You: do you analyze emails before you open links or attachments?

Summary
Another phishing attack that bypasses multi-factor authentication targets Microsoft email users
Article Name
Another phishing attack that bypasses multi-factor authentication targets Microsoft email users
Description
Cybersecurity research analysts at Zscaler have uncovered a new large-scale phishing campaign targeting Microsoft email users.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. ECJ said on August 4, 2022 at 2:58 pm
    Reply

    “…AiTM phishing attacks complete the authentication process with the actual mail provider’s server (in this case – Microsoft), unlike traditional credential phishing kits. They achieve this by acting as a MiTM proxy and relaying all the communication back-and-forth between the client (victim) and the server (mail provider).”

    The sooner multi-device FIDO credentials (passkeys) is rolled out and gains widespread adoption, the better. With FIDO, the phishing attempt in this attack would not be possible.

  2. jan said on August 4, 2022 at 5:32 pm
    Reply

    Now You: do you analyze emails before you open links or attachments?

    Yes, surely. I only look at mails from known senders and only when I expect to get a mail. I know when I typically receive my invoice from the elec/gas company of the telephone. Any mail at a different time is already suspicious. Mail telling me about my ebox I neglect and I go myself to the ebox directly and not via the link in the mail.

    I know I might look like a suspicious old man but it has served me well

    1. Martin Brinkmann said on August 4, 2022 at 7:55 pm
      Reply

      The approach makes a lot of sense. Unfortunately, it is still too easy to trick users into clicking on links and executing attachments in emails.

      1. jan said on August 4, 2022 at 8:18 pm
        Reply

        True, and things get more complicated; there is no easy receipy anymore.
        I live in Belgium and Telenet is my ISP.
        Recently I got a mail from sender [email protected]. You could assume it came from a Telent customer. Wrong, it was a scam. So “@telenet.be” has been plugged in somehow to make it look like as if.
        The very same happens for fake mails from the government.
        Sometimes being prudent is not enough, only paranoia seems to work!

  3. GGmaS said on August 4, 2022 at 9:30 pm
    Reply

    I never click on attachments in emails. I go to the site separately, then click on any messages there. If no messages I know the email is Phishing and report it. My problem with some of these emails is that they’ve done something to stop me from Blocking such as the current ones I’ve been getting from Facebook. I have Never had a FB acct so I know these are phishers, but they are persistent.

  4. Clairvaux said on August 4, 2022 at 9:48 pm
    Reply

    It seems to me home users have the advantage here. First of all, they are less targeted. This is an attack on businesses. More importantly, it’s relatively easy to acquire the necessary knowledge in order to detect at least most of the phishing attempts (admittedly, some of them are quite sophisticated).

    However, in a company, it’s a given that at least some users, some of the time, will fall prey to phishing. It’s not their computer system, they did not set it up, they have a job to do and someone else is responsible for network security.

    I wonder whether there has been any scientific research on this.

    1. jan said on August 7, 2022 at 11:05 am
      Reply

      I think that (larger) companies need to shield their internal network(s) from the outside world. Receiving info should be prevented, only sending out is possible.
      All incoming mail goes into a separate screening department for review and check on virus etc.
      Expensive? Yes

  5. TelV said on August 8, 2022 at 12:24 pm
    Reply

    I always check the headers before even opening such an email. Anything in the headers (Ctrl + U to open) that doesn’t add up means it gets deleted forthwith.

  6. Rex said on August 12, 2022 at 10:53 am
    Reply

    “In any event, it is necessary that the user activates the link to start the infection chain.”
    Yawn. Yet to see any sort of attack that doesn’t depend on any sort of user interaction. Let me know if there’s anything comparable to the silent drive-by malware installs that plagued IE6 on Windows XP in the early 2000s.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.