"Hackers Target 10,000 Organizations With a New MFA Bypass in Coordinated Phishing Campaign on Office 365 Users"

Microsoft discovered a new Multi-Factor Authentication (MFA) bypass tactic used in a coordinated phishing campaign that targeted over 10,000 organizations. According to the company, the attackers used a malicious proxy server to steal login credentials and session cookies and to hijack the victims' mailboxes. By intercepting and forwarding communication between the user and the target website, the malicious proxy server acted as an adversary-in-the-middle (AiTM). The threat actors then used the compromised accounts to launch Business Email Compromise (BEC) attacks and commit payment fraud; BEC attacks trick the target user into transferring money to accounts controlled by the threat actors. Microsoft researchers stress, however, that the bypass technique is not a vulnerability in MFA. Because AiTM phishing steals the session cookie, the attacker is authenticated to a session on the user's behalf regardless of how the user signed in. In contrast to traditional phishing attacks, the attacker does not need to build their own copy of the target website, according to Microsoft. Instead, the malicious proxy server acts as the AiTM agent, extracting information, forwarding requests, and displaying the real MFA screen to the intended victim. The proxy maintains two separate Transport Layer Security (TLS) sessions, one with the target and one with the actual website. Microsoft warned that open-source tools such as Evilginx2, Modlishka, and Muraena can automate the process.

The attackers started by sending phishing emails to many people across various organizations. The emails carried an HTML file attachment and a message informing the recipient that a voice message had been left for them. When opened, the attachment rendered in the user's browser with a progress bar suggesting that the mp3 message was being downloaded; in reality, the progress bar was hardcoded in the HTML file. The page then redirected the user to another site informing the victim that the audio would be delivered within one hour. That site confirmed, by checking a base64-encoded URL parameter, that the user had arrived from the HTML attachment. To gain the user's trust, the phishing site displayed a Microsoft login screen and auto-filled the sign-in form with the user's email address. The phishing site proxied the organization's Azure Active Directory (Azure AD) sign-in page, so the organization's own branding appeared. Finally, after collecting the user's login credentials and session cookies and authenticating on their behalf, the phishing page redirected the user to a legitimate office.com page. Although AiTM is not a new approach, capturing the session cookie after authentication shows how attackers have evolved and taken deliberate steps to circumvent MFA. This article continues to discuss the new MFA bypass tactic used against 10,000 organizations in a coordinated phishing campaign.
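As an added example (not from the article or from Microsoft's report), the following Python triage check runs over constructed sign-in records and looks for the two traces the technique described above leaves in authentication telemetry: MFA completed from an address the user has never signed in from (the proxy, not the user, finishes the sign-in), and the same session then being used from yet another address shortly afterwards (the stolen cookie being replayed). The record layout, the event names and the per-user IP baseline are assumptions for illustration; real Azure AD logs have their own schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): ISO time, user, session id, client IP, event.
SAMPLE_LOG = [
    ("2022-07-12T09:00:05Z", "alice@example.com", "sess-1", "198.51.100.77", "SignIn"),
    ("2022-07-12T09:00:06Z", "alice@example.com", "sess-1", "198.51.100.77", "MfaSatisfied"),
    ("2022-07-12T09:01:30Z", "alice@example.com", "sess-1", "192.0.2.45", "MailboxAccess"),
    ("2022-07-12T10:15:00Z", "bob@example.com", "sess-2", "203.0.113.22", "SignIn"),
    ("2022-07-12T10:15:01Z", "bob@example.com", "sess-2", "203.0.113.22", "MfaSatisfied"),
    ("2022-07-12T10:40:00Z", "bob@example.com", "sess-2", "203.0.113.22", "MailboxAccess"),
]

# Constructed baseline: addresses each user is known to sign in from.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_indicators(records, known_ips, window=timedelta(hours=1)):
    """Return triage alerts for sessions that look like AiTM cookie theft.

    Two signals, each weak on its own and meant for investigation, not proof:
      1. MFA was satisfied from an IP outside the user's baseline
         (in AiTM the proxy completes the sign-in on the user's behalf).
      2. The same session is used from a different IP within `window`
         (the captured session cookie replayed from elsewhere).
    """
    by_session = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):  # ISO timestamps sort lexically
        by_session[rec[2]].append(rec)
    alerts = []
    for sid, events in by_session.items():
        user = events[0][1]
        mfa = next((e for e in events if e[4] == "MfaSatisfied"), None)
        if mfa is None:
            continue  # no completed MFA in this session; nothing to compare against
        mfa_time, mfa_ip = _ts(mfa[0]), mfa[3]
        reasons = []
        if mfa_ip not in known_ips.get(user, set()):
            reasons.append(f"MFA completed from unfamiliar IP {mfa_ip}")
        other_ips = {e[3] for e in events
                     if e[3] != mfa_ip and mfa_time <= _ts(e[0]) <= mfa_time + window}
        if other_ips:
            reasons.append(f"session reused from {sorted(other_ips)} within {window}")
        if reasons:
            alerts.append({"user": user, "session": sid, "reasons": reasons})
    return alerts
```

Legitimate network changes (a laptop moving from office to mobile hotspot) also trip the second signal, so these alerts are a starting point for review rather than an automatic block; phishing-resistant sign-in methods and short session lifetimes reduce what a stolen cookie is worth in the first place.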

CPO Magazine reports "Hackers Target 10,000 Organizations With a New MFA Bypass in Coordinated Phishing Campaign on Office 365 Users"
