Yesterday, Microsoft disclosed a large-scale phishing campaign that targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication (MFA).
"The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," said Microsoft.
The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the adversary deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information.
To gain initial access, the threat actors sent emails containing voice message-themed lures that were marked with high importance. The email messages informed victims that they had a new voice message, enticing them to open a malicious HTML file attachment. Opening the HTML file would redirect the victim to a redirector site with the following message “You will be redirected back to your mail box with audio sent in 1 hour… Sign-In to continue.” The redirection site eventually led the victim to an Evilginx2 phishing site that proxied Microsoft’s login page, prompting the victim to enter their credentials. “Once the target entered their credentials and got authenticated, they were redirected to the legitimate office.com page,” said Microsoft.
“The phishing page has two different Transport Layer Security (TLS) sessions — one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AitM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies.”
The stolen credentials would then be used by the threat actors to authenticate to Outlook online. Since the credentials included session cookies, even if the victim had MFA enabled, the attackers could still gain access to the compromised account.
“Based on our analysis of Microsoft 365 Defender threat data and our investigation of related threat alerts from our customers, we discovered that it took as little time as five minutes after credential and session theft for an attacker to launch their follow-on payment fraud.”
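As an added illustration (not code from Microsoft's report), the following Python shows the detection logic a defender can run over sign-in logs for the pattern described above: a session cookie minted by an interactive MFA sign-in is reused from a different IP address within minutes. The CSV log format, field names, users and addresses are all constructed for the example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample sign-in log (hypothetical format, not a real tenant's data).
# auth_type "interactive_mfa" = user typed credentials and satisfied MFA;
# auth_type "session_cookie"  = access granted from an existing session cookie.
SAMPLE_LOG = """\
timestamp,user,session_id,ip,auth_type
2022-07-12T09:00:00,alice@example.com,S1,203.0.113.10,interactive_mfa
2022-07-12T09:04:30,alice@example.com,S1,198.51.100.7,session_cookie
2022-07-12T09:10:00,bob@example.com,S2,203.0.113.20,interactive_mfa
2022-07-12T09:12:00,bob@example.com,S2,203.0.113.20,session_cookie
2022-07-12T09:20:00,carol@example.com,S3,192.0.2.5,interactive_mfa
2022-07-12T11:30:00,carol@example.com,S3,192.0.2.9,session_cookie
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_session_replay(rows, window=timedelta(minutes=15)):
    """Flag cookie-based sign-ins that reuse a session from a different IP
    than the MFA sign-in that created it, within `window` of that sign-in.
    The short window matches the 'as little as five minutes' lead time the
    report describes; a later IP change may simply be a user on the move."""
    origin = {}   # (user, session_id) -> the interactive MFA sign-in row
    alerts = []
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        key = (r["user"], r["session_id"])
        if r["auth_type"] == "interactive_mfa":
            origin[key] = r
            continue
        first = origin.get(key)
        if first is None or first["ip"] == r["ip"]:
            continue
        elapsed = r["timestamp"] - first["timestamp"]
        if elapsed <= window:
            alerts.append({"user": r["user"], "session_id": r["session_id"],
                           "mfa_ip": first["ip"], "replay_ip": r["ip"],
                           "minutes": round(elapsed.total_seconds() / 60, 1)})
    return alerts
```

Only alice's session is flagged: bob's cookie came back from the same address and carol's IP change happened hours later, outside the window.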
Tips for Mitigation:
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the appropriate security or IT staff immediately