Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.
The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.
In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.
“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.
It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.
Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.
“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.
AiTM Phishing, Unpacked
In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.
AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.
“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”
In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.
“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”
This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.
Specific Attack Vector
In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.
If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.
At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.
If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft office.com page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free reign to perform follow-on activities, researchers said.
In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.
Follow-Up BEC and Payment Fraud
Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.
The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.
“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.
Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.
FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.