10,000 Firms are the target of a phishing campaign that sidesteps multi-factor authentication.

Feb 25, 2023

Microsoft has released details of a massive phishing campaign that defeated Multi-Factor Authentication (MFA) defenses in addition to attempting to steal the credentials of targeted organizations. Attackers imitated Office 365 login pages on reverse-proxy AiTM (Attacker-in-the-Middle) sites that requested MFA codes, and then used those codes to log in to the legitimate site.

According to Microsoft’s thorough analysis of the campaign, once the attackers had gained access to email inboxes using session cookies and stolen passwords, they took advantage of that position to launch Business Email Compromise (BEC) attacks on more targets. By setting rules on the victims’ email accounts, attackers can ensure that they continue to have access to incoming email even if a victim changes their password.

The global pandemic and the resulting surge in employees working remotely have accelerated the adoption of multi-factor authentication.

Cybercriminals haven’t given up when faced with MFA-protected accounts, though. MFA-enabled accounts are undoubtedly more difficult to compromise than accounts with weak protection, but that doesn’t mean it’s impossible.

Reverse-proxy phishing kits like Modlishka, for example, imitate a login page in order to trick users into providing their login information and MFA codes. The data is then relayed to the legitimate website, giving the attacker access to it.

It is anticipated that the number of cybercriminals putting effort into MFA bypass will increase as more and more individuals become aware of the benefits of MFA. Microsoft advises businesses to combine MFA with other technologies and industry best practices.

These include establishing conditional access policies (for example, checking that logins are coming from trusted IP addresses and compliant devices), deploying anti-phishing defenses at email and web gateways, and monitoring for odd mailbox behavior (such as the creation of suspicious inbox rules and logins with unusual characteristics).
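The monitoring described above can be sketched as a small correlation over audit events. This is an added example, not code from Microsoft's report or this article: the event field names, the trusted network range, and the sample records are constructed assumptions, and only the `New-InboxRule` operation name mirrors the Exchange cmdlet of that name.

```python
import ipaddress

# Assumption: networks the organization treats as trusted (documentation range).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample events; field names are hypothetical, "t" is minutes.
EVENTS = [
    {"t": 0, "user": "alice@example.com", "op": "SignIn", "ip": "198.51.100.7", "session": "s1", "compliant": True},
    {"t": 5, "user": "bob@example.com", "op": "SignIn", "ip": "198.51.100.9", "session": "s2", "compliant": True},
    {"t": 9, "user": "bob@example.com", "op": "SignIn", "ip": "203.0.113.50", "session": "s2", "compliant": False},
    {"t": 12, "user": "bob@example.com", "op": "New-InboxRule", "ip": "203.0.113.50", "session": "s2"},
    {"t": 20, "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "session": "s1"},
]


def is_trusted(ip):
    """True when the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(events, window=60):
    """Return (t, user, reason) findings in time order."""
    findings = []
    session_ip = {}  # session id -> IP that first presented it
    risky_at = {}    # user -> time of the latest risky sign-in
    for ev in sorted(events, key=lambda e: e["t"]):
        user, ip = ev["user"], ev["ip"]
        first_ip = session_ip.setdefault(ev["session"], ip)
        if ev["op"] == "SignIn":
            reasons = []
            if not is_trusted(ip):
                reasons.append("untrusted IP")
            if not ev.get("compliant", False):
                reasons.append("non-compliant device")
            if ip != first_ip:  # same session cookie seen from a second address
                reasons.append("session reused from new IP")
            if reasons:
                risky_at[user] = ev["t"]
                findings.append((ev["t"], user, "risky sign-in: " + ", ".join(reasons)))
        elif ev["op"] == "New-InboxRule":
            last = risky_at.get(user)
            if last is not None and ev["t"] - last <= window:
                findings.append((ev["t"], user, "inbox rule created after risky sign-in"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

An inbox rule created from a trusted, compliant session (the last sample event) is not flagged; only rule creation within the window after a risky sign-in is.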

The report from Microsoft has further technical details regarding the attacks.

Although AiTM phishing tries to get around MFA, Microsoft emphasized that the use of MFA is still a crucial component of identity protection. MFA is still quite effective at preventing a range of attacks, which is why AiTM phishing appeared in the first place.