Microsoft warns of large-scale AiTM phishing attacks on more than 10,000 organizations


Microsoft announced Tuesday that a large-scale phishing campaign has targeted more than 10,000 organizations since September 2021 by hijacking the Office 365 authentication process, even on accounts protected with multi-factor authentication (MFA).

“The attackers then used the stolen credentials and session cookies to access the affected users’ mailboxes and conduct follow-up business email compromise (BEC) campaigns against other targets,” the company’s cybersecurity teams said.

The intrusions rely on adversary-in-the-middle (AiTM) phishing sites: the attacker places a proxy server between the potential victim and the website being impersonated, and recipients of a phishing email are sent to lookalike landing pages that relay the login flow in real time and capture the credentials and MFA responses as they pass through.

“The phishing page has two different Transport Layer Security (TLS) sessions: one with the target and another with the actual website that the target wants to access,” the company explains.

“These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the entire authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies.”

Armed with this information, the attackers injected the cookies into their own browsers to bypass the authentication process, even in scenarios where the victim had MFA security enabled.

The phishing campaign spotted by Microsoft was orchestrated to single out Office 365 users by spoofing the Office online authentication page, with the actors using the Evilginx2 phishing kit to carry out the AiTM attacks.

This included sending decoy emails announcing a voice message and marked as high importance, tricking recipients into opening malware-laden HTML attachments that redirected them to the credential-stealing landing pages.

To complete the ruse, users were eventually redirected to the legitimate office[.]com website after authenticating, but not before the attackers had used the AiTM proxy to siphon the session cookies and take control of the compromised account.

The attacks didn’t end there: the threat actors misused their mailbox access to commit payment fraud, using a technique called email thread hijacking to insert themselves into existing conversations and trick the other party into wiring money to accounts under their control.

To further mask their communication with the fraud target, the threat actors also created mailbox rules that automatically moved any incoming email with the relevant domain name to the “Archive” folder and marked it as “read”.

“It only took five minutes after credential and session theft for an attacker to begin their follow-up payment fraud,” Microsoft noted.

The attackers are said to have used Outlook Web Access (OWA) in a Chrome browser to perform the fraudulent activity. To cover their tracks, they deleted the original phishing email from the account’s Inbox folder and removed the subsequent correspondence with the fraud target from both the Archive and Sent Items folders.
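The follow-on activity described above leaves two correlatable traces in tenant telemetry: a session identifier minted by the victim’s interactive MFA sign-in that is presented minutes later by a different browser (the stolen cookie loaded into the attacker’s Chrome), and an inbox rule that files mail from the fraud target into Archive and marks it read. The script below is an added illustration, not code from Microsoft’s report, and runs over constructed sample records; the field names (user, time, ip, ua, session_id, move_to, mark_read, and so on) are simplified stand-ins for an identity provider’s sign-in log and a mailbox audit log, not any vendor’s actual schema.

```python
"""Two hunts for AiTM follow-on activity, run over constructed sample records.

1. Session cookie replay: a session created by an interactive (MFA) sign-in
   is later presented by a different browser family, because the cookie was
   lifted from the proxy and loaded into the attacker's own browser.
2. Hiding rules: an inbox rule that files mail from a specific sender domain
   into Archive (or deletes it) and marks it read, created soon after the replay.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names are simplified
# stand-ins for an IdP sign-in log and a mailbox audit log, not a vendor schema.
SIGN_INS = [
    # Victim signs in through the proxy; the IdP sees the proxy's IP and the
    # victim's browser headers, which the proxy forwards unchanged.
    {"user": "a.smith@example.com", "time": "2021-11-03T09:12:05", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/95.0", "session_id": "sess-7f3a", "mfa": True},
    # Five minutes later the stolen cookie is replayed from the attacker's Chrome.
    {"user": "a.smith@example.com", "time": "2021-11-03T09:17:40", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0", "session_id": "sess-7f3a", "mfa": False},
    # Benign: the same browser resuming its own session later in the day.
    {"user": "b.jones@example.com", "time": "2021-11-03T10:00:00", "ip": "192.0.2.5",
     "ua": "Mozilla/5.0 (Macintosh) Safari/15.0", "session_id": "sess-91c2", "mfa": True},
    {"user": "b.jones@example.com", "time": "2021-11-03T11:30:00", "ip": "192.0.2.5",
     "ua": "Mozilla/5.0 (Macintosh) Safari/15.0", "session_id": "sess-91c2", "mfa": False},
]

INBOX_RULES = [
    # Constructed: terse rule name, sender filter, moved to Archive, marked read.
    {"user": "a.smith@example.com", "time": "2021-11-03T09:20:11", "name": ".",
     "from_contains": "partner.example", "move_to": "Archive", "mark_read": True, "delete": False},
    # Constructed benign rule for comparison.
    {"user": "b.jones@example.com", "time": "2021-11-03T10:05:00", "name": "Newsletters",
     "from_contains": "news.example", "move_to": "Newsletters", "mark_read": False, "delete": False},
]

# Folders users rarely look at; a rule diverting mail here hides it in practice.
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss subscriptions", "conversation history"}


def _ts(s):
    return datetime.fromisoformat(s)


def _browser_family(ua):
    """Last product token of the UA string without its version ('Edge/95.0' -> 'Edge').
    Comparing families rather than whole strings tolerates routine browser updates."""
    return ua.split()[-1].split("/")[0]


def find_session_replay(sign_ins):
    """Sessions whose later sign-ins come from a different browser family than the
    interactive sign-in that created them. A cookie belongs to one browser profile,
    so a family change on the same session id is a strong replay indicator; the IP
    is reported but not required to change (the attacker may browse from the proxy host)."""
    by_session = defaultdict(list)
    for e in sign_ins:
        by_session[e["session_id"]].append(e)
    hits = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: _ts(e["time"]))
        origin = events[0]
        for later in events[1:]:
            if _browser_family(later["ua"]) != _browser_family(origin["ua"]):
                minutes = int((_ts(later["time"]) - _ts(origin["time"])).total_seconds() // 60)
                hits.append({"user": later["user"], "session_id": sid,
                             "origin_ip": origin["ip"], "replay_ip": later["ip"],
                             "replay_time": later["time"], "minutes_after_sign_in": minutes})
    return hits


def find_hiding_rules(rules):
    """Rules that divert mail from a specific sender out of sight and mark it read."""
    return [r for r in rules
            if r["from_contains"] and r["mark_read"]
            and (r["delete"] or r["move_to"].lower() in HIDING_FOLDERS)]


def correlate(sign_ins, rules, window=timedelta(minutes=60)):
    """Join the two signals: a hiding rule created within `window` after a replay
    on the same account is the BEC-preparation pattern described in the article."""
    replays = find_session_replay(sign_ins)
    findings = []
    for rule in find_hiding_rules(rules):
        for rep in replays:
            gap = _ts(rule["time"]) - _ts(rep["replay_time"])
            if rep["user"] == rule["user"] and timedelta(0) <= gap <= window:
                findings.append({"user": rule["user"], "session_id": rep["session_id"],
                                 "replay_ip": rep["replay_ip"], "rule": rule["name"],
                                 "hidden_sender": rule["from_contains"],
                                 "minutes_from_theft_to_rule": int(gap.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in correlate(SIGN_INS, INBOX_RULES):
        print(finding)
```

On the constructed data the replay check flags only a.smith’s session (Edge at sign-in, Chrome five minutes later from a new IP), the rule check flags only the Archive-and-mark-read rule, and the join ties them together two minutes apart. Either signal alone produces noise in a real tenant (shared proxies, legitimate filing rules), which is why the correlation, and the short gap between theft and rule creation, is the part worth alerting on.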

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations have put in place to defend themselves against potential attacks,” the researchers said.

“While AiTM phishing attempts to evade MFA, it is important to underline that MFA implementation remains a vital pillar in identity security. MFA is still highly effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing originated in the first place.”

The findings come as a group of researchers from Stony Brook University and Palo Alto Networks demonstrated a new fingerprinting technique late last year that makes it possible to identify AiTM phishing kits in the wild using a tool called PHOCA.

“Attacks like this are becoming more common as organizations and individuals are enabling multi-factor authentication (MFA) on accounts to make them more secure,” Erich Kron, security awareness advocate at KnowBe4, said in a statement.

“To protect against the phishing emails that trick victims into clicking a link, organizations should train employees in identifying and reporting phishing, and regularly test them with simulated phishing attacks to practice these skills. Teaching users how to identify fake login pages will greatly reduce the risk of giving up login credentials and session cookies.”