Phishing: Office 365 accounts hacked despite MFA

Microsoft security researchers have uncovered a large-scale phishing campaign that compromises Office 365 accounts despite multi-factor authentication. According to the experts, over 10,000 companies have been attacked since September 2021.


In the campaign uncovered by Microsoft, the attackers place an HTTPS reverse proxy between the victim and the real Office 365 sign-in page, a technique Microsoft calls adversary-in-the-middle (AiTM) phishing. Because the proxy relays the whole login exchange in real time, it lets the attackers take over accounts even where multi-factor authentication (MFA) is enabled. More than 10,000 companies have been attacked since September 2021, as the US technology company announced on its blog in mid-July.

The campaign is apparently aimed at business email compromise (BEC), also known as CEO fraud: the e-mail accounts of senior employees or company management are misused to get other employees of the same company, or external business partners, to initiate fraudulent money transfers.


How the attack works

According to Microsoft, victims receive deceptive e-mails with a malicious HTML file attached, presented as a voice-message notification. Opening the attachment redirects the user to a page showing a fake download progress bar. The victim is led to believe an MP3 file is being downloaded, but what actually loads is a fake sign-in page imitating Office 365.

The victim's e-mail address is used to silently start the sign-in process against the victim's real Office 365 account: it is pre-filled on the phishing page, so users see nothing unusual. Because the phishing site acts as a proxy, it forwards the password the victim types to the legitimate Office 365 site, and the MFA prompt the legitimate site then requests is relayed back to the victim in real time, who completes it as usual.

The attackers' goal is to intercept the session cookie, the identifier a website sets in the browser once authentication has succeeded and by which it recognizes the user afterwards. Since the legitimate site's response passes through the attacker's proxy, the cookie is captured along with the password; replayed from the attacker's own browser, it grants access to the mailbox without any further MFA prompt.


Recommendations for action

As the Microsoft experts also emphasize, MFA remains a key pillar of identity security and is still very effective against a wide range of threats. According to Microsoft, that effectiveness is precisely why AiTM phishing emerged in the first place.

Organizations can make their MFA implementation phishing-resistant, the researchers say, by using solutions that support the FIDO2 standard (Fast IDentity Online) and authenticate with a hardware security key or the fingerprint sensor of a smartphone or PC. A FIDO2 credential is bound to the origin it was registered for: the browser includes the page origin in the signed data, so an assertion produced on a proxy domain is not valid for the real sign-in service and cannot simply be relayed.
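The proxy-and-cookie mechanism described under "How the attack works", and the reason the FIDO2 recommendation defeats it, as an added Python model. This is example code written for this page, not code from Microsoft's report or from the campaign; the origins, the account data and the HMAC key that stands in for a FIDO2 key pair are constructed for the example. The same proxy relays a password plus TOTP code and walks away with a valid session cookie, but the origin-bound assertion it relays is rejected.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed origins, invented for this example.
REAL_ORIGIN = "https://login.example.test"          # stands in for the real sign-in service
PHISH_ORIGIN = "https://login.example-phish.test"   # the attacker's proxy host

EMAIL, PASSWORD, COUNTER = "cfo@example.test", "correct horse", 1234   # constructed account


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; TOTP is the same computation over a time-based counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Authenticator:
    """Victim's phone or security key. A TOTP code depends only on the secret and the
    time, so it is valid wherever it is typed. A FIDO2 assertion signs over client data
    that the browser fills in, including the origin of the page asking for it."""

    def __init__(self, totp_secret: bytes, fido_key: bytes):
        self.totp_secret = totp_secret
        self.fido_key = fido_key   # toy stand-in: an HMAC key shared with the IdP replaces the key pair

    def totp_code(self, counter: int) -> str:
        return hotp(self.totp_secret, counter)

    def fido_assertion(self, page_origin: str, challenge: str) -> dict:
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.fido_key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"clientDataJSON": client_data, "signature": sig}


class IdentityProvider:
    """Model of the legitimate sign-in service (assumed, not Microsoft's implementation)."""

    def __init__(self, email, password, totp_secret, fido_key):
        self.users = {email: (password, totp_secret, fido_key)}
        self.sessions = set()
        self.challenges = {}

    def _check_password(self, email, password):
        user = self.users.get(email)
        return user if user and hmac.compare_digest(password, user[0]) else None

    def _issue_cookie(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_password_totp(self, email, password, code, counter):
        user = self._check_password(email, password)
        if not user or not hmac.compare_digest(code, hotp(user[1], counter)):
            return None
        return self._issue_cookie()          # Set-Cookie in the response

    def fido_challenge(self, email):
        self.challenges[email] = secrets.token_hex(16)
        return self.challenges[email]

    def login_password_fido(self, email, password, assertion):
        user = self._check_password(email, password)
        if not user:
            return None
        client = json.loads(assertion["clientDataJSON"])
        # Origin binding: an assertion produced on the phishing page carries that page's origin.
        if client.get("origin") != REAL_ORIGIN:
            return None
        if client.get("challenge") != self.challenges.pop(email, None):
            return None
        expected = hmac.new(user[2], assertion["clientDataJSON"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_cookie()

    def read_mailbox(self, cookie):
        return cookie in self.sessions


class AitmProxy:
    """Attacker's reverse proxy: forwards everything verbatim and keeps the cookie it sees."""

    def __init__(self, idp):
        self.idp, self.stolen_cookie = idp, None

    def relay_totp(self, email, password, code, counter):
        self.stolen_cookie = self.idp.login_password_totp(email, password, code, counter)
        return self.stolen_cookie

    def relay_fido(self, email, password, assertion):
        self.stolen_cookie = self.idp.login_password_fido(email, password, assertion)
        return self.stolen_cookie


def _setup():
    totp_secret, fido_key = secrets.token_bytes(20), secrets.token_bytes(32)
    return IdentityProvider(EMAIL, PASSWORD, totp_secret, fido_key), Authenticator(totp_secret, fido_key)


def scenario_totp():
    """Returns (victim saw a normal login, attacker can read the mailbox)."""
    idp, auth = _setup()
    proxy = AitmProxy(idp)
    cookie = proxy.relay_totp(EMAIL, PASSWORD, auth.totp_code(COUNTER), COUNTER)
    return cookie is not None, idp.read_mailbox(proxy.stolen_cookie or "")


def scenario_fido_via_proxy():
    idp, auth = _setup()
    proxy = AitmProxy(idp)
    challenge = idp.fido_challenge(EMAIL)                       # relayed unchanged by the proxy
    assertion = auth.fido_assertion(PHISH_ORIGIN, challenge)    # browser is on the phishing page
    cookie = proxy.relay_fido(EMAIL, PASSWORD, assertion)
    return cookie is not None, idp.read_mailbox(proxy.stolen_cookie or "")


def scenario_fido_direct():
    idp, auth = _setup()
    assertion = auth.fido_assertion(REAL_ORIGIN, idp.fido_challenge(EMAIL))
    return idp.login_password_fido(EMAIL, PASSWORD, assertion) is not None


if __name__ == "__main__":
    print("password+TOTP through proxy (victim ok, attacker ok):", scenario_totp())
    print("password+FIDO2 through proxy (victim ok, attacker ok):", scenario_fido_via_proxy())
    print("password+FIDO2 direct:", scenario_fido_direct())
```

The model only shows the relying-party side of the check. In a real browser the WebAuthn API refuses to use a credential whose relying-party ID does not match the page's domain, so the proxied sign-in fails even before an assertion exists; either way the attacker never receives a cookie to replay.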

Source: Microsoft Security Blog