According to a recent post from Microsoft, a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.
“Data security vendors try to make protecting enterprise data fool-proof. However, no matter how intelligent and automated we make our solutions, threat actors always seem to find a way through them. Microsoft detailing how phishing attacks bypassed 2FA is yet another example of how ingenious threat actors can be. This incident highlights the importance of having a robust security strategy. Organizations need to “Assume Breach” and prepare for the worst. “Assume Breach” is a cybersecurity approach that deals primarily with mindset. To Assume Breach is to treat all accounts as unsecured and already compromised. Also, implementing a zero-trust philosophy is a great way to mitigate risk. With this “Never Trust, Always Verify” policy, an organization can improve its cybersecurity strategy through perimeter-less security and network micro-segmentation.
And finally, organizations should invest in data-centric security. Data-centric security means applying technologies such as encryption and tokenization to all sensitive data, wherever it is across the distributed IT environment. By doing so, organizations effectively render it useless to any threat actor. That means, in the likely event they manage to bypass some security controls and access data stores—whether as part of a data heist or a ransomware attack—the impact will be minimal.”
“The increase in cases of phishing attacks highlights just how sophisticated these threats are becoming in order to circumvent both people and processes. Training of staff will help avoid falling victim to these attacks, but that needs to be backed up by systems and processes that prevent or limit damage when the attacks break through (as they will, given the volume of attacks issued and human fallibility). All organisations should remove local admin permissions from end-users to prevent malware installation (but do it in a way that doesn’t stop them from doing their work), and users should never have direct access to either valuable corporate IT systems or the admin accounts on those systems.”
“Most of us receive several phishing emails every week, and research shows that between 5% and 30% of these emails are opened. The result is that 36% of all breaches are done through phishing methods. There is a huge amount of advice on this very serious threat, which begs the question: Why are we still susceptible to this tactic?
The only reliable way to spot a spoofed Office online authentication page is to check the URL, which is why email recipients are more likely to be deceived by a phishing email read on a smartphone than on a desktop machine. Other risk factors are time pressure and organisational change, which make it harder to discern whether the context of the email is appropriate.
Ultimately, it is a matter of judgement as to whether an email with web links or attachments presents a security risk. By understanding the indicators of compromise, you can protect yourself and your organization from infection, and more importantly, preserve your electronic freedom.”
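The commentator above says the only reliable check is the URL itself. The following added example (written for this page, not code from the quoted commentator or from Microsoft) shows what that check looks like when done mechanically, for instance in a mail-gateway link scanner: a link is accepted as a genuine sign-in page only when its host matches an allowlist exactly over HTTPS, and the common ways a phishing host borrows the real name (the real host used as a subdomain of another domain, the real host placed in the userinfo part before `@`, a hyphenated brand label, a punycode label that may hide homoglyphs) are reported as lookalikes. The allowlist and all sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Illustrative allowlist for this example: the host where the genuine sign-in page
# is expected to live. Assumption for the example; a real deployment uses its own.
EXPECTED_LOGIN_HOSTS = frozenset({"login.microsoftonline.com"})


def _brand_tokens(expected_hosts):
    """Distinctive labels (e.g. 'microsoftonline') that a lookalike host tends to reuse.

    Short generic labels such as 'login' or 'com' are skipped so they do not cause noise.
    """
    return {label for h in expected_hosts for label in h.split(".")[:-1] if len(label) >= 6}


def classify_login_url(url: str, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Classify a link that claims to lead to a sign-in page.

    Returns a (verdict, reason) pair where verdict is:
      'expected'   - host is exactly on the allowlist and the scheme is https
      'lookalike'  - the host or userinfo borrows an expected name (typical of phishing
                     and reverse-proxy pages), or the host uses punycode labels
      'unexpected' - anything else (wrong scheme, unrelated host, unparsable link)
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "unexpected", "not an http(s) URL with a host"

    if host in expected_hosts:
        if parts.scheme != "https":
            return "unexpected", "expected host but not https"
        return "expected", "host on allowlist"

    # Real host name embedded in a longer host, e.g. login.microsoftonline.com.verify.example
    for h in expected_hosts:
        if h in host:
            return "lookalike", f"expected host name embedded in '{host}'"

    # Brand label reused inside a host label, e.g. login-microsoftonline.example.net
    labels = host.split(".")
    for token in _brand_tokens(expected_hosts):
        if any(token in label for label in labels):
            return "lookalike", f"brand label '{token}' reused in '{host}'"

    # userinfo trick: https://login.microsoftonline.com@203.0.113.9/ really goes to 203.0.113.9
    userinfo = (parts.username or "").lower()
    if userinfo and any(h in userinfo for h in expected_hosts):
        return "lookalike", f"expected host name placed in userinfo, real host is '{host}'"

    # Punycode labels can encode homoglyph domains; the genuine host here is plain ASCII
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", f"punycode label in '{host}'"

    return "unexpected", "host not on allowlist"


if __name__ == "__main__":
    # Constructed sample links for the example
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
        "https://login.microsoftonline.com.account-verify.example/login",
        "https://login-microsoftonline.example.net/",
        "https://login.microsoftonline.com@203.0.113.9/",
        "https://xn--lgin-0ra.example/",
        "http://login.microsoftonline.com/",
        "https://docs.example.org/help",
    ):
        print(classify_login_url(sample), "<-", sample)
```

Only the 'expected' verdict should ever be treated as safe to follow; a 'lookalike' result is exactly the kind of link a user reading on a phone, where the address bar is truncated, would not catch by eye.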
“Freely available tools, such as evilginx2, can be used to hijack accounts from a whole range of online services even if MFA is configured. The skill level required to operate such tools isn’t all that high. The author of EvilGinx has weighed in on Microsoft’s report, noting that the responsibility to prevent reverse-proxy phishing attacks against their users falls on Microsoft’s shoulders and that other vendors, such as Google, have implemented mechanisms to prevent them.
As login sessions are often short-lived, an attacker must enter a hijacked session at the time it’s created or shortly thereafter. The attacker may also need to manually interact with the account after gaining access – which was indeed the case in reports detailed by Microsoft. However, it can be noted that an adversary could automate actions against a stolen session (such as harvesting all emails) without the need for manual interaction.
We’ve recently observed spear phishing campaigns that were used to gain access to email accounts of high-profile individuals such as military personnel, government officials, and journalists for political purposes. However, the campaign described by Microsoft appears to be financially motivated and thus is likely to be the work of regular cyber criminals.”
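The commentary above describes two properties of a stolen session that a defender can turn into detection logic: the session cookie is replayed soon after sign-in, from a client that is not the one it was issued to, and follow-on access may be automated (for example, bulk mailbox reads). The following added example (written for this page; not code from the quoted commentator, Microsoft, or any product) runs two such rules over constructed sign-in and mailbox activity records: an origin-mismatch rule that fires when a session id is presented from a different IP address or user agent than the one that signed in, reporting how many seconds after sign-in that happened, and a bulk-read rule that fires when one session reads more than a threshold of messages within a short window. The log format, field names and sample records are assumptions constructed for the example.

```python
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log for the example. Fields: timestamp | user | session id |
# client IP | user agent | action. Session s-1001 is signed in from one client and
# then used seconds later from another client that reads mail in rapid succession.
SAMPLE_LOG = """\
2022-07-13T09:00:00 | alice@example.com | s-1001 | 203.0.113.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/103 | signin
2022-07-13T09:02:30 | alice@example.com | s-1001 | 203.0.113.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/103 | mail.read
2022-07-13T09:04:10 | alice@example.com | s-1001 | 198.51.100.77 | python-requests/2.28 | mail.read
2022-07-13T09:04:11 | alice@example.com | s-1001 | 198.51.100.77 | python-requests/2.28 | mail.read
2022-07-13T09:04:12 | alice@example.com | s-1001 | 198.51.100.77 | python-requests/2.28 | mail.read
2022-07-13T09:04:13 | alice@example.com | s-1001 | 198.51.100.77 | python-requests/2.28 | mail.read
2022-07-13T09:04:14 | alice@example.com | s-1001 | 198.51.100.77 | python-requests/2.28 | mail.read
2022-07-13T09:10:00 | bob@example.com | s-1002 | 192.0.2.40 | Mozilla/5.0 (Macintosh) Safari/15 | signin
2022-07-13T09:15:00 | bob@example.com | s-1002 | 192.0.2.40 | Mozilla/5.0 (Macintosh) Safari/15 | mail.read
"""


@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    client_ip: str
    user_agent: str
    action: str


Alert = namedtuple("Alert", "session_id user rule ts detail")


def parse_log(lines):
    """Parse the pipe-separated sample format into Event records (blank lines skipped)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, sid, ip, ua, action = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), user, sid, ip, ua, action))
    return events


def detect_session_anomalies(events, bulk_threshold=5, bulk_window=timedelta(minutes=5)):
    """Apply the origin-mismatch and bulk-read rules; returns one Alert per rule per session."""
    origin = {}                      # session id -> the sign-in event that issued it
    reads = defaultdict(deque)       # session id -> timestamps of recent mail.read events
    alerts = []
    already = set()                  # (session id, rule) pairs already reported

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "signin":
            origin[ev.session_id] = ev
            continue

        issued_to = origin.get(ev.session_id)
        if issued_to is None:
            if (ev.session_id, "no-signin") not in already:
                already.add((ev.session_id, "no-signin"))
                alerts.append(Alert(ev.session_id, ev.user, "no-signin", ev.ts,
                                    "session used without an observed sign-in"))
        elif (ev.client_ip, ev.user_agent) != (issued_to.client_ip, issued_to.user_agent):
            if (ev.session_id, "origin-mismatch") not in already:
                already.add((ev.session_id, "origin-mismatch"))
                age = int((ev.ts - issued_to.ts).total_seconds())
                alerts.append(Alert(ev.session_id, ev.user, "origin-mismatch", ev.ts,
                                    f"issued to {issued_to.client_ip} ({issued_to.user_agent}), "
                                    f"used from {ev.client_ip} ({ev.user_agent}) {age}s after sign-in"))

        if ev.action == "mail.read":
            recent = reads[ev.session_id]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > bulk_window:   # slide the window
                recent.popleft()
            if len(recent) >= bulk_threshold and (ev.session_id, "bulk-mailbox-read") not in already:
                already.add((ev.session_id, "bulk-mailbox-read"))
                alerts.append(Alert(ev.session_id, ev.user, "bulk-mailbox-read", ev.ts,
                                    f"{len(recent)} mail.read events within {bulk_window}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(parse_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the sample data the rules raise two alerts, both for s-1001: the origin mismatch 250 seconds after sign-in, and the bulk read once five reads fall inside the window; Bob's session, used only from the client it was issued to, raises none. In production the "different client" comparison would usually be relaxed to the network or device level (legitimate clients change addresses), which is why the alert carries the time since sign-in: a fresh session replayed almost immediately from elsewhere is the pattern the commentary describes.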
“This incident goes to show that not all MFA is created equal, and hits home at just how easily many can be sidestepped. Large-scale campaigns, like this one, happen because they are so fruitful, and the pool of targets ripe for the picking is immense. However, the bottom line is they shouldn’t be happening. Organisations must use phishing-resistant MFA techniques that include device security posture as part of their access strategy, which is consistent with the United States government’s advisory to all federal agencies back in January; some have woken up to the dangers, but it’s time the rest of the world follows suit.”