Protecting against phishing that can bypass MFA
TL;DR
With multi-factor authentication becoming more common, threat actors are adapting their established techniques to bypass it. Follow the standard phishing prevention steps: be suspicious of messages you weren't expecting, of messages that look slightly different from usual, and of any that push you to act immediately. Microsoft also suggests additional monitoring policies and safeguards, detailed below.
========================
Background
Earlier this month (July 2022), Microsoft published details of widespread phishing campaigns run by threat actors specifically to bypass the multifactor authentication (MFA) of the websites being targeted. According to Microsoft's statistics, more than 10,000 organisations have been targeted with this form of attack since September 2021, and phishing attacks doubled in number during 2020.
How are threat actors bypassing multi-factor authentication using phishing attacks?
The phishing campaigns observed by Microsoft began with emails carrying HTML file attachments. The emails claimed that a voicemail message had been left and that it would be deleted within 24 hours if not listened to. When the victim follows the link, they are presented with a sign-in page and their credentials are requested and captured by the threat actor.
The victim is then redirected to the real office.com website, but by that point the credentials and the resulting session have already been captured by an adversary in the middle (AiTM) attack, defined below.
What is an Adversary in the middle (AiTM) attack?
Adversary in the middle (AiTM) attacks are a form of phishing in which a proxy server is placed between the phishing victim and the genuine website. The proxy relays every request and response between the two, so the victim sees the real sign-in flow, including the MFA prompt, and completes it normally; the only visible difference is the subtly different URL of the phishing domain. Because all traffic passes through the proxy, the threat actor captures the victim's password and, more importantly, the session cookie the genuine website issues once authentication succeeds, without the victim being aware of it. As Microsoft pointed out, AiTM is not a new technique, but Microsoft observed it in more detail from September 2021.
Why does this work?
To spare the user from re-authenticating on every request, the website issues a session cookie after a successful login and accepts that cookie as proof of identity for the life of the session. If a threat actor can steal the cookie via the proxy server, the threat actor effectively "becomes" the user for as long as the session remains valid.
In addition, when the threat actor places the captured session cookie into their own browser, the website treats the requests as coming from the already-authenticated user, so the password and MFA prompts are never shown again. The authentication process is bypassed even though MFA is enabled.
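The session-cookie point above, as an added illustration (this is not code from the original post or from Microsoft). It simulates a web application's session handling in a few functions: the login checks a password and a one-time code, then mints a session cookie; later requests are authorised by the cookie alone, so a cookie captured by a proxy works from the attacker's browser. A second validator re-checks the client context the session was issued to, standing in for the device/location evaluation of a conditional access policy. All names, users, secrets and client contexts are made up.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"example-server-signing-key"  # made-up secret for cookie MACs
SESSION_TTL_SECONDS = 8 * 3600

# Constructed user database: password hash and a TOTP-like shared secret.
USERS = {
    "alice@example.com": {
        "password_sha256": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "otp_secret": b"example-otp-secret",
    }
}
SESSIONS = {}  # session_id -> {"user", "expires", "client"}


def expected_otp(user, now=None):
    """Toy one-time code: HMAC over a 30-second time step (illustration only)."""
    step = int((now or time.time()) // 30)
    mac = hmac.new(USERS[user]["otp_secret"], str(step).encode(), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def login(user, password, otp, client, now=None):
    """Password + MFA check. On success the server mints a session cookie and
    records the client context (IP, user agent) the session was issued to."""
    record = USERS.get(user)
    if record is None:
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, record["password_sha256"]):
        return None
    if not hmac.compare_digest(otp, expected_otp(user, now)):
        return None
    now = now or time.time()
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "expires": now + SESSION_TTL_SECONDS, "client": client}
    # The cookie carries a MAC so a forged or tampered id is rejected cheaply.
    sig = hmac.new(SERVER_SECRET, session_id.encode(), "sha256").hexdigest()
    return f"{session_id}.{sig}"


def _lookup(cookie, now=None):
    """Verify the cookie MAC and return the live session it refers to, if any."""
    now = now or time.time()
    try:
        session_id, sig = cookie.split(".", 1)
    except (ValueError, AttributeError):
        return None
    good = hmac.new(SERVER_SECRET, session_id.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, good):
        return None
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] < now:
        return None
    return session


def authorise_cookie_only(cookie, client, now=None):
    """What most sites do: a valid cookie is the whole proof. Nothing about
    `client` is consulted, so a cookie captured by a proxy is accepted from
    the attacker's browser without any password or MFA prompt."""
    session = _lookup(cookie, now)
    return session["user"] if session else None


def authorise_with_context(cookie, client, now=None):
    """Same cookie check, plus re-evaluation of the client context on every
    request (the role a conditional access policy plays). A replay from a
    client that does not match the one the session was issued to is refused."""
    session = _lookup(cookie, now)
    if session is None or session["client"] != client:
        return None
    return session["user"]


def demo():
    """Victim signs in through the proxy, which forwards the real password and
    OTP, so the site sees the proxy as the client. The attacker then replays
    the captured cookie from their own browser."""
    now = time.time()
    proxy_client = {"ip": "203.0.113.10", "ua": "VictimBrowser/1.0"}      # made up
    attacker_client = {"ip": "198.51.100.7", "ua": "AttackerBrowser/2.0"}  # made up
    cookie = login("alice@example.com", "correct horse battery staple",
                   expected_otp("alice@example.com", now), proxy_client, now)
    return {
        "cookie_only": authorise_cookie_only(cookie, attacker_client, now),
        "with_context": authorise_with_context(cookie, attacker_client, now),
        "same_proxy_context": authorise_with_context(cookie, proxy_client, now),
    }


if __name__ == "__main__":
    print(demo())
```

The third result in `demo()` is the caveat: a check keyed only on IP address still accepts the cookie if the attacker drives their session through the same proxy the victim used, which is why a policy that requires a compliant or managed device (proof the proxy cannot forward) is stronger than a location check alone.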
Does this mean MFA is not worthwhile?
This is not a vulnerability in MFA. The session cookie is only created after the password and the MFA credential have been requested and entered successfully; the attacker simply lets the victim complete that step through the proxy and then reuses the proof of it. What is bypassed is the prompt, not the check.
NIST states that MFA is better than passwords alone, and Microsoft points out that the extra security added by MFA is precisely why threat actors are adapting their techniques to get around it. Phishing-resistant methods such as FIDO2 security keys go further, because the credential is bound to the genuine site's origin and cannot be completed through a proxy on a different domain.
How can I protect my organisation or myself from these forms of phishing attacks?
The same recommendations and defences that succeed at preventing and detecting conventional phishing attacks are also effective against this more recent variant. For example, the spearphishing email technique documented by the FBI here is used in these attacks, and the FBI's final recommendation, "Be especially wary if the requestor is pressing you to act quickly", applies directly, since the emails demanded action within 24 hours.
To better detect and prevent these phishing attacks, please also consider the following suggestions (source: Microsoft's write-up):
1. Use conditional access policies: these evaluate the device and the location being used to access corporate resources, not just at sign-in but each time a session is used, so a stolen cookie replayed from an unmanaged device or an unexpected location can be blocked rather than merely noticed.
2. Make sure your web browser's ability to detect phishing websites is enabled (reference links for Mozilla Firefox, Google Chrome, Apple Safari and Microsoft Edge).
3. Continuously monitor for the creation of suspicious inbox rules (for example rules that forward, mark as read, move or delete messages) and for mailboxes being accessed from unusual locations.
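Detection logic for the monitoring items above, run over constructed log records, as an added example (not Microsoft's code or query language). The records are dicts shaped loosely after Microsoft 365 audit log entries; the field names are simplified rather than a schema reference, the IP-to-country table is a made-up stand-in for a GeoIP lookup, and the sign-in baseline per user is invented. It flags inbox rules with hiding or forwarding traits and escalates when the rule was created from the same IP as a sign-in from a country outside the user's baseline shortly before.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed GeoIP stand-in using documentation address ranges.
GEO_TABLE = {"203.0.113.0/24": "GB", "198.51.100.0/24": "NG", "192.0.2.0/24": "US"}

# Constructed baseline: countries each user normally signs in from.
USER_BASELINE = {"alice@example.com": {"GB"}, "bob@example.com": {"US"}}

# Rule traits attackers use to hide or siphon off mail after taking a session.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead"}
FORWARDING_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
ODD_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive", "Deleted Items"}

# Constructed audit records (not real telemetry).
RECORDS = [
    {"CreationTime": "2022-07-12T08:01:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2022-07-12T09:14:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2022-07-12T09:16:30", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "Parameters": {"Name": "Invoices", "SubjectContainsWords": "invoice;payment",
                    "MarkAsRead": "True", "MoveToFolder": "RSS Feeds"}},
    {"CreationTime": "2022-07-12T10:02:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "192.0.2.44",
     "Parameters": {"Name": "Newsletters", "FromAddressContainsWords": "news",
                    "MoveToFolder": "Newsletters"}},
]


def country_for(ip):
    """Look the address up in the constructed GeoIP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def parse_time(s):
    return datetime.fromisoformat(s)


def rule_indicators(params):
    """Reasons an inbox rule looks like post-compromise hiding or forwarding."""
    reasons = []
    enabled = {k for k, v in params.items() if v == "True"}
    if HIDING_ACTIONS & enabled:
        reasons.append("hides messages (delete/mark read)")
    if FORWARDING_ACTIONS & set(params):
        reasons.append("forwards or redirects mail")
    if params.get("MoveToFolder") in ODD_FOLDERS:
        reasons.append(f"moves mail to unusual folder {params['MoveToFolder']!r}")
    return reasons


def unusual_signins(records):
    """Sign-ins whose source country is outside the user's baseline."""
    hits = []
    for r in records:
        if r["Operation"] != "UserLoggedIn":
            continue
        country = country_for(r["ClientIP"])
        if country not in USER_BASELINE.get(r["UserId"], set()):
            hits.append({**r, "Country": country})
    return hits


def suspicious_rules(records, window=timedelta(hours=2)):
    """Alert on rules with hiding/forwarding traits; severity is raised when the
    rule came from the same IP as an unusual-location sign-in within `window`."""
    odd = unusual_signins(records)
    alerts = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = r.get("Parameters", {})
        reasons = rule_indicators(params)
        if not reasons:
            continue
        t = parse_time(r["CreationTime"])
        linked = [s for s in odd
                  if s["UserId"] == r["UserId"] and s["ClientIP"] == r["ClientIP"]
                  and timedelta(0) <= t - parse_time(s["CreationTime"]) <= window]
        if linked:
            reasons.append(f"follows sign-in from unusual country {linked[0]['Country']}")
        alerts.append({"user": r["UserId"], "rule": params.get("Name"),
                       "severity": "high" if linked else "medium", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in suspicious_rules(RECORDS):
        print(a)
```

Run against the constructed records, Bob's newsletter rule produces nothing, while Alice's rule (marks invoice mail as read and parks it in the RSS Feeds folder, created minutes after a sign-in from outside her baseline) is reported at high severity. In production the baseline would come from historical sign-in data and the country from a real GeoIP source.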
Thank you.