A sophisticated phishing campaign is being conducted that steals Microsoft 365 credentials and bypasses multifactor authentication on accounts. Attacks on Microsoft 365 users are far from uncommon. With so many businesses using Microsoft 365, it is an attractive target for hackers. If they can develop a campaign that bypasses Microsoft’s security controls, huge numbers of businesses can be attacked. Microsoft 365 credentials are valuable. They provide an attacker with access to email accounts, and often other Microsoft products such as SharePoint, OneDrive, and Skype. A successful attack on just one Microsoft 365 user can give the attacker access to huge amounts of sensitive data and provide a foothold in the network for a much more extensive attack.
One of the latest campaigns spoofs DocuSign – a platform used by organizations to manage electronic agreements. The email requests feedback on a document, with the message crafted to look like a genuine email sent through DocuSign. This campaign appears to be a spear phishing attack, which targets executives at businesses. If the link is clicked, the user will be directed to a malicious URL where they are required to log in with their Microsoft 365 credentials. The website appears to be the genuine Microsoft login page, and if credentials are entered, they are captured. The user is then presented with a notice advising them that the authentication has failed and will likely be unaware that credentials have been stolen.
Stealing credentials alone may not be enough to gain access to Microsoft 365 accounts, as multifactor authentication may have been enabled. This is strongly encouraged by Microsoft to prevent stolen credentials from being used by unauthorized individuals to access accounts. To get around this, the campaign uses a reverse proxy in a man-in-the-middle attack. The web page linked in the email used the evilginx2 proxy. When the credentials are entered on the fake login page they are fed to the genuine Microsoft 365 login, unbeknownst to the victim. The session cookie from the successful login attempt is stolen and is used to assume the identity of the victim. That cookie means credentials do not need to be re-entered and no further multifactor authentication requests need to be approved.
This technique provides immediate access to the account, but the attackers go a step further to achieve persistent access. They add a secondary authentication app, which allows them to continue to access the account without going through the process again when the session expires or is otherwise revoked. This attack was investigated by Mitiga, which reports that the attackers used the compromised credentials to access SharePoint and Exchange, but they could have accessed other services had the attack not been detected and resolved quickly.
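The two behaviours described above leave traces in sign-in and audit logs: a session that was established with MFA satisfied and then reused from a different network without an MFA prompt, and a new authentication method registered minutes after the first sign-in ever seen from that network. The following is an added example (not code from the original article, from Mitiga, or from Microsoft) that runs two such detections over constructed sample records; the field names only loosely resemble Entra ID sign-in and audit log fields and are assumptions, as are the IP addresses, ASNs and session IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data); field names are assumptions
# loosely modelled on Entra ID sign-in logs.
SIGNIN_LOGS = [
    # Normal login from the office network.
    {"time": "2024-01-10T08:00:00", "user": "cfo@example.com", "session_id": "sess-A",
     "ip": "203.0.113.10", "asn": 64500, "mfa_satisfied": True},
    # Victim completes MFA through the phishing proxy: the sign-in is recorded
    # from the proxy's network, not the victim's.
    {"time": "2024-01-10T09:00:00", "user": "cfo@example.com", "session_id": "sess-B",
     "ip": "198.51.100.77", "asn": 64501, "mfa_satisfied": True},
    # The captured cookie is replayed from yet another network; no MFA prompt.
    {"time": "2024-01-10T09:05:00", "user": "cfo@example.com", "session_id": "sess-B",
     "ip": "192.0.2.200", "asn": 64502, "mfa_satisfied": False},
    # Unrelated user, one session, one network.
    {"time": "2024-01-10T09:10:00", "user": "alice@example.com", "session_id": "sess-C",
     "ip": "203.0.113.11", "asn": 64500, "mfa_satisfied": True},
]

# Constructed audit records (assumption: activity string as shown).
AUDIT_LOGS = [
    # A second authenticator is registered for persistence, 7 minutes after the replay.
    {"time": "2024-01-10T09:12:00", "user": "cfo@example.com",
     "activity": "User registered security info", "ip": "192.0.2.200"},
    # Legitimate registration from a long-known office IP.
    {"time": "2024-01-10T10:30:00", "user": "alice@example.com",
     "activity": "User registered security info", "ip": "203.0.113.11"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_session_reuse_across_networks(signins):
    """Flag (user, session_id) pairs seen from more than one ASN.

    A session established with MFA satisfied and then used from another network
    without MFA is the signature of a replayed session cookie."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[(rec["user"], rec["session_id"])].append(rec)
    alerts = []
    for (user, sid), recs in by_session.items():
        asns = {r["asn"] for r in recs}
        if len(asns) > 1:
            alerts.append({
                "user": user, "session_id": sid, "asns": sorted(asns),
                "ips": sorted({r["ip"] for r in recs}),
                "mfa_on_first": min(recs, key=lambda r: _t(r["time"]))["mfa_satisfied"],
            })
    return alerts


def find_auth_method_added_after_new_network(signins, audits, window=timedelta(minutes=30)):
    """Flag security-info registrations that occur within `window` of the first
    sign-in ever seen for that user from the registering IP."""
    alerts = []
    for ev in audits:
        if ev["activity"] != "User registered security info":
            continue
        when = _t(ev["time"])
        earlier = [s for s in signins if s["user"] == ev["user"] and _t(s["time"]) <= when]
        # IPs this user used before the window are treated as known/legitimate.
        known_ips = {s["ip"] for s in earlier if when - _t(s["time"]) > window}
        recent_from_ip = sorted(
            (s for s in earlier if s["ip"] == ev["ip"] and when - _t(s["time"]) <= window),
            key=lambda s: _t(s["time"]))
        if recent_from_ip and ev["ip"] not in known_ips:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "registered_at": ev["time"],
                           "first_signin_from_ip": recent_from_ip[0]["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse_across_networks(SIGNIN_LOGS):
        print("session reused across networks:", a)
    for a in find_auth_method_added_after_new_network(SIGNIN_LOGS, AUDIT_LOGS):
        print("new authenticator after new-network sign-in:", a)
```

On the constructed data the first check flags only `sess-B`, and the second flags only the CFO's registration; Alice's registration is ignored because her IP was already known well before the 30-minute window. In production the same logic would be fed from exported sign-in and audit logs rather than inline lists.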
This attack shows how multifactor authentication can be bypassed. In this case, had the account required a multifactor method bound to an authorized device, or a physical security key such as a YubiKey, the attack could have been thwarted.
These attacks can be difficult to identify, although in this case the initial email could have been blocked if DMARC had been correctly set up to block emails from domains not associated with the brand being spoofed. SpamTitan incorporates DMARC controls for email authentication. End user training is also vital. All members of the workforce should be trained on how to recognize the signs of phishing. TitanHQ can assist in this regard through the SafeTitan security awareness and phishing simulation platform.
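DMARC only blocks spoofed mail when the brand's domain publishes an enforcing policy (p=reject or p=quarantine, applied to 100% of messages and to subdomains) and the receiving gateway honours it. The following added example (not SpamTitan's or TitanHQ's code) parses a DMARC TXT record and reports the gaps that would let a spoofed message through; the records it evaluates are constructed, and a real check would fetch the `_dmarc.<domain>` TXT record via DNS first.

```python
# Added example: assess whether a DMARC record would actually block spoofed mail.
# The record strings below are constructed for illustration.
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25"


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase-keyed tag dict.
    Returns None when the record is not a DMARC record (missing v=DMARC1)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings).

    `enforcing` is True only when failing messages from the domain and its
    subdomains are rejected or quarantined for 100% of mail. `findings` lists
    each weakness found, in plain language."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, ["no valid DMARC record (missing v=DMARC1)"]
    findings = []
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to the domain policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    blocking = ("reject", "quarantine")
    if p not in blocking:
        findings.append(f"p={p or 'missing'}: spoofed mail is only monitored, not blocked")
    if sp not in blocking:
        findings.append(f"sp={sp or 'missing'}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages receive the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    enforcing = p in blocking and sp in blocking and pct == 100
    return enforcing, findings


if __name__ == "__main__":
    for name, rec in [("strict", STRICT_RECORD), ("monitor-only", MONITOR_ONLY_RECORD),
                      ("partial", PARTIAL_RECORD)]:
        enforcing, findings = assess_dmarc(rec)
        print(f"{name}: enforcing={enforcing}")
        for f in findings:
            print("  -", f)
```

The monitor-only record is the common misconfiguration: p=none still produces reports, but a receiving gateway following the published policy will deliver the spoofed DocuSign-style message anyway. A pct below 100 is a staged rollout that should not be left in place.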