A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked sign-in sessions and skipped the authentication process even if MFA was enabled, according to a new report.
The AiTM phishing campaign has targeted more than 10,000 organizations since September 2021, according to Microsoft, which has detailed the threat in a new blog. In one example, the attacker sent emails including an HTML file attachment to multiple recipients in different organizations, informing them they had a voice message.
The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform business email compromise campaigns against other targets, according to Microsoft’s 365 Defender Research Team.
Forming the basis of a vast number of cyber-incidents, phishing is “one of the most common techniques” used by attackers to gain initial access to organizations, Microsoft said, citing figures from its 2021 Microsoft Digital Defense Report, which showed phishing attacks doubled in 2020.
While MFA is being used by an increasing number of firms to boost security, Microsoft warns that it isn’t infallible. “Unfortunately, attackers are also finding new ways to circumvent this security measure,” the 365 Defender Research Team said.
The latest attack sees adversaries deploy a proxy server between a target user and an impersonated website. This allows the attacker to intercept the user’s password and the session cookie that proves their ongoing and authenticated session with the website. “Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” Microsoft explained.
It’s “interesting” that attackers are leveraging phishing techniques to harvest session cookies as well as credentials, said independent security researcher Sean Wright. “These attacks show the importance of well-established security controls alongside features like MFA and encrypted communications, such as HTTPS.”
Wright advises using FIDO-based security tokens where possible “since these have a proven track record in preventing phishing attempts.”
In addition, Microsoft suggests organizations complement MFA with conditional access policies. This sees sign-in requests evaluated using additional identity-driven signals such as user or group membership, IP location information and device status.
Erich Kron, security awareness advocate at KnowBe4, advised organizations to train employees on how to identify and report phishing and test them regularly with simulated phishing attacks. In addition, educating users on how to identify fake login pages “will greatly reduce the risk of giving up the credentials and session cookies.”