A phishing and business email compromise (BEC) campaign that attempts to steal millions of dollars from victims is targeting Microsoft 365 accounts with attacks that can bypass multi-factor authentication (MFA).
The attacks target the cloud-based Office 365 accounts of executives – mainly CEOs and CFOs – and use them to send fraudulent emails requesting financial transfers. Rather than starting a new thread, the attackers slide into ongoing, legitimate email conversations about business deals and insert a fraudulent request for payment.
The attackers change the bank details so that they receive the payment if the transfer is approved. Researchers say the attackers behind this campaign are attempting to steal millions of dollars in each transaction.
However, the attack detailed by researchers wasn't successful, as the intended victims noticed something was wrong and investigated the incident, providing insight into how BEC attacks are evolving to get past hardened defences.
These attacks begin with specially crafted phishing emails designed for the executives of the organisations being targeted.
These are designed to look like legitimate documents from DocuSign, but if the victim clicks on the malicious link, they're taken to what appears to be a Microsoft 365 login page. It looks legitimate, and if the user enters their details, they hand the attacker their username and password.
This attack also uses proxy servers that sit between the client and the real Microsoft server, allowing it to bypass MFA without the victim noticing. The victim is asked to confirm the MFA prompt on their device as usual, and the real Microsoft server returns a valid session cookie. Because that cookie passes through the attacker's proxy, the attacker can use it to take control of the victim's session without re-entering a password or completing an MFA request.
With that authenticated session, the attacker can set up a second MFA authentication app for themselves, without the knowledge of the original user. This gives the attackers full persistence on the compromised account and the ability to monitor emails and other activity.
It's this approach that allowed the attackers to send a reply to real correspondence about a transaction and attempt to redirect a payment to their own account. The attackers weren't successful at receiving a transfer, but the incident demonstrates how BEC and other cyber-criminal schemes are evolving.
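Two of the behaviours described above leave traces a defender can look for in sign-in and audit logs: a session cookie that is replayed from a different IP address than the one that completed MFA, and a new MFA method registered from an address that never passed MFA itself. The following is an added example, not code from the original article or from Mitiga or Microsoft; the log records are constructed, and their field names and layout are an assumption rather than Microsoft's actual log schema.

```python
"""Flag AitM-style session replay and suspicious MFA-method registration
in constructed Microsoft 365-style log records (assumed field layout)."""
from datetime import datetime, timedelta

# Constructed sample data; field names are an assumption, not Microsoft's schema.
SIGNINS = [
    # Victim completes MFA on the real login page via the attacker's proxy.
    {"time": "2022-08-24T09:00:00", "user": "cfo@example.com",
     "ip": "203.0.113.10", "session_id": "S1", "mfa": True},
    # Same session cookie used from another address, with no MFA prompt.
    {"time": "2022-08-24T09:02:00", "user": "cfo@example.com",
     "ip": "198.51.100.7", "session_id": "S1", "mfa": False},
]
AUDIT = [
    # A second authenticator app added from the replaying address.
    {"time": "2022-08-24T09:05:00", "user": "cfo@example.com",
     "ip": "198.51.100.7", "activity": "User registered security info"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def session_reuse_alerts(signins):
    """Report a session id seen from a second IP where the later sign-in
    carried no MFA: consistent with a stolen session cookie being replayed."""
    first_ip, alerts = {}, []
    for s in sorted(signins, key=lambda r: r["time"]):
        origin = first_ip.setdefault(s["session_id"], s["ip"])
        if s["ip"] != origin and not s["mfa"]:
            alerts.append((s["user"], s["session_id"], origin, s["ip"]))
    return alerts

def new_mfa_method_alerts(signins, audit, window=timedelta(hours=1)):
    """Report security-info registration from an IP that did not itself
    complete an MFA-confirmed sign-in for that user within the window."""
    alerts = []
    for a in audit:
        if a["activity"] != "User registered security info":
            continue
        t = _parse(a["time"])
        mfa_ips = {s["ip"] for s in signins
                   if s["user"] == a["user"] and s["mfa"]
                   and timedelta(0) <= t - _parse(s["time"]) <= window}
        if a["ip"] not in mfa_ips:
            alerts.append((a["user"], a["ip"], a["activity"]))
    return alerts

if __name__ == "__main__":
    print(session_reuse_alerts(SIGNINS))
    print(new_mfa_method_alerts(SIGNINS, AUDIT))
```

Either alert on its own is a reason to review the account's registered authentication methods and revoke active sessions; both together match the sequence the researchers describe.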
"Cyberattacks are a business – and they can't give up their income just because someone built a new security control. MFA seemed like a great control against phishing attacks, and was so for a while, as the attackers just opted to go after those who did not have it in place. But now that it's widespread, the attackers developed technologies to overcome this," Ofer Maor, CTO at Mitiga, told ZDNET.
"This is why security is an ongoing process and needs to continue to evolve as attackers are evolving, and it is why organizations need to stay ahead of the curve as far as their security, so that the majority of attacks will not focus on them."
Mitiga researchers also recommend that account security is tied to specific, authorised computers and phones, which can help prevent cyber criminals from compromising accounts for cloud applications and services from another location.
"AitM phishing is important to be aware of and we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," a Microsoft spokesperson told ZDNET.
"We recommend that customers use Azure AD Conditional Access to set up specific rules for allowed risk levels, locations, device compliance and other requirements to prevent registration of new credentials by adversaries. Where possible, we also recommend using phishing-resistant credentials like Windows Hello or FIDO," they added.