Hackers are attempting to steal millions of dollars from businesses by bypassing multi-factor authentication

Cybersecurity researchers detail a BEC scam targeting high-level Microsoft Office 365 accounts, even if they're protected with MFA.
Written by Danny Palmer, Senior Writer

A phishing and business email compromise (BEC) campaign that attempts to steal millions of dollars from victims is targeting Microsoft 365 accounts with attacks that can bypass multi-factor authentication (MFA). 

Applying multi-factor authentication (MFA) is one of the best things that can be done to help secure user accounts from being compromised – but as with any other cybersecurity measure, malicious hackers are attempting to find ways to get around it.

An example of this has been detailed by cybersecurity researchers at Mitiga, who uncovered a campaign combining phishing with attacker-in-the-middle (AiTM) attacks to circumvent MFA.  


The attacks target the cloud-based Office 365 accounts of executives – mainly CEOs and CFOs – so that the attackers can slide into ongoing, legitimate email conversations about business deals and insert a fraudulent request for payment. 

The attackers change the bank details so that they receive the payment if the transfer is approved. Researchers say the attackers behind this campaign are attempting to steal millions of dollars in each transaction. 

In many cases of BEC fraud – which costs victims a combined total of billions of dollars – the scam isn't noticed until it's too late and the attackers have made off with the money.  

However, the attack detailed by researchers wasn't successful, as the intended victims noticed something was wrong and investigated the incident, providing insight into how BEC attacks are evolving to get by hardened defences. 

These attacks begin with specially-crafted phishing emails designed for the executives of the organisations being targeted.  

These are designed to look like legitimate documents from DocuSign, but if the victim clicks on the malicious link, they're taken to what appears to be a Microsoft 365 login page. It looks legitimate, and if the user enters their details, they hand the attacker their username and password. 

The attack also uses proxy servers that sit between the victim's browser and the real Microsoft server, which lets it bypass MFA without the user noticing. The victim is asked to confirm the MFA request on their device as usual, the sign-in succeeds, and Microsoft returns a valid session cookie that passes through the attacker's proxy. The attacker can then use that cookie to take control of the victim's session without reentering a password or completing an MFA request. 

With this access, the attacker can register a second MFA authentication app for themselves, without the knowledge of the original user, giving the attackers full persistence on the compromised account and the ability to monitor emails and other activity. 

It's this approach that allowed the attackers to send a reply to real correspondence about a transaction and attempt to redirect a payment to their own account. The attackers weren't successful at receiving a transfer, but the incident demonstrates how BEC and other cyber-criminal schemes are evolving. 


"Cyberattacks are a business – and they can't give up their income just because someone built a new security control. MFA seemed like a great control against phishing attacks, and was so for a while, as the attackers just opted to go after those who did not have it in place. But now that it's widespread, the attackers developed technologies to overcome this," Ofer Maor, CTO at Mitiga, told ZDNET. 

"This is why security is an ongoing process and needs to continue to evolve as attackers are evolving, and it is why organizations need to stay ahead of the curve as far as their security, so that the majority of attacks will not focus on them."

Mitiga has contacted Microsoft about the attacks.

MFA is still a vital tool for helping to protect users and organisations from cyberattacks, but additional steps can be taken to boost security and keep accounts safe.  

Mitiga researchers also recommend that account security be tied to specific, authorised computers and phones, which can help prevent cyber criminals from compromising accounts for cloud applications and services from another location. 

"AitM phishing is important to be aware of and we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," a Microsoft spokesperson told ZDNET.

"We recommend that customers use Azure AD Conditional Access to set up specific rules for allowed risk levels, locations, device compliance and other requirements to prevent registration of new credentials by adversaries. Where possible, we also recommend using phishing-resistant credentials like Windows Hello or FIDO," they added.
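The persistence step described above (an attacker registering a second MFA method on a hijacked account) leaves a trace that defenders can look for: a new authentication method appearing shortly after a sign-in from an IP address the user has never used before. The following is an added example, not code from Mitiga, Microsoft or ZDNET, of the correlation logic a detection team might run over identity logs. The log format, the example.com accounts, the documentation-range IP addresses and the per-user baseline of known IPs are all constructed for the example and are not modelled on any real tenant's data.

```python
"""Flag MFA-method registrations that closely follow a sign-in from an unfamiliar IP.

Added example (not the article's or any vendor's code). All sample data is constructed:
the CSV-like event format, the users, the IPs and the baseline of "known" addresses.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str  # "signin" or "mfa_method_added" (hypothetical event names)
    ip: str


# Constructed sample events: timestamp,user,event kind,source IP.
# The CFO signs in from a known IP, then a second sign-in arrives from an
# unknown IP and a new MFA method is registered a few minutes later.
SAMPLE_LOG = [
    "2022-08-01T08:02:11Z,cfo@example.com,signin,203.0.113.5",
    "2022-08-01T08:15:40Z,cfo@example.com,signin,198.51.100.23",
    "2022-08-01T08:21:03Z,cfo@example.com,mfa_method_added,198.51.100.23",
    "2022-08-01T09:00:00Z,ceo@example.com,signin,203.0.113.7",
    "2022-08-01T09:30:00Z,ceo@example.com,mfa_method_added,203.0.113.7",
]

# Constructed baseline: IPs each user has signed in from before the period under review.
KNOWN_IPS: Dict[str, Set[str]] = {
    "cfo@example.com": {"203.0.113.5"},
    "ceo@example.com": {"203.0.113.7"},
}


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse the constructed log lines into Event objects, sorted by time."""
    events: List[Event] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, ip = [field.strip() for field in line.split(",")]
        # fromisoformat does not accept a trailing "Z" on older Pythons; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, user.lower(), kind, ip))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_registrations(
    events: List[Event],
    known_ips: Dict[str, Set[str]],
    window: timedelta = timedelta(hours=2),
) -> List[Tuple[str, str, str]]:
    """Return (user, registration time, unfamiliar IP) for each MFA-method registration
    that was preceded, within `window`, by a sign-in from an IP outside the user's baseline."""
    alerts: List[Tuple[str, str, str]] = []
    for reg in events:
        if reg.kind != "mfa_method_added":
            continue
        baseline = known_ips.get(reg.user, set())
        for signin in events:
            if (
                signin.kind == "signin"
                and signin.user == reg.user
                and reg.ts - window <= signin.ts <= reg.ts
                and signin.ip not in baseline
            ):
                alerts.append((reg.user, reg.ts.isoformat(), signin.ip))
                break  # one alert per registration is enough
    return alerts


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detection over the constructed sample data."""
    return find_suspicious_registrations(parse_events(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for user, when, ip in run_sample():
        print(f"ALERT: {user} registered a new MFA method at {when} "
              f"after a sign-in from unfamiliar IP {ip}")
```

On the sample data only the CFO's registration is flagged: it follows a sign-in from an address outside that user's baseline, whereas the CEO's registration came from a known address. In practice the baseline would be built from historical sign-in data, and the alert is a prompt for a human to check whether the new authentication method was really registered by the account owner.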
