A very important phishing campaign targets Microsoft customers and more particularly Office 365 users. The operating mode used by cybercriminals makes it possible to circumvent multi-factor authentication (MFA). Explanations.
According to security researchers at Microsoft, this phishing campaign has already targeted more than 10,000 companies since September 2021 ! From a compromised e-mail account, hackers send phishing e-mails to other employees of the company, but also to external partners, with the aim of obtaining fraudulent payments. When a new email account is compromised, it in turn is used to deliver malicious emails.
Following the analysis carried out by Microsoft, we learn that the e-mails sent as part of this phishing campaign contain a malicious HTML attachment. In some cases, and this is not new, the e-mail tells the user that they have received a new voicemail message and that they should consult the attachment. When this page is opened, a pseudo-loading page is displayed, before redirecting the user to an Office 365 login page.
Where the technique used by hackers is clever and formidable is that the malicious site set up serves as an HTTPS proxy. In other words, when the user navigates to the malicious page, these are information obtained from the real Microsoft site that is displayed, in real time. The cybercriminals’ site, as an HTTPS proxy, is positioned between two: the principle of an attack man in the middle.
Through this method, the connection can be made with Microsoft services, up to the MFA stage (if the feature is activated). So, if the user completes the authentication process, the hacker can retrieve the user’s login cookie ! Microsoft clarifies:In several cases, the cookies attested to an MFA request, meaning that even though the company had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account“.
Some second factors are vulnerable to this attack, including SMS and email code, which is not the case with methods based on the FIDO 2 standard, such as YubiKeys. Despite everything, it remains interesting to set up the MFA because it makes it possible to eliminate a large number of attacks and to protect against traditional methods, such as brute force. In addition, Microsoft recommends setting up Conditional Access rulesfor example.
Although the domain name is not Microsoft’s and corresponds to the domain name set up by cybercriminals, several elements reassure the user:
- When he finds himself in front of the Office 365 login page, his e-mail address is already filled in, as when he is on the official site
- The Office 365 login page that is displayed shows the graphic elements specific to the company (if any), in particular the background image
- The connection to the malicious site is secured using the HTTPS protocol
If necessary, I invite you to read my tutorial on configuring MFA on Office 365.