Microsoft said more than 10,000 organisations have been targeted by the campaign, which uses a fake website to steal credentials and session cookies, letting an attacker skip authentication safeguards.
Microsoft security researchers have warned about a large-scale phishing campaign that can hijack Office 365 user accounts even when they’re protected with multifactor authentication (MFA).
This campaign has attempted to target more than 10,000 organisations since September 2021, according to Microsoft’s threat data.
Researchers said attackers are using stolen credentials and session cookies to access a victim’s mailbox and perform follow-on campaigns against other targets.
In recent years, organisations have upped their security practices in the form of MFA, as relying on a single factor such as a password alone can be weak for many reasons.
However, Microsoft said this cybercrime campaign is managing to circumvent the security measure through adversary-in-the-middle (AiTM) phishing.
In these cases, the attacker deploys a proxy server between a target user and the website the user wishes to visit. Microsoft said this impersonation lets the attacker steal both the user’s password during a sign-in session and the session cookie that proves their ongoing and authenticated session with the website.
Microsoft said these session cookies allow the attacker to skip the entire authentication process. The company noted that this is not a vulnerability of MFA itself.
“Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” Microsoft said in a blogpost.
In this phishing campaign, Microsoft found that attackers were targeting Office 365 users by spoofing the Office online authentication page. The company noted that these proxy sites are difficult to spot, as the URL is the only visible difference between the phishing site and the actual one.
Once the threat actors gained access, they were able to get into employee email accounts and trick targets into sending large sums of money, which the victims think is being sent to co-workers or business partners.
To avoid detection, the attackers would also set up inbox rules so certain emails would be automatically moved to an archive folder and marked as read. They also deleted their own emails from the sent items folder.
“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox,” Microsoft said. “Every time the attacker found a new fraud target, they updated the inbox rule they created to include these new targets’ organisation domains.”
Microsoft said organisations should consider complementing MFA protection with additional identity-driven signals such as user or group membership, IP location information and device status.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.