A business email compromise scheme targeting CEOs and CFOs using Microsoft Office 365 combines phishing with a man-in-the-middle attack to defeat multi-factor authentication.
These attacks take advantage of a Microsoft 365 design oversight that allows miscreants to compromise accounts with MFA enabled and achieve persistence in victims’ systems by adding a new, compromised, authentication method allowing them to come back at any time. This is according to Mitiga security researchers, who apparently spotted both the campaign and the Microsoft 365 flaw.
“Leveraging this unrestricted access, the attackers monitor the victim’s email accounts until a substantial transaction is about to happen, and then send a fraudulent email requesting a change of the destination bank account to an account in control of the attackers, effectively stealing those funds,” the incident response firm explained, adding:
First, the victim receives a phishing email that looks to be from DocuSign and even has a legitimate “docusign.net” address. Spoiler alert: it’s spoofed. The Mitiga researchers noted that Microsoft did flag this email as a phishing attempt, but it wasn’t blocked due to a misconfiguration in the client environment.
The phony DocuSign email includes a “Review Document” link, which directs the victim to an attacker-controlled server (this one happened to be in Singapore). After clicking on the malicious link, the exec was asked to log into their Microsoft account using their username and password, and received a prompt on their multi-factor authentication device to authorize the login.
In actuality, the username and password had been collected by the server and sent to Microsoft, generating the MFA authorization request that was accepted, logging the user in and generating a session cookie that on its way back to the user from Microsoft was intercepted and used by the evil server in the middle.
This part of the attack likely uses the evilginx2 framework or a similar toolkit for 2FA phishing, the security researchers wrote, noting that Microsoft has previously warned of crooks using this man-in-the-middle technique for financial fraud.
In any case, the miscreants set up a proxy between the victim and Microsoft’s backend systems to gain the necessary credentials and MFA request to masquerade as the mark.
“The victim is prompted with a genuine MFA request on their MFA device,” according to the analysis. “After approving the request, the Microsoft server returns a valid session cookie, which the adversary sniffs and can then use to assume the victim’s session, without needing to re-enter a password or approve an MFA request.”
At this point, the miscreants can login using the session cookie and start snooping around the victim’s Office 365 environment, scanning Outlook emails and SharePoint files. They’re looking for anything to indicate an upcoming transaction — messages, contracts, etc — to ultimately pull off financial fraud.
Additionally, after stealing the victim’s credentials, the malicious site redirects the victim to a fake DocuSign error page with the hope being that the victim won’t realize they fell for a phish and trigger any security mitigations.
This also means the stolen session cookie remains valid, and the attacker can establish persistence in the 365 environment.
As noted earlier, the criminals use a design weakness in 365 MFA to maintain persistence, which allows them to add a new authenticator app connected to the compromised user’s profile without the victim’s knowledge.
Mitiga said it has reached out to Microsoft, but has not yet received a response. As this is not a vulnerability, there was no need to do a preliminary disclosure.
The issue exists because once a session has been authorized via MFA, Microsoft does not require a new MFA challenge for the duration of the MFA token.
So, for the duration of the token, a user (or attacker, in this case) can access and change the user authentication methods in the Security Info section of the account profile, and add an authenticator app that is under their own control without triggering a new MFA challenge.
This means that once an account has been compromised, even for an extremely short period of time, it is possible to create persistency using this technique
“This means that once an account has been compromised, even for an extremely short period of time, it is possible to create persistency using this technique, so an attacker can then re-authenticate with MFA when the session expires or is revoked,” the researchers said.
“It is important to note that even if an organization puts a strict MFA expiration time of one day, it will still not prevent [the creation of a token] for the attacker with this technique.”
A spokesperson for Microsoft declined to answer our questions about the Mitiga research, and instead gave us this canned statement:
“AitM phishing is important to be aware of, and we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. We recommend that customers use Azure AD Conditional Access to set up specific rules for allowed risk levels, locations, device compliance and other requirements to prevent registration of new creds by adversaries.
“Where possible, we also recommend using phishing-resistant credentials like Windows Hello or FIDO. To help protect customers against this type of attack, Authenticator offers context information to warn the user that their location isn’t familiar or that the app isn’t the one they’re expecting. We’re constantly looking at new ways to better resist phishing to help ensure customer safety.” ®