Microsoft has just discovered a campaign of phishing (or phishing) which targets companies and has already targeted more than 10,000 organizations since September 2021. Thanks to a sophisticated technique, perpetrators can break into victims’ accounts, even if they have activated thetwo-factor authentication. The campaign was detected by Microsoftwho has published a report on his site.
Usually, type attacks phishing rely on a fake site, which looks as close to the real one as possible, with a fake login page that sends credentials to the author. This new attack is much more sophisticated because it displays the real site through a proxy. It is more specifically aimed at users ofOffice 365 mimicking the Office login page.
Cookie theft to avoid multi-factor authentication
Victims receive an email containing a file HTML as an attachment. This is, for example, a message telling them that they have received a voice message. The victim clicks to open the attachment in the browser, which redirects to the fake site that asks them to log in. The HTML file also transmits the e-mail address to the fake site, which is then pre-filled, in order to reassure and better deceive the victim. So far, nothing very surprising. What changes from classic attacks is the use of a proxy. The fake site creates two sessions, one with the victim, and one with the copied site, and relays the pages. Thus, the only difference between the real site and the site of phishing is the address.
The victim identifies himself, and his information is relayed to the original site. If she has multi-factor authentication enabled, it will work as usual. The site then sends back a session cookie, copied by the fake site and transmitted to the victim. Finally, the victim is redirected to office.com where he is identified thanks to this cookie.
The target of hackers is precisely the session cookie. This is an element used by all websites to justify that the user is already authenticated. This avoids having to ask him for his password each time he navigates from one page to another. In this case, hackers can use the stolen session cookie to access the victim’s account without ever having to identify themselves, and therefore without being confronted with the request for two-factor authentication.
Access to carry out manual fraud
The phishing campaign is only half of the attack. The authors then used the access to proceed to fraud on payments. Microsoft detected that less than five minutes after obtaining the session cookie, the hackers broke into the victim’s Outlook account looking for exchanges regarding invoices or payments. Once a target has been located, they are free to respond to the last message received and attempt to scam this new victim by demanding payment. This second part of the attack is therefore carried out entirely manually. In order not to be spotted by the owner of the mailbox, the hackers added a filter in Outlook which archives any response from the correspondent, then deleted any e-mail sent.
To protect himself, Microsoft advises companies to set up conditional access, based for example on the location of IP address or the status of the device used. On the user side, a password manager should suffice to avoid falling victim to this kind of attack.
Reading ideas for the summer with Futura?
To celebrate the start of the holidays, we offer you the Mag Futura at the preferential price of 15 € instead of 19 €, i.e. a reduction of 20% !
What is Mag Futura?
- Our first paper journal of more than 200 pages to make science accessible to as many people as possible
- 4 major scientific questions for 2022, from the Earth to the Moon
- Home delivery*
*Special offer valid until July 19. Delivery is made in France (excluding metropolitan France), Switzerland, Belgium.
Interested in what you just read?