Ongoing phishing campaigns can hack you even if you are protected with MFA



On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts if they are protected with multi-factor authentication measures to prevent such takeovers. The threat actors behind the operation, which have targeted 10,000 organizations since September, have used their covert access to victims’ email accounts to trick employees into sending money to the hackers.

Multi-factor authentication — also known as two-factor authentication, MFA, or 2FA — is the gold standard for account security. It requires the account user to prove their identity in the form of something they possess or control (a physical security key, a fingerprint, or a face or retina scan) in addition to something they know (their password). As the growing use of MFA has hampered account takeover campaigns, attackers have found ways to fight back.

The adversary in the middle

Microsoft observed a campaign in which an attacker-controlled proxy site was inserted between the account users and the work server they were attempting to log in to. When the user entered a password into the proxy site, the proxy site sent it to the real server and then forwarded the real server’s response back to the user. Once authentication was complete, the threat actor stole the session cookie that the legitimate website had set so that the user would not have to re-authenticate on each new page visited. The campaign started with a phishing email carrying an HTML attachment that led to the proxy server.

The phishing website that intercepts the authentication process.

“Our observation is that after a compromised account’s initial login to the phishing website, the attacker used the stolen session cookie to authenticate to Outlook online,” members of the Microsoft 365 Defender research team and the Microsoft Threat Intelligence Center wrote in a blog entry. “In several cases, the cookies had an MFA claim, meaning the attacker used the session cookie to gain access on behalf of the compromised account, even if the organization had an MFA policy.”

In the days following the cookie theft, attackers accessed employee email accounts looking for messages they could use in business email compromise scams that tricked targets into transferring large sums of money into accounts that they believed belonged to employees or business partners. The attackers used these email threads and the hacked employee’s fake identity to persuade the other party to make a payment.

To prevent the hacked employee from discovering the compromise, the attackers created inbox rules that automatically moved certain emails to an archive folder and marked them as read. Over the next few days, the attacker logged in regularly to check for new emails.

“Once, the attacker ran multiple fraud attempts simultaneously from the same compromised mailbox,” the blog authors wrote. “Every time the attacker found a new fraud target, they would update the inbox rule they created to include the corporate domains of those new targets.”
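The inbox rules described above (move matching mail to Archive, mark it read, widen the sender filter as new targets appear) leave a trace in mailbox audit events. The following is an added example, not Microsoft’s or the article’s code, that flags such rules; the audit records are constructed to resemble Exchange Online New-InboxRule / Set-InboxRule events and the addresses are placeholders.

```python
"""Flag inbox rules that silently archive and mark-as-read selected mail.
Added example; records below are constructed, not real telemetry."""
import json

# Constructed sample audit records. Parameter names follow the Exchange
# Online New-InboxRule / Set-InboxRule cmdlets.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "Sync"},
         {"Name": "FromAddressContainsWords", "Value": "partner-example.com"},
         {"Name": "MoveToFolder", "Value": "Archive"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    # The same rule widened to a second target domain (the update pattern
    # the blog authors describe).
    {"Operation": "Set-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Identity", "Value": "Sync"},
         {"Name": "FromAddressContainsWords",
          "Value": "partner-example.com;vendor-example.net"},
         {"Name": "MoveToFolder", "Value": "Archive"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    # Benign rule: moves newsletters but does not mark them read.
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.4", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING_FOLDERS = {"archive", "rss subscriptions", "deleted items", "junk email"}
FILTER_KEYS = ("FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords")

def params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_hiding_rule(record):
    """True when a rule both hides matching mail and marks it read."""
    if record.get("Operation") not in RULE_OPS:
        return False
    p = params(record)
    hides = p.get("MoveToFolder", "").lower() in HIDING_FOLDERS or p.get("DeleteMessage") == "True"
    return hides and p.get("MarkAsRead") == "True" and any(k in p for k in FILTER_KEYS)

def find_hiding_rules(records):
    findings = []
    for r in filter(is_hiding_rule, records):
        p = params(r)
        terms = [t for k in FILTER_KEYS for t in p.get(k, "").split(";") if t]
        findings.append({"user": r["UserId"], "ip": r.get("ClientIP"),
                         "op": r["Operation"], "rule": p.get("Name") or p.get("Identity"),
                         "terms": terms})
    return findings

if __name__ == "__main__":
    for finding in find_hiding_rules(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

A Set-InboxRule hit on a rule that was already flagged is worth correlating with the login that created it, since the page notes the attacker returned regularly to update the rule.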

Overview of the phishing campaign and subsequent BEC scam.

It’s so easy to fall for scammers

The blog post shows how easy it can be for employees to fall for such scams. The sheer volume of email and the workload often make it difficult to tell if a message is authentic. Using MFA already signals that the user or organization is practicing good security hygiene. One of the few visually suspicious elements of the scam is the domain name used on the proxy site’s landing page. However, given the opacity of most organization-specific login pages, even the sketchy domain name is not a surefire sign.

Example of a phishing landing page

Nothing in Microsoft’s narrative should suggest that using MFA isn’t one of the most effective ways to prevent account takeovers. However, not all MFA is created equal. One-time authentication codes, even when sent via SMS, are far better than nothing, but they remain vulnerable to more exotic abuses of the SS7 protocol used to deliver text messages.

The most effective forms of MFA available are those that conform to the standards set by the industry FIDO Alliance. These types of MFA use a physical security key, which can come as a dongle from companies like Yubico or Feitian, or even as an Android or iOS device. Authentication can also be done through a fingerprint or retina scan, and the biometric data never leaves the end-user device, which prevents it from being stolen. What all FIDO-compliant MFA has in common is that it cannot be phished and uses back-end systems that are resistant to these types of ongoing campaigns.
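What makes FIDO/WebAuthn resistant to the proxy attack above is that the browser, not the web page, writes the origin it is actually on into the signed client data, and the relying party rejects anything whose origin or rpIdHash does not match its own. The following is an added example, not Microsoft’s or the article’s code, showing only those two checks of the assertion flow (signature verification is omitted); the relying-party id, origins and challenge are constructed.

```python
"""Origin and rpId binding in a WebAuthn assertion. Added example with
constructed values; no signature verification is performed."""
import base64
import hashlib
import json

RP_ID = "example.com"                        # assumed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Models what the browser builds: the origin is the page the user is
    # really on, so a proxy site cannot claim the genuine origin.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> bool:
    """Relying-party side: challenge, origin and rpIdHash must all match."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False                          # replay or cross-session reuse
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                          # a proxied login fails here
    # authenticatorData starts with SHA-256(rpId); it is signed by the key.
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()

def demo():
    challenge = b"\x01" * 32                  # constructed; real ones are random
    # rpIdHash (32 bytes) + flags (UP|UV) + 4-byte signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    # Attacker-controlled proxy origin (placeholder domain): same password
    # flow as in the article, but the browser stamps the proxy's origin.
    proxied = make_client_data("https://login.example-portal.net", challenge)
    return (verify_assertion_context(genuine, auth_data, challenge),
            verify_assertion_context(proxied, auth_data, challenge))

if __name__ == "__main__":
    print(demo())                             # (True, False)
```

In practice the browser would not even offer the example.com credential on the proxy’s origin, because the rpId must be a registrable suffix of the page origin; the server-side check is the second line of defense.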
