Executive Summary

Microsoft has released information on a new phishing campaign involving “adversary-in-the-middle” AiTM techniques, which has affected more than 10,000 organisations since September 2021. What is unique about this particular attack method is that it has the potential to bypass Multi-Factor Authentication (MFA). It is important to note that this attack does not make use of a vulnerability within MFA, and that MFA is still a key control in preventing credential compromise.

What’s the risk to me or my business?

As more organisations implement security controls such as MFA, malicious actors will be looking into possibilities of targeting these controls. This particular attack technique involves a proxy server being deployed in between the recipient and a valid targeted website. In short, a targeted user would receive a phishing email, the link to the phishing email would resolve in a valid website, with the traffic being re-directed through the server of a malicious actor. This allows the malicious actor to steal “authenticated session cookies”, after the user has logged into the valid website. The malicious actor can then use the authenticated session cookies to access the valid website with the targeted users credentials, which can then lead to further attacks such as Business Email Compromise as shown in the diagram below.

Figure 1: Overview of AiTM phishing campaign and follow-on BEC (Microsoft 365 Defender Research Team, 2022)

What can I do?

Microsoft recommends implementing conditional access policies, which can limit user access in different scenarios, such as only allowing access to trusted locations, compliant devices or trusted IP addresses. This would prevent a stolen session cookie from granting access to an account outside of these conditions. Anti-Phishing solutions can also be used to block phishing emails from arriving in end-users inboxes, however it is worth noting that these solutions may not be able to block every threat. Where possible, security monitoring should be in place to detect suspicious sign-in attempts, and unusual mailbox activities including external forwarding, rule creation and access from untrusted IP addresses or devices.

It is also critically important that technical controls such as MFA are supplemented with end-user training, including Phishing simulations as it is the primary ingress point for this type of attack.

Technical Summary

Microsoft has published a full breakdown of sample attacks that they have monitored. So far they have followed the following process:

1.       An attacker sends emails containing an HTML file attachment, stating that a voicemail has been received on their Microsoft account. This email follows the same template which is received when a user receives a voicemail via Microsoft Teams.

2.       The user clicks on the HTML attachment, which takes them to a website displaying the mp3 file being downloaded. No actual download takes place, but a progress bar is updated.

3.       The user is then re-directed to a gatekeeper, which confirms that the user has clicked on the html attachment.

4.       The user arrives at a proxied version of the Microsoft Azure Active Directory login page. It is important to note that if an organisation has customised this landing page with their corporate logo then this will also be displayed, making the website seem even more legitimate.

5.       The user enters their credentials which are then authenticated by Microsoft. If MFA is enabled, the user would be prompted for MFA at this stage.

6.       The user is re-directed to the official Microsoft 365 website, while the authenticated session cookies are captured by the attacker, also allowing them into the official Microsoft 365 website.

7.       Microsoft’s research has then shown that the stolen session is used for Business Email Compromise (BEC) attacks, targeting finance related emails within the targeted users inbox to request fraud payments. At this stage however a malicious attacker also has potential to access any 365 service which the targeted user has access to.

Appropriate conditional access controls could prevent an attacker at step 6 from using the stolen cookies to access the targeted users Microsoft 365 account.

A full breakdown of this particular phishing campaign is available here: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

References

Microsoft 365 Defender Research Team. (2022, 07 19). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from Microsoft 365 Defender Research Team Security Blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/