attack bypasses two-factor authentication

Microsoft has just discovered a phishing campaign that targets companies and has already hit more than 10,000 organizations since September 2021. Thanks to a sophisticated technique, the perpetrators can access the victims' accounts even when two-factor authentication is enabled. The campaign was detected by Microsoft, which has published a report on its site.

Usually, phishing attacks rely on a fake site that looks as much like the real one as possible, with a fake login page that sends the credentials to the attacker. This new attack is much more sophisticated because it displays the real site through a proxy. It is aimed more specifically at Office 365 users and mimics the Office login page.

Cookie theft to bypass multi-factor authentication

Victims receive an email containing an HTML file as an attachment, for example a message telling them that they have received a voicemail. When the victim opens the attachment in the browser, it redirects them to the fake site, which asks them to log in. The HTML file also passes the victim's email address to the fake site, which pre-populates the login form to reassure and mislead the victim. So far, nothing very surprising. What distinguishes this from classic attacks is the use of a proxy. The fake site holds two sessions, one with the victim and one with the copied site, and streams the pages from one to the other. The only visible difference between the real site and the phishing site is therefore the address in the browser's address bar.

The victim signs in and their credentials are forwarded to the original site. If multi-factor authentication is enabled, it works as usual. The real site then sends a session cookie, which the fake site copies before passing it on to the victim. Finally, the victim is redirected to a page where they are already signed in thanks to this cookie.

The session cookie is precisely what the attackers are after. It is the element every website uses to prove that the user has already authenticated; it avoids asking for the password each time the user moves from one page to another. Here, the attackers can use the stolen session cookie to access the victim's account without ever authenticating themselves, and thus without facing the two-factor authentication prompt.

Access to perform manual fraud

The phishing campaign is only half of the attack. The attackers then used the access to commit payment fraud. Microsoft found that less than five minutes after obtaining the session cookie, the attackers broke into the victim's Outlook account looking for exchanges about invoices or payments. Once a target had been located, they were free to reply to the last message received and attempt to scam this new victim by demanding payment. This second part of the attack is therefore carried out entirely by hand. So as not to be detected by the mailbox owner, the attackers added a rule in Outlook that archives any reply from the correspondent and then deletes any email they sent.
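The inbox rule is the most visible trace the second half of the attack leaves in audit logs. As an added example (not part of the original article or of Microsoft's report), the following detection runs over a constructed audit log and flags a rule that hides mail when it was created within a short window of a sign-in from an address the user had never used before. The JSON fields (`op`, `user`, `ip`, `params`, and the `New-InboxRule` / `UserLoggedIn` operation names) imitate Exchange and Entra audit records but are an assumed schema, and all addresses and users are invented.

```python
"""Detection for the second half of the attack: an inbox rule that hides a
correspondent's replies, created shortly after the mailbox was reached from an
address the user had never signed in from. Constructed example; the JSON
fields below imitate Exchange/Entra audit records but are an assumed schema."""
import json
from datetime import datetime, timedelta

# Constructed audit log, one JSON object per line, times in UTC.
# alice: normal sign-in, then a sign-in from a new address and, minutes later,
#        a rule that moves invoice/payment mail to Archive (the attack pattern).
# bob:   benign rule that files newsletters.
# carol: archive rule, but created from an address she has used before.
SAMPLE_LOG = """
{"time": "2022-07-10T08:40:00Z", "op": "UserLoggedIn", "user": "carol@corp.test", "ip": "203.0.113.31"}
{"time": "2022-07-11T08:55:00Z", "op": "UserLoggedIn", "user": "alice@corp.test", "ip": "203.0.113.10"}
{"time": "2022-07-12T09:00:12Z", "op": "UserLoggedIn", "user": "alice@corp.test", "ip": "203.0.113.10"}
{"time": "2022-07-12T09:04:31Z", "op": "UserLoggedIn", "user": "alice@corp.test", "ip": "198.51.100.7"}
{"time": "2022-07-12T09:07:02Z", "op": "New-InboxRule", "user": "alice@corp.test", "ip": "198.51.100.7", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "Archive", "MarkAsRead": true}}
{"time": "2022-07-12T10:30:00Z", "op": "New-InboxRule", "user": "bob@corp.test", "ip": "203.0.113.22", "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news"], "MoveToFolder": "Newsletters"}}
{"time": "2022-07-12T11:00:00Z", "op": "UserLoggedIn", "user": "carol@corp.test", "ip": "203.0.113.31"}
{"time": "2022-07-12T11:02:00Z", "op": "New-InboxRule", "user": "carol@corp.test", "ip": "203.0.113.31", "params": {"Name": "Old threads", "MoveToFolder": "Archive"}}
"""

# Folders a mailbox owner rarely looks at; a rule that files replies there
# keeps the conversation out of sight (assumed list, extend for your tenant).
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "conversation history"}


def parse_log(text: str) -> list:
    """Parse one JSON event per line and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_hides_mail(params: dict) -> bool:
    """True when the rule deletes mail or files it somewhere the owner will not see it."""
    if params.get("DeleteMessage"):
        return True
    return params.get("MoveToFolder", "").lower() in HIDING_FOLDERS


def find_suspicious_rules(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag hiding rules created within `window` of a sign-in from an IP
    that does not appear in the user's sign-ins older than the window."""
    findings = []
    for ev in events:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        if not rule_hides_mail(ev.get("params", {})):
            continue
        logins = [e for e in events if e["op"] == "UserLoggedIn" and e["user"] == ev["user"]]
        baseline = {e["ip"] for e in logins if e["ts"] < ev["ts"] - window}
        recent_new = [e for e in logins
                      if ev["ts"] - window <= e["ts"] <= ev["ts"] and e["ip"] not in baseline]
        if recent_new:
            findings.append({
                "user": ev["user"],
                "rule_time": ev["time"],
                "rule_ip": ev["ip"],
                "new_login_ips": sorted({e["ip"] for e in recent_new}),
                "minutes_after_login": round((ev["ts"] - recent_new[0]["ts"]).total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(parse_log(SAMPLE_LOG)):
        print(f)
```

Only alice's rule is reported: bob's rule files mail in a folder the owner reads, and carol's archive rule was created from an address already in her baseline. In production the baseline should come from weeks of sign-in history rather than the same log slice, and a rule that deletes sent items (the second thing the attackers did) would be caught by the `DeleteMessage` branch.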

To protect yourself, Microsoft advises companies to set up conditional access based, for example, on the location of the IP address or the status of the device used. On the user side, a password manager should be enough to avoid falling victim to this type of attack, because it only offers the saved credentials on the domain they were saved for, and the address is the one detail the proxy cannot copy.
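The cookie-theft flow described above, together with the conditional-access control Microsoft recommends, as an added simulation (this is illustrative code, not code from Microsoft's report or from the campaign): a stand-in login service that checks a password and a one-time code and then issues a bearer cookie, a proxy that relays the sign-in and keeps a copy of every Set-Cookie, and an attacker who replays the copy. The hostnames, the `SESSION` cookie name, the trusted network `203.0.113.0/24` and the `device_id` claim are all invented assumptions; real Azure AD device compliance is asserted differently, but the property that matters is the same: the proxy cannot present it.

```python
"""Simulated adversary-in-the-middle (AiTM) phishing, as described above.
Everything here is constructed for illustration: the hostnames, credentials,
cookie name, trusted network and device claim are invented stand-ins."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional

REAL_ORIGIN = "login.real-site.test"     # assumed stand-in for the genuine login host
PHISH_ORIGIN = "login.rea1-site.test"    # assumed lookalike host where the proxy lives
PROXY_IP = "198.51.100.7"                # the proxy forwards with its own address, not the victim's
CORP_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed "trusted location"


@dataclass
class Request:
    host: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    client_ip: str = "0.0.0.0"
    device_id: Optional[str] = None  # assumed claim a managed browser sends; the proxy cannot forge it


@dataclass
class Response:
    status: int
    body: str
    set_cookie: dict = field(default_factory=dict)


class RealSite:
    """Password + one-time code at /login, then a bearer session cookie."""
    COOKIE = "SESSION"

    def __init__(self):
        self.users = {"alice@real-site.test": ("hunter2", "246810")}
        self.sessions = {}  # cookie value -> user

    def sign_in_allowed(self, req: Request) -> bool:
        return True  # no conditional access

    def handle(self, req: Request) -> Response:
        if req.path == "/login":
            user = req.form.get("user")
            pwd, otp = self.users.get(user, (None, None))
            if pwd is None or req.form.get("password") != pwd or req.form.get("otp") != otp:
                return Response(401, "bad credentials")
            if not self.sign_in_allowed(req):
                return Response(403, "blocked by conditional access")
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return Response(302, "/inbox", set_cookie={self.COOKIE: token})
        if req.path == "/inbox":
            # Only the cookie is checked: whoever holds it is the user.
            user = self.sessions.get(req.cookies.get(self.COOKIE, ""))
            if user is None:
                return Response(401, "login required")
            return Response(200, f"inbox of {user}")
        return Response(404, "")


class ConditionalAccessSite(RealSite):
    """Same site, but sign-ins must come from a trusted network or a managed device."""
    def sign_in_allowed(self, req: Request) -> bool:
        from_corp = ipaddress.ip_address(req.client_ip) in CORP_NET
        return from_corp or req.device_id is not None


class AitmProxy:
    """Relays every request to the real site and keeps a copy of each Set-Cookie."""
    def __init__(self, upstream: RealSite):
        self.upstream = upstream
        self.stolen = {}

    def handle(self, req: Request) -> Response:
        # Forward the victim's form data verbatim; upstream sees the proxy's IP and no device claim.
        upstream_req = Request(REAL_ORIGIN, req.path, dict(req.form), dict(req.cookies), PROXY_IP)
        resp = self.upstream.handle(upstream_req)
        self.stolen.update(resp.set_cookie)
        return resp  # the page, and the cookie, are streamed back to the victim unchanged


def run_attack(site: RealSite) -> tuple:
    """Returns (victim's login status, attacker's replay status)."""
    proxy = AitmProxy(site)
    victim_login = proxy.handle(Request(
        PHISH_ORIGIN, "/login",
        form={"user": "alice@real-site.test", "password": "hunter2", "otp": "246810"},
        client_ip="203.0.113.10", device_id="managed-laptop-01"))
    # The attacker replays the copied cookie from their own machine, never touching MFA.
    attacker = site.handle(Request(REAL_ORIGIN, "/inbox", cookies=dict(proxy.stolen),
                                   client_ip="192.0.2.44"))
    return victim_login.status, attacker.status


if __name__ == "__main__":
    print("no conditional access:", run_attack(RealSite()))               # (302, 200)
    print("conditional access:   ", run_attack(ConditionalAccessSite()))  # (403, 401)
```

Without conditional access the victim's MFA sign-in succeeds (302) and the attacker reads the inbox with the copied cookie (200) without ever seeing a second-factor prompt. With the rule in place, the real site sees the sign-in arrive from the proxy's own address with no device claim and refuses it (403), so no cookie is issued and the replay fails (401). Note that the IP condition only works because the real site sees the proxy, not the victim; a proxy hosted inside a trusted range would pass, which is why the device condition is the stronger of the two.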
