If our sessions don’t expire, what is the purpose of having an MFA?
Microsoft claims hackers can access Outlook email accounts even if they are secured by multi-factor authentication.
In 2021, the company’s cybersecurity teams from the Threat Intelligence Center and the Microsoft 365 Defender Research Team discovered a new large-scale phishing attempt that targeted over 10,000 organizations.
The hacked email accounts were then utilized in business email compromise (BEC) attacks. These attacks rob the victim’s business partners, clients, and customers.
Stealing session cookies
A phishing email is sent to the target with a link to access their Outlook account. However, the link would take users to a proxy site that appeared to be similar to the original one. When the victim tries to log in, the proxy site allows it, passing all of the data through.
The attacker takes the session cookie once the victim had completed the authentication procedure. As users don’t have to reauthenticate for every page they visit. Meanwhile, the hacker has complete access.
According to Microsoft when an affected account logs into the phishing site for the first time, the attacker utilizes the stolen session cookie to authenticate to Outlook online. More often the cookies contained MFA claims. This implies that even if the business had an MFA policy, the attacker exploited the session cookie to acquire access on behalf of the affected account.
After gaining access to the email account the attackers then proceed with targeting the contacts in the inbox. They use these stolen identities in an attempt to deceive them into transferring payments of varying sums.
The attackers set up inbox rules on the endpoint like marking their emails as read by default and quickly transferring them to the archive. It’s done to ensure that the victim is unaware that their email accounts are being misused. They would also check their emails regularly.
One creative attacker completed numerous fraud attempts at the same time from the same hacked email. Every time the crook discovered a new target, they would update the rule they developed to add this new organization’s domains to the list.