Security researchers have discovered a wide-reaching phishing campaign that attempts to phish for Microsoft email credentials in order to compromise business accounts. Even worse, it can bypass Multi-Factor Authentication (MFA).
Whilst password managers can be used to create passwords long enough to withstand brute-forcing attacks, MFA-busting techniques are starting to become increasingly common.
The threat actor, in this case, is still on the loose and creating malicious domains at a “relentless” pace.
Phishing for a Catch
Researchers from security firm Zscaler noticed a sharp uptick in the number of phishing attempts taking place across specific industries.
All the phishing attacks, according to the security team, began with an email sent to the victim. Some of the malicious links were located in the email copy, whereas others were loaded into a HTML file.
The attackers have set up a number of new domains, many of which use a classic technique from phishing campaigns called typo-squatting (creating a phishing domain that is a legitimate domain name spelled slightly incorrectly). These attacks are targeting end users in Enterprise-level companies.
Once the malicious code gets to work and a given business account is compromised, that same account is then used to send further phishing emails to other business accounts.
Sectors affected include lending, insurance, accounting, and federal credit unions in the US, Australia, UK and New Zealand.
This threat was ongoing when Zscaler published its report less than 48 hours ago. They tracked the threat actor registering domains.
How Is the Threat Actor Bypassing MFA?
MFA can thwart a lot of phishing campaigns because even if the threat actor manages to obtain a person’s account credentials, they can’t get past the MFA barrier.
The threat actors are using what is called an “Adversary in the Middle” (AiTM) technique to bypass MFA, a function of the phishing kits being used here.
The security community is aware of popular AiTM kits that do the rounds, but Zscaler’s team thinks this is a custom kit.
The kits allow the threat actor to operate a proxy in between the person’s device (or the “client) and the mail server they’re sending requests to (hence “in the middle”).
The proxy means the threat actor can relay all the information between the client and the server.
MFA Weaknesses Reinforce Need for Strong Passwords
Multifactor authentication methods, unfortunately, aren’t as secure as they used to be. Hackers and scammers have developed new techniques that are becoming increasingly common to bypass it.
Sim-swapping — the process of impersonating a victim whilst on the phone to their telephone carrier to essentially swap their number to a SIM to your phone, and thus receive their two-factor authentication text — has been one method that hackers have used to steal cryptocurrency.
MFA's fragility places a renewed importance on two things: firstly, training all staff in your organization to be able to spot the telltale signs of a phishing campaign and protect themselves, and secondly, having a sufficiently strong first line of defense: long, unique, diverse passwords.
The best way to ensure everyone in your organization has a strong password is with a password manager. Password managers facilitate the creation of not just sufficiently long, but also completely unique passwords for every site your staff have an account on.
Multi-factor authentication methods are not the silver bullet in the world of account security that many thought they once were. So, make sure to use all the resources at your disposal — it’s better to be safe than sorry.