Clever Phishing Attack Bypasses MFA to Nab Microsoft Office 365 Credentials (Security News, May 2020)

A new phishing campaign can bypass multi-factor authentication on Office 365 to access victims' data stored on the cloud and use it to extort a Bitcoin ransom or even find new victims to target, security researchers have found.
The attack differs from a typical credential harvester in that it tricks users into granting permissions to a malicious application, which lets the attacker bypass MFA, Hernandez said.
The most basic attack can steal all the victims' email and access cloud hosted documents containing sensitive or confidential information.
Applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations, but must first obtain an access token from the Microsoft Identity Platform, Hernandez explained.
The entire URL used in the attack includes key parameters that show how the attacker can trick a victim into giving a rogue application permissions to access his or her account.
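As an added defender-side illustration (not code from the article or from the researchers), the check below parses an OAuth 2.0 authorization request URL of the kind the campaign relies on and flags what a reviewer would look at: an application ID not on the tenant's allowlist, a redirect host that is not vetted, and high-privilege Microsoft Graph scopes such as mail and file access or `offline_access`. The parameter names are the standard ones the Microsoft identity platform uses; the allowlists and the sample URL are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Real Microsoft Graph delegated permission names; treating them as high risk is an example policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}
# Hypothetical allowlist of application (client) IDs the tenant has vetted.
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}
# Hypothetical allowlist of redirect_uri hosts belonging to those vetted apps.
KNOWN_REDIRECT_HOSTS = {"app.example.com"}


def analyze_consent_url(url, known_clients=KNOWN_CLIENT_IDS, known_hosts=KNOWN_REDIRECT_HOSTS):
    """Return findings for an authorization request URL; verdict is 'allow' or 'review'."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)  # decodes %20 in scope and %3A%2F%2F in redirect_uri
    client_id = qs.get("client_id", [""])[0]
    scopes = set(qs.get("scope", [""])[0].split())
    redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).hostname or ""
    findings = []
    if parts.hostname != "login.microsoftonline.com" or not parts.path.endswith("/authorize"):
        findings.append("not a Microsoft identity platform authorize endpoint")
    if client_id not in known_clients:
        findings.append(f"unknown client_id {client_id!r}")
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(sorted(risky)))
    if redirect_host not in known_hosts:
        findings.append(f"redirect_uri host {redirect_host!r} not on allowlist")
    return {"client_id": client_id, "scopes": scopes, "risky_scopes": risky,
            "verdict": "review" if findings else "allow", "findings": findings}


# Constructed sample request (the client_id and redirect host are placeholders, not real values).
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All&prompt=consent"
)

if __name__ == "__main__":
    for line in analyze_consent_url(SAMPLE_URL)["findings"]:
        print("-", line)
```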
News URL: https://threatpost.com/phishing-campaign-allows-for-mfa-bypass-on-office-365/155864/
Related news
- Fake Microsoft Office add-in tools push malware via SourceForge
- Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- Ukrainian military targeted in new Signal spear-phishing attacks
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks
- Microsoft’s new AI agents take on phishing, patching, alert fatigue
- After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot
- Microsoft: New Windows scheduled task will launch Office apps faster
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware