Large-Scale Phishing Campaign Bypasses MFA (Security News, July 2022)
In AiTM (adversary-in-the-middle) phishing the attacker's proxy steals the session cookie, so the attacker is authenticated to a session on the user's behalf regardless of which sign-in method the user completed, researchers said.
Attackers are getting wise to organizations' increasing use of MFA to better secure user accounts, and are building more sophisticated phishing attacks like these that can bypass it, a security professional noted.
"While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie, and because the session cookie shows that MFA was already used to log in, the attackers can often circumvent the need for MFA when they log in to the account again later using the stolen password," observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.
This approach is especially convenient for threat actors because it spares them from crafting their own phishing sites, as conventional phishing campaigns require: the proxy simply relays the real sign-in page to the victim and records what passes through it, researchers noted.
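The mechanism described above, as an added illustration that is not code from the article, from Microsoft's report or from the campaign itself: a toy identity provider issues a session cookie that records "MFA satisfied", the victim signs in through a relaying proxy, the proxy keeps the password and the Set-Cookie value, and the attacker later replays the cookie from another machine. A second configuration of the same toy site models a hardened design in which each request must carry a proof of possession from a device key enrolled before the phishing session (a simplified, assumed stand-in for device-bound sessions); there the replayed cookie is rejected. All users, secrets and "devices" are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: one user with a password and a TOTP-style code.
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}


def _proof(key, cookie, nonce):
    """Proof of possession: HMAC over the cookie and a one-time server nonce."""
    return hmac.new(key, f"{cookie}:{nonce}".encode(), hashlib.sha256).hexdigest()


class Site:
    """Toy identity provider. proof_of_possession=False is the common design in
    which a valid cookie alone proves the session (the case AiTM exploits)."""

    def __init__(self, proof_of_possession=False):
        self.pop = proof_of_possession
        self.device_keys = {}   # user -> device key enrolled out of band
        self.sessions = {}      # cookie -> session record
        self.nonces = set()     # outstanding one-time challenges

    def enroll_device(self, user, key):
        self.device_keys[user] = key

    def challenge(self):
        n = secrets.token_hex(8)
        self.nonces.add(n)
        return n

    def login(self, user, password, otp):
        rec = USERS.get(user)
        if rec is None:
            return None
        if not (hmac.compare_digest(rec["password"], password)
                and hmac.compare_digest(rec["otp"], otp)):
            return None
        cookie = secrets.token_urlsafe(32)
        # The cookie records that MFA was satisfied; later requests never re-check.
        self.sessions[cookie] = {"user": user, "mfa_done": True}
        return cookie

    def access(self, cookie, nonce=None, proof=None):
        """Return the user for an accepted request, or None if rejected."""
        s = self.sessions.get(cookie)
        if s is None or not s["mfa_done"]:
            return None
        if self.pop:
            if nonce not in self.nonces:
                return None          # unknown or already-consumed challenge
            self.nonces.discard(nonce)
            expected = _proof(self.device_keys[s["user"]], cookie, nonce)
            if proof is None or not hmac.compare_digest(expected, proof):
                return None
        return s["user"]


class Device:
    """The victim's enrolled device; the key never leaves it."""

    def __init__(self, key):
        self.key = key

    def prove(self, cookie, nonce):
        return _proof(self.key, cookie, nonce)


class AitmProxy:
    """Relays the victim's traffic to the real site and records what passes."""

    def __init__(self, site):
        self.site = site
        self.captured = {}

    def relay_login(self, user, password, otp):
        self.captured["password"] = password
        cookie = self.site.login(user, password, otp)
        self.captured["cookie"] = cookie      # Set-Cookie passes back through the proxy
        return cookie

    def relay_access(self, cookie, nonce, proof):
        self.captured["last_proof"] = (nonce, proof)
        return self.site.access(cookie, nonce, proof)


def run_attack(proof_of_possession):
    """Victim signs in through the proxy; the attacker later replays the cookie."""
    site = Site(proof_of_possession)
    victim = Device(b"victim-device-key")
    site.enroll_device("alice", victim.key)
    proxy = AitmProxy(site)

    cookie = proxy.relay_login("alice", "correct horse", "123456")
    n = site.challenge()
    victim_ok = proxy.relay_access(cookie, n, victim.prove(cookie, n))

    # Attacker on their own machine, holding the captured cookie and password.
    attacker = Device(b"attacker-key")              # not enrolled with the site
    n2 = site.challenge()
    fresh = site.access(cookie, n2, attacker.prove(cookie, n2))
    old_n, old_p = proxy.captured["last_proof"]
    replayed = site.access(cookie, old_n, old_p)    # captured proof, spent nonce
    return {"victim": victim_ok, "fresh": fresh, "replay_old_proof": replayed}
```

With `proof_of_possession=False` the replay succeeds even though the attacker never saw the OTP, which is exactly why a stolen cookie sidesteps MFA. With it enabled, neither a forged proof nor a captured one is accepted, because the enrolled key is not on the proxy's path and each challenge is single-use; note that this only models the session-binding property, and a real deployment would rely on phishing-resistant authenticators or device-bound tokens rather than this toy HMAC scheme.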
In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations.
In the phishing email chain that researchers observed, the threat actor used the stolen session to carry out payment fraud in follow-on attacks launched from inside the organization, researchers said.
News URL: https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/