This big phish can swim around MFA, says Microsoft Security
Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a business email compromise campaign, in this case payment fraud, according to Microsoft security researchers.
"While AiTM phishing isn't new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign - including cloud-based attack attempts - through cross-domain threat data from Microsoft 365 Defender," researchers from the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center wrote in a blog post.
While MFA is being adopted as another layer of protection against credential theft, criminals are also developing ways to bypass it, including AiTM attacks.
Erich Kron, security awareness advocate for KnowBe4, told The Register that such attacks will become more common as organizations embrace MFA. "While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie - and because the session cookie shows that MFA was already used to login - the attackers can often circumvent the need for MFA when they log into the account again later using the stolen password," Kron said.
"In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account," the analysts wrote.
For days after stealing the cookie, the attacker got into finance-related emails and file attachments every few hours and searched for outgoing email threads to find any that could be used in payment fraud schemes.
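One way to hunt for the session-cookie reuse described above, added here as an example and not taken from Microsoft's or The Register's material: it flags a session that completed MFA on one client and was later used from a different IP address or user agent, and reports how often and over what time span. The event tuples, field layout and values are constructed and hypothetical, not a real product's log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events (timestamp, user, session id, ip, user agent, event type).
# The layout is hypothetical, not a real product's log schema.
EVENTS = [
    ("2022-07-01T09:00", "alice", "s1", "198.51.100.10", "Edge/103", "mfa_signin"),
    ("2022-07-01T09:05", "alice", "s1", "198.51.100.10", "Edge/103", "mail_read"),
    ("2022-07-01T13:00", "alice", "s1", "203.0.113.77", "Chrome/102", "mail_read"),
    ("2022-07-01T17:10", "alice", "s1", "203.0.113.77", "Chrome/102", "mail_search"),
    ("2022-07-02T08:30", "alice", "s1", "203.0.113.77", "Chrome/102", "mail_read"),
    ("2022-07-01T10:00", "bob", "s2", "198.51.100.20", "Firefox/102", "mfa_signin"),
    ("2022-07-01T15:00", "bob", "s2", "198.51.100.20", "Firefox/102", "mail_read"),
]


def find_replayed_sessions(events):
    """Return {session: summary} for sessions used by a client that never did MFA."""
    origin = {}                  # session -> (user, ip, ua) that completed MFA
    foreign = defaultdict(list)  # session -> [(time, ip, ua)] from other clients
    # ISO timestamps sort lexicographically, so sorted() yields time order.
    for ts, user, sid, ip, ua, kind in sorted(events):
        if kind == "mfa_signin":
            origin[sid] = (user, ip, ua)
        elif sid in origin and (ip, ua) != origin[sid][1:]:
            # The session carries the MFA claim, but this client did not earn it.
            foreign[sid].append((datetime.fromisoformat(ts), ip, ua))
        # Sessions whose MFA sign-in is not in the data are skipped, not guessed at.
    findings = {}
    for sid, hits in foreign.items():
        user, ip, ua = origin[sid]
        findings[sid] = {
            "user": user,
            "mfa_client": (ip, ua),
            "other_clients": sorted({(h[1], h[2]) for h in hits}),
            "uses": len(hits),
            "span_hours": (hits[-1][0] - hits[0][0]).total_seconds() / 3600,
        }
    return findings


if __name__ == "__main__":
    for sid, finding in find_replayed_sessions(EVENTS).items():
        print(sid, finding)
```

Roaming and VPN clients change IP address legitimately, so a hit is a lead to correlate with other signals rather than a verdict.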
News URL
https://go.theregister.com/feed/www.theregister.com/2022/07/13/aitm-phishing-microsoft/