Security News > 2022 > July > This big phish can swim around MFA, says Microsoft Security
Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a business email compromise campaign, in this case payment fraud, according to Microsoft security researchers.
"While AiTM phishing isn't new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign - including cloud-based attack attempts - through cross-domain threat data from Microsoft 365 Defender," researchers from the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center wrote in a blog post.
While MFA is another layer of protection against credential theft being adopted, criminals also are developing ways to bypass it, including AiTM attacks.
Erich Kron, security awareness advocate for KnowBe4, told The Register that such attacks will become more common as organizations embrace MFA. "While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie - and because the session cookie shows that MFA was already used to login - the attackers can often circumvent the need for MFA when they log into the account again later using the stolen password," Kron said.
"In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account," The analysts wrote.
For days after stealing the cookie, the attacker got into finance-related emails and file attachments every few hours and searched for outgoing email threads to find any that could be using in payment fraud schemes.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/07/13/aitm-phishing-microsoft/
Related news
- Microsoft Entra "security defaults" to make MFA setup mandatory (source)
- Black Basta operators phish employees via Microsoft Teams (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps (source)
- Microsoft Ignite 2024 Unveils Groundbreaking AI, Security, and Teams Innovations (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)
- Microsoft announces new and improved Windows 11 security features (source)
- Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity (source)
- Security? We've heard of it: How Microsoft plans to better defend Windows (source)
- Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks (source)