This big phish can swim around MFA, says Microsoft Security
Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a business email compromise campaign, in this case payment fraud, according to Microsoft security researchers.
"While AiTM phishing isn't new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign - including cloud-based attack attempts - through cross-domain threat data from Microsoft 365 Defender," researchers from the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center wrote in a blog post.
While MFA is being adopted as another layer of protection against credential theft, criminals are also developing ways to bypass it, including AiTM attacks.
Erich Kron, security awareness advocate for KnowBe4, told The Register that such attacks will become more common as organizations embrace MFA. "While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie - and because the session cookie shows that MFA was already used to login - the attackers can often circumvent the need for MFA when they log into the account again later using the stolen password," Kron said.
"In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account," the analysts wrote.
For days after stealing the cookie, the attacker got into finance-related emails and file attachments every few hours and searched for outgoing email threads to find any that could be used in payment fraud schemes.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/07/13/aitm-phishing-microsoft/