Security researchers from Microsoft have uncovered a large-scale phishing campaign that uses HTTPS proxying techniques to hijack Office 365 accounts.
The attack is capable of bypassing multi-factor authentication (MFA) and has targeted over 10,000 organisations since September 2021.
The goal of the campaign appears to be business email compromise (BEC), a type of attack in which an employee's email account is used to trick other employees of the same organisation, or external business partners, into initiating fraudulent money transfers.
According to the FBI's Internet Crime Complaint Center (IC3), BEC attacks have led to over $43 billion in losses between June 2016 and December 2021.
The power of adversary-in-the-middle (AiTM) phishing
The attacks observed by Microsoft started with victims receiving rogue emails carrying malicious HTML attachments. Some emails posed as voicemail notifications and directed users to open the attachments, which first redirected them to pages simulating a download progress indicator and then redirected them again to a rogue Office 365 login page.
While this looks like a typical phishing attack, the backend implementation is what sets these attacks apart.
First, the user's email address is encoded in the URL of the redirect page and is used to pre-populate the login field on the phishing pages. Second, the phishing pages themselves act as a proxy and pull their content in real time from the legitimate Office 365 login page.
The phishing pages were hosted on HTTPS-enabled domain names, some of which had names impersonating Microsoft services.
Essentially, the victim's browser established a TLS connection with the phishing page, and the phishing page in turn established a TLS connection with the real login site. Because the email address was filled in automatically, the attackers were able to display the custom-branded Office 365 login pages that victims were used to seeing for their own organisations, making the attack more believable.
Since the phishing page acted as a proxy, it forwarded the credentials entered by the user to the legitimate Office 365 site and then displayed in real time the MFA prompt requested by the website. The goal was to complete the login process in real time and capture the user's session cookie.
A session cookie is a unique identifier that a website sets in the browser once an authentication process has completed successfully, so that it can recognise the user as they browse the site without asking them to authenticate again.
"From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com)," the Microsoft researchers said in their report. "In multiple cases, the cookies had an MFA claim, which means that even if the organisation had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account."
This web-based man-in-the-middle phishing technique against authentication systems is not new, and several open-source toolkits allow attackers to automate such phishing attacks easily. The toolkit used in this case is called Evilginx2 and has been around since 2018.
It's worth noting that not all types of MFA can be circumvented by AiTM techniques. Solutions that conform to the FIDO2 standard and rely on a key fob connected to the computer or a fingerprint sensor in a mobile device cannot be proxied in this manner.
Even though SMS-based or code-based solutions are vulnerable, using any form of MFA is still better than not using it at all, since it blocks a variety of less sophisticated attacks such as credential stuffing and other forms of password theft.
Microsoft also recommends enabling conditional access policies that check for compliant devices or trusted IP addresses before completing authentication, as well as continuously monitoring for suspicious logins from unusual locations or ISPs, or with non-standard user agents.
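The sign-in monitoring described above, as an added example that is not part of Microsoft's report or any product: it builds a per-user baseline of ISPs and user agents from older sign-ins, then flags later sign-ins from never-seen ISPs, with scripted user agents, or where a session id is reused from a different IP and client than the one that created it (the cookie-replay pattern of AiTM). The record schema, field names and all values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sign-in records with a hypothetical, simplified schema (not the
# real Azure AD sign-in log format). Records 1-3 are routine office logins; the
# fourth is the interactive MFA login that went through the AiTM proxy (so the
# real site saw the proxy's IP); the fifth is the attacker replaying the
# captured session cookie from yet another host with a scripted client.
SIGNINS = [
    {"ts": "2022-06-01T08:02", "user": "alice@example.test", "ip": "203.0.113.10",
     "isp": "Office ISP", "ua": "Chrome/102 Windows", "session": "sess-A1"},
    {"ts": "2022-06-02T08:05", "user": "alice@example.test", "ip": "203.0.113.10",
     "isp": "Office ISP", "ua": "Chrome/102 Windows", "session": "sess-A2"},
    {"ts": "2022-06-03T07:58", "user": "alice@example.test", "ip": "203.0.113.11",
     "isp": "Office ISP", "ua": "Outlook/16 Windows", "session": "sess-A3"},
    {"ts": "2022-06-07T10:14", "user": "alice@example.test", "ip": "198.51.100.77",
     "isp": "VPS Host One", "ua": "Chrome/102 Windows", "session": "sess-B9"},
    {"ts": "2022-06-07T10:21", "user": "alice@example.test", "ip": "192.0.2.200",
     "isp": "VPS Host Two", "ua": "python-requests/2.28", "session": "sess-B9"},
]

# User-agent prefixes that no interactive Office 365 user would normally present.
NON_STANDARD_UA = ("python-requests", "curl/", "Go-http-client")


def detect_suspicious_signins(signins, cutoff):
    """Return [(ts, user, reasons)] for sign-ins at or after `cutoff` (ISO string)
    that deviate from the user's pre-cutoff baseline of ISPs and user agents, or
    that reuse a session id from a different IP or client than first created it."""
    known_isps, known_uas = defaultdict(set), defaultdict(set)
    session_origin = {}  # session id -> (ip, ua) on its first appearance
    findings = []
    for s in sorted(signins, key=lambda r: r["ts"]):
        origin = session_origin.setdefault(s["session"], (s["ip"], s["ua"]))
        if s["ts"] < cutoff:  # learning phase: build the per-user baseline
            known_isps[s["user"]].add(s["isp"])
            known_uas[s["user"]].add(s["ua"])
            continue
        reasons = []
        if s["isp"] not in known_isps[s["user"]]:
            reasons.append("ISP never seen for this user")
        if s["ua"].startswith(NON_STANDARD_UA) or s["ua"] not in known_uas[s["user"]]:
            reasons.append("non-standard or never-seen user agent")
        if origin != (s["ip"], s["ua"]):
            reasons.append("session reused from a different IP/client (possible cookie replay)")
        if reasons:
            findings.append((s["ts"], s["user"], reasons))
    return findings
```

Note that the proxy login itself (record four) only trips the ISP check, which is why the conditional access policies mentioned above matter: a device-compliance or trusted-IP requirement would stop that login before any cookie existed.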
From phishing to BEC
Following a successful compromise, attackers searched the victim's inbox for email threads mentioning financial transactions or invoices that they could insert themselves in and start impersonating the victim.
Once they identified such a thread or a fraud target based on past communications, they crafted an email to that person or entity in the name of the email account owner and set up an email filtering rule that automatically marked as read any future replies from that correspondent and moved them to the archive.
They also deleted the messages they had sent from the Drafts, Sent and Junk folders, and came back every few hours to check the archive folder for replies.
"On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the inbox rule they created to include these new targets' organisation domains."
In some instances, the attackers took as little as five minutes to identify a potential fraud victim they could trick and start messaging them from the compromised email. Sometimes the back-and-forth communications lasted for days, and there are signs the fraud was performed manually.
Microsoft recommends that organisations set up policies to monitor inbox rules with potentially suspicious purposes, and to trigger alerts on an unusual number of mail-access events from untrusted IP addresses or devices.
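The two monitoring policies just recommended, as an added example that is not part of Microsoft's report or any product: one function flags inbox rules that hide replies (mark as read plus move to a rarely viewed folder) and any later update that changes such a rule's sender filter, mirroring the rule the attackers kept widening; the other counts mailbox-access events per user and source IP outside a trusted set. The operation names (New-InboxRule, Set-InboxRule, MailItemsAccessed) and the rule parameters are Exchange Online names, but the event schema, trusted IPs, threshold and all values are constructed for illustration.

```python
from collections import Counter

TRUSTED_IPS = {"203.0.113.10", "203.0.113.11"}  # assumed: the organisation's own egress IPs
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss subscriptions"}
ACCESS_THRESHOLD = 50  # assumed: mail-access events per (user, untrusted IP) before alerting

# Constructed audit events in a simplified schema (not the real Unified Audit Log
# format). Alice's mailbox mirrors the campaign: a rule that hides replies from a
# partner domain, later widened to a second target domain, plus heavy mailbox
# access from an untrusted host. Bob's rule is an ordinary newsletter filter.
EVENTS = [
    {"op": "New-InboxRule", "user": "alice@example.test", "ip": "192.0.2.200",
     "params": {"Name": "sync", "MarkAsRead": True, "MoveToFolder": "Archive",
                "FromAddressContainsWords": ["partner-corp.test"]}},
    {"op": "Set-InboxRule", "user": "alice@example.test", "ip": "192.0.2.200",
     "params": {"Name": "sync", "FromAddressContainsWords": ["partner-corp.test", "vendor-two.test"]}},
    {"op": "New-InboxRule", "user": "bob@example.test", "ip": "203.0.113.10",
     "params": {"Name": "news", "MoveToFolder": "Reading", "FromAddressContainsWords": ["news.example.test"]}},
] + [{"op": "MailItemsAccessed", "user": "alice@example.test", "ip": "192.0.2.200"}] * 60 \
  + [{"op": "MailItemsAccessed", "user": "bob@example.test", "ip": "203.0.113.10"}] * 60


def suspicious_inbox_rules(events):
    """Flag rules that hide mail (mark as read + move to a rarely viewed folder)
    and any later update that changes the sender filter of such a rule."""
    hiding_rules = set()  # (user, rule name) already known to hide mail
    findings = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, key = e["params"], (e["user"], e["params"].get("Name"))
        hides = bool(p.get("MarkAsRead")) and p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
        if hides:
            hiding_rules.add(key)
        widened = e["op"] == "Set-InboxRule" and key in hiding_rules and "FromAddressContainsWords" in p
        if hides or widened:
            findings.append((e["op"], e["user"], key[1], p.get("FromAddressContainsWords", [])))
    return findings


def untrusted_mail_access(events, threshold=ACCESS_THRESHOLD):
    """Count MailItemsAccessed events per (user, IP) outside TRUSTED_IPS and
    return the pairs at or above the threshold."""
    counts = Counter((e["user"], e["ip"]) for e in events
                     if e["op"] == "MailItemsAccessed" and e["ip"] not in TRUSTED_IPS)
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

Events must be processed in chronological order for the "widened" check to see the original rule before its update.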