Phishing attacks have become relatively common over the past decade. While they deploy sophisticated technology to gain access to users’ data, many times these attacks can be prevented by using only basic security measures such as not clicking on links from unknown sources and enabling multi-factor authentication. But now, a new type of phishing attack is targeting users and organizations globally. What sets this phishing attack apart from other techniques you may have read about is its ability to bypass multi-factor authentication (MFA).
The phishing attack, dubbed adversary-in-the-middle (AiTM) phishing, is part of a larger-scale phishing campaign that has attempted to target more than 10,000 organizations worldwide since September 2021.
Microsoft, detailing the cyberattack in its blog post, said that malicious actors are using this phishing attack to steal passwords, hijack users’ sign-in sessions, and bypass the authentication process, even when users have enabled multi-factor authentication (MFA). “The attackers used the stolen credentials and session cookies to access the mailboxes of affected users and run follow-on business email compromise (BEC) campaigns against other targets,” the company wrote in a post.
Before we get into the details of the AiTM phishing attack and how it bypasses MFA, let us first understand what MFA is and how it enhances the security of users’ digital profiles.
What is multi-factor authentication and how is it useful?
Multi-factor authentication is an authentication mechanism that requires users to provide two or more means of authenticating themselves in order to gain access to a profile or digital account. Users can use a combination of a physical USB key, biometrics, and a password or PIN.
Multi-factor authentication makes it difficult for hackers to gain access to users’ accounts by adding several security layers that are hard to break through.
What is AiTM phishing and how does it work?
Microsoft explained in its blog post that in AiTM phishing, attackers deploy a proxy server between the target user and the website the user wants to visit. In doing so, attackers are able to intercept and steal the target user’s password and session cookie, which proves their ongoing and authenticated session with the website.
“Note that this is not a vulnerability in the MFA; since AITM steals the phishing session cookie, the attacker authenticates to the session on behalf of the user, regardless of the subsequent sign-in method used,” Microsoft wrote in the blog post.
Modern websites use session cookies so that a user does not have to authenticate again on every visit after signing in for the first time. The session cookie acts as proof to the web server that the user has been successfully authenticated and is running a session on the website.
Now, in the case of AiTM phishing, hackers try to capture this session cookie. In doing so, they are able to hijack the session, bypass the entire authentication process, and act on behalf of the user.
Here’s how it happens: The attacker deploys a web server that relays HTTP packets from a user visiting the phishing site to the website the attacker is impersonating, and the other way around. In this way, the phishing site looks very similar to the original website. “The URL is the only visible difference between a phishing site and the actual site,” Microsoft explained.
A phishing page maintains two separate sessions – one with the target and the other with the actual website the user wants to visit. These sessions enable hackers to intercept the entire authentication process and extract valuable data such as passwords and session cookies from HTTP requests. Once an attacker obtains a session cookie, they can then use it in their browser to bypass the authentication process and obtain users’ personal information.
How can I protect myself from an AiTM phishing attack?
Microsoft recommends investing in advanced phishing solutions and enabling conditional access policies to protect yourself from such attacks. At their core, conditional access policies are if-then statements. Therefore, if a user wants to access a resource, they must perform an action or meet a precondition that an attacker cannot know, which in turn makes users’ digital accounts secure.
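The if-then idea can be shown in a few lines of Python. This is an added example, not code from Microsoft or from the original article; the rules, the field names, the device inventory and the request log are all constructed for illustration, and it assumes the service can see a managed-device ID and the client IP on every request.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    event: str                 # "signin" (MFA just completed) or "access"
    session_id: str            # value carried by the session cookie
    user: str
    ip: str
    device_id: Optional[str]   # managed-device ID, None when the client has none

MANAGED_DEVICES = {"laptop-01"}   # constructed inventory (assumption)

def evaluate(requests, managed=MANAGED_DEVICES):
    """Apply the if-then rules to each request in order; return the decisions."""
    issued_from = {}   # session_id -> IP that completed the sign-in
    decisions = []
    for r in requests:
        if r.device_id not in managed:
            # IF the client is not a managed device THEN block,
            # even when it presents a valid session cookie.
            decisions.append("block")
        elif r.event == "signin":
            issued_from[r.session_id] = r.ip
            decisions.append("allow")
        elif issued_from.get(r.session_id) != r.ip:
            # IF the cookie arrives from another network, or was never
            # issued here, THEN require the user to authenticate again.
            decisions.append("reauth")
        else:
            decisions.append("allow")
    return decisions

# Constructed request log (documentation-range IP addresses).
SAMPLE = [
    Request("signin", "s1", "alice", "198.51.100.10", "laptop-01"),
    Request("access", "s1", "alice", "198.51.100.10", "laptop-01"),
    Request("access", "s1", "alice", "203.0.113.50", None),         # replayed cookie
    Request("access", "s1", "alice", "198.51.100.77", "laptop-01"), # new network
    Request("access", "s9", "alice", "198.51.100.10", "laptop-01"), # unknown session
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{req.event:6} {req.session_id} {req.ip:15} "
              f"{req.device_id or '-':10} -> {decision}")
```

The third request carries a valid cookie but is blocked, because the condition it fails is one the stolen cookie does not satisfy.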
The post Microsoft has detected a new phishing attack that can bypass multi-factor authentication: what it is, how it works first appeared on BGR India.