March 12, 2026

Microsoft has detected a new phishing attack that can bypass multi-factor authentication: What it is, how it works


Phishing attacks have become relatively common in the past decade. While they deploy sophisticated techniques for gaining access to users’ data, many of these attacks can be prevented simply by using basic security measures such as not clicking on links from unknown sources and enabling multi-factor authentication. But now, a new kind of phishing attack is targeting users and organisations globally. What sets this phishing attack apart from other techniques that you must have read about is its ability to bypass multi-factor authentication (MFA).

The phishing attack, dubbed adversary-in-the-middle (AiTM) phishing, is part of a large-scale phishing campaign that has attempted to target more than 10,000 organisations across the globe since September 2021.

Microsoft, in its blog post detailing this cyber attack, said that malicious actors are using this phishing attack to steal passwords, hijack users’ sign-in sessions, and skip the authentication process even if users had enabled multi-factor authentication (MFA). “The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets,” the company wrote in a post.

Before we get into the details of the AiTM phishing attack and how it bypasses MFA, let’s first understand what MFA is and how it enhances the security of users’ digital profiles.

What is multi-factor authentication and how is it useful?

Multi-factor authentication is an authentication mechanism that requires users to provide two or more means of authenticating themselves in order to gain access to a profile or a digital account. Users can use a combination of a physical USB key, a biometric scan and a password or a PIN for this purpose.

Multi-factor authentication makes it harder for hackers to gain access to users’ accounts by adding several layers of security that each have to be broken through.

What is AiTM phishing and how does it work?

Microsoft in its blog post explained that in AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit. In doing so, the attackers are able to intercept and steal the targeted user’s password and the session cookie that proves their ongoing, authenticated session with the website.

“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” Microsoft wrote in the blog post.


Image: Microsoft

Modern websites use a session cookie to authenticate a user on every visit after the first time they have authenticated themselves. This session cookie acts as proof to the web server that the user has been successfully authenticated and has an ongoing session on the website.

Now, in the case of AiTM phishing, hackers try to get hold of this session cookie. In doing so, they are able to hijack and bypass the entire authentication process and act on the user’s behalf.

Here’s how that happens: The attacker deploys a web server that proxies the HTTP packets from the user who visits the phishing site to the target server the attacker wishes to impersonate, and the other way around. This way, the phishing site looks identical to the original website. “The URL is the only visible difference between the phishing site and the actual one,” Microsoft explained.

The phishing page has two different sessions — one with the target and the other with the actual website the user wants to visit. These sessions enable the hackers to hijack the entire authentication process and extract valuable data from the HTTP requests, such as passwords and session cookies. Once the attacker obtains the session cookie, they can use it in their own browser to skip the authentication process and get at the user’s personal information.

How can I safeguard myself against an AiTM phishing attack?

Microsoft recommends investing in advanced phishing solutions and enabling conditional access policies to safeguard users from such attacks. Conditional access policies at their core are if-then statements. So, if a user wants to access a resource, then they must complete an action or meet a precondition, which an attacker cannot know, which in turn makes users’ digital accounts safer.
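The two ideas above, a stolen session cookie being replayed from the attacker’s own browser and a conditional access rule that denies the request anyway, can be illustrated with a small defender-side check. This is an added example with constructed sample events, not code from Microsoft’s blog post; the `device_compliant` flag and the /24 network binding are simplifying assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: session cookie presentations as a web server might log them.
# The first event for a session id is the one issued right after the user's MFA sign-in.
SAMPLE_EVENTS = [
    {"session": "s1", "ip": "203.0.113.10", "ua": "Chrome/124 (Windows)", "device_compliant": True},
    {"session": "s1", "ip": "203.0.113.11", "ua": "Chrome/124 (Windows)", "device_compliant": True},
    # The same cookie presented from a different network and browser: the AiTM replay pattern.
    {"session": "s1", "ip": "198.51.100.7", "ua": "Firefox/125 (Linux)", "device_compliant": False},
    {"session": "s2", "ip": "192.0.2.5", "ua": "Safari/17 (macOS)", "device_compliant": True},
]


def network_of(ip: str) -> str:
    # Assumption: bind the session to its /24 so an address change inside one
    # office network is not flagged, while a move to another network is.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect_session_replay(events):
    """Return {session_id: [events]} for cookies presented from a different
    network or browser than the one they were issued to."""
    issued_to = {}
    anomalies = defaultdict(list)
    for ev in events:
        fingerprint = (network_of(ev["ip"]), ev["ua"])
        if ev["session"] not in issued_to:
            issued_to[ev["session"]] = fingerprint  # first use = issuance
        elif fingerprint != issued_to[ev["session"]]:
            anomalies[ev["session"]].append(ev)
    return dict(anomalies)


def conditional_access(event, require_compliant_device=True):
    """Simplified if-then conditional access rule: the request is allowed only
    if the precondition holds, so a replayed cookie from an unmanaged browser
    is denied even though the cookie itself is valid."""
    if require_compliant_device and not event["device_compliant"]:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for sid, evs in detect_session_replay(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"session {sid} replayed from {ev['ip']} -> {conditional_access(ev)}")
```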

The post Microsoft has detected a new phishing attack that can bypass multi-factor authentication: What it is, how it works appeared first on BGR India.