Microsoft security researchers and engineers discovered a massive phishing attack targeting more than 10,000 organizations since September 2021.
The malicious actors used adversary-in-the-middle (AiTM) phishing sites to steal passwords and session data; this allowed them to bypass multi-factor authentication protections to access user email inboxes and conduct follow-up attacks using corporate email campaigns against other targets.
Phishing attacks have come a long way since their humble beginnings. In the past, phishing campaigns were largely used to steal account passwords. The number of phishing attacks continues to increase: data from Zscaler’s ThreatLabz research team shows that attacks grew by 29% in 2021, and in the 2021 Microsoft Digital Defense Report, Microsoft reported seeing a doubling in phishing attacks compared to the previous year. The attacks have also adapted to new protective countermeasures.
Multi-factor authentication, also known as two-step verification, and passwordless login have grown in popularity. Some sites have made multi-factor authentication mandatory for users, but it’s still mostly an optional security feature.
Passwords alone aren’t worth that much if accounts are secured with a second layer. Attackers who get their hands on an account password will not be able to access the account if two-factor authentication is enabled. They may still be able to access the user’s accounts on other sites if the user reuses the same email and password combination, but multi-factor authentication generally makes basic phishing attacks less lucrative.
Threat actors had to find new attack techniques to counter the rise of multi-factor authentication and passwordless logins. Security researcher mr.dox described a new attack that allowed attackers to steal session cookies. Session cookies are used by sites to determine a user’s login status. By stealing session cookies, attackers can hijack the user’s session, all without logging into an account or completing a second verification step.
Some sites use extra safeguards to prevent the hijacking from being successful, but most do not.
The phishing campaign that Microsoft security researchers analyzed was also after account session cookies.
Adversary-in-the-middle phishing attacks use a proxy server placed between a user and the website the user wants to access. Traffic is routed through the proxy server, which gives the attacker access to the data passing through it, including account passwords and session cookies.
Web services and applications use sessions to determine whether a user has been authenticated. Without sessions, users would have to log in every time a new page is opened on a website.
Session functionality is implemented using session cookies, which the authentication service sets upon successful user login.
The Adversary-in-The-Middle attack targets a user’s session cookie so that the entire authentication step can be skipped to access the user’s account.
The threat actor uses a proxy that resides between the user’s device and the impersonated site. Using proxies eliminates the need to create a copycat site. The only visible difference between the original site and the phishing site is the URL.
Here is the process in detail:
- The user enters the password on the phishing site.
- The phishing site sends the request to the actual website.
- The actual website returns the multi-factor authentication screen.
- The phishing site sends the multi-factor authentication screen to the user.
- The user completes the additional authentication.
- The phishing site sends the request to the actual website.
- The actual website returns the session cookie.
- The phishing site forwards the response to the user.
Once the session cookie is obtained, the threat actor can use it to skip the entire authentication process, even if multi-factor authentication is enabled.
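The following toy model, added here as an example and not code from Microsoft or from the article, plays through the eight steps above to show why the relayed second factor does not protect the session: a one-time code is just text that passes through the proxy unchanged, and the cookie the real site then issues is a bearer token that works for whoever presents it. For contrast, the same model runs with a second factor whose proof is signed together with the origin the browser is actually talking to (a simplification of how WebAuthn-style, origin-bound authentication behaves); because the user’s browser is on the proxy’s URL, the real site rejects the proof and never issues a cookie. All origins, credentials and keys are constructed demo values, and the HMAC stands in for the authenticator’s key pair.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo values; the article names no real origins or credentials.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"   # the proxy's own URL
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}
# Per-user authenticator key. A shared-secret HMAC stands in for the device's
# asymmetric key pair (a simplification of WebAuthn-style assertions).
AUTHENTICATOR_KEYS = {"alice": b"device-key-registered-at-enrollment"}


def sign_assertion(user: str, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the server challenge together with the origin."""
    return hmac.new(AUTHENTICATOR_KEYS[user], challenge + origin.encode(), hashlib.sha256).digest()


class RealSite:
    """Toy site: password + second factor at login, then a bearer session cookie."""

    def __init__(self, second_factor: str):
        assert second_factor in ("otp", "origin_bound")
        self.second_factor = second_factor
        self.sessions = {}      # cookie -> user
        self.challenges = {}    # user -> outstanding challenge

    def check_password(self, user: str, password: str) -> bool:
        creds = USERS.get(user)
        return bool(creds) and hmac.compare_digest(creds["password"], password)

    def start_second_factor(self, user: str) -> bytes:
        chal = secrets.token_bytes(16)   # unused by OTP, kept for symmetry
        self.challenges[user] = chal
        return chal

    def finish_login(self, user: str, proof) -> Optional[str]:
        if self.second_factor == "otp":
            ok = hmac.compare_digest(USERS[user]["otp"], proof)
        else:
            # proof = (origin the authenticator saw, signature over challenge||origin)
            origin, sig = proof
            expected = sign_assertion(user, self.challenges[user], origin)
            # The site checks the signature AND that the origin is its own.
            ok = hmac.compare_digest(expected, sig) and origin == REAL_ORIGIN
        if not ok:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def is_authenticated(self, cookie: str) -> bool:
        # A bearer cookie: whoever presents it is treated as the user.
        return cookie in self.sessions


def victim_authenticator(user: str, challenge: bytes, origin_in_browser: str):
    """The user's authenticator binds the proof to the origin the browser is on,
    which under AiTM is the proxy's URL, not the real site's."""
    return (origin_in_browser, sign_assertion(user, challenge, origin_in_browser))


def aitm_relay(second_factor: str) -> bool:
    """Model the relay from the article; return True if the proxy ends up
    holding a cookie that the real site accepts."""
    site = RealSite(second_factor)
    user = "alice"
    # Steps 1-2: password typed into the proxy page, forwarded to the real site.
    if not site.check_password(user, USERS[user]["password"]):
        return False
    # Steps 3-4: the real site's second-factor prompt is relayed back to the user.
    challenge = site.start_second_factor(user)
    # Step 5: the user completes the second factor in a browser on the proxy's origin.
    if second_factor == "otp":
        proof = USERS[user]["otp"]    # a one-time code is plain text; it relays unchanged
    else:
        proof = victim_authenticator(user, challenge, PHISH_ORIGIN)
    # Steps 6-7: the proxy forwards the proof; the real site answers with or without a cookie.
    cookie = site.finish_login(user, proof)
    # Step 8: the proxy keeps the cookie and can later present it from its own machine.
    return cookie is not None and site.is_authenticated(cookie)


def legitimate_login(second_factor: str) -> bool:
    """Same flow without a proxy: the browser is on the real origin."""
    site = RealSite(second_factor)
    user = "alice"
    site.check_password(user, USERS[user]["password"])
    challenge = site.start_second_factor(user)
    proof = USERS[user]["otp"] if second_factor == "otp" else victim_authenticator(user, challenge, REAL_ORIGIN)
    cookie = site.finish_login(user, proof)
    return cookie is not None and site.is_authenticated(cookie)
```

`aitm_relay("otp")` returns True because nothing in the relayed code or the resulting cookie is tied to where the user actually typed it; `aitm_relay("origin_bound")` returns False while `legitimate_login("origin_bound")` still succeeds, which is the property a defender wants from a second factor against this class of attack.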
Information about the large-scale Adversary-in-The-Middle phishing campaign
Microsoft engineers tracked and analyzed a large-scale phishing campaign that began in September 2021. Engineers discovered “multiple iterations” of the campaign, which targeted more than 10,000 organizations.
The main attack targeted Office 365 users and spoofed Office’s online authentication page using proxies.
In one iteration of the phishing campaign, the attacker used emails with HTML file attachments. These emails were sent to multiple recipients in an organization and informed them that they had a voice message.
Opening the attachment would load the HTML file in the user’s default browser. The page told the user that the voice message was being downloaded. In the meantime, the user was sent to a redirector site, which the attacker used to verify that the user had arrived “from the original HTML attachment”.
One purpose of this was to give the attacker access to the user’s email address, which is auto-populated on the sign-in page to make it look less suspicious.
The phishing site looked like Microsoft’s authentication site, except for the web address. It proxied the organization’s Azure Active Directory login page and contained the organization’s branding.
Victims were redirected to the main Office website once they entered their credentials and completed the second verification step. The attacker intercepted the data, including the session cookie.
The data gave the attacker options for follow-up activities, including payment fraud. Microsoft describes payment fraud in the following way:
Payment fraud is a system in which an attacker deceives a fraud target into transferring payments to accounts owned by the attacker. This can be accomplished by, among other things, hijacking and replying to ongoing financial email threads in the compromised account’s mailbox and tricking the fraud target into sending money through fake invoices.
In the observed campaign, the attackers used their access to find financial emails and file attachments. The original phishing email sent to the user was deleted to remove traces of the phishing attack.
Once the attackers discovered an email thread that they could hijack, they would create rules to move the emails to the archive and automatically mark them as read. The attacker would then respond to “ongoing email threads related to payments and invoices between the target and employees of other organizations”, deleting all emails from the Sent Items and Deleted Items folders.
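The post-compromise behaviour just described leaves a recognisable trail in mailbox audit data: an inbox rule that moves mail out of the Inbox and marks it read, followed shortly by purges of Sent Items and Deleted Items. The detector below is an added example, not Microsoft’s or the article’s code; it runs over constructed, line-delimited JSON events in a simplified format. The `op` names mirror Exchange inbox-rule cmdlets and mailbox audit operations, but the exact record layout and the other field names are assumptions for the demo, so they would need mapping onto a real tenant’s audit export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified layout; field names are assumptions).
SAMPLE_LOG = """\
{"time": "2022-03-01T09:02:11Z", "user": "bob@example.test", "op": "New-InboxRule", "params": {"MoveToFolder": "Archive", "MarkAsRead": true, "SubjectContainsWords": ["invoice", "payment"]}}
{"time": "2022-03-01T09:04:40Z", "user": "bob@example.test", "op": "HardDelete", "folder": "SentItems", "count": 3}
{"time": "2022-03-01T09:05:02Z", "user": "bob@example.test", "op": "HardDelete", "folder": "DeletedItems", "count": 3}
{"time": "2022-03-01T10:15:00Z", "user": "carol@example.test", "op": "New-InboxRule", "params": {"MoveToFolder": "Newsletters", "MarkAsRead": false, "From": "news@vendor.test"}}
{"time": "2022-03-02T08:00:00Z", "user": "dave@example.test", "op": "HardDelete", "folder": "SentItems", "count": 1}
"""

# How long after the rule creation a purge still counts as related.
WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> list:
    """Parse one JSON object per line into dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def is_hiding_rule(e: dict) -> bool:
    """A rule that moves mail out of the Inbox AND marks it read: the pattern the
    article describes for keeping the victim from noticing hijacked replies."""
    if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = e.get("params", {})
    return p.get("MarkAsRead") is True and p.get("MoveToFolder") not in (None, "Inbox")


def find_hijack_candidates(events: list) -> dict:
    """Return users who created a hiding rule and then purged Sent Items or
    Deleted Items within WINDOW, together with the evidence."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for rule in (x for x in evs if is_hiding_rule(x)):
            purges = [x for x in evs
                      if x["op"] in ("HardDelete", "SoftDelete")
                      and x.get("folder") in ("SentItems", "DeletedItems")
                      and rule["time"] <= x["time"] <= rule["time"] + WINDOW]
            if purges:
                findings[user] = {
                    "rule_time": rule["time"],
                    "purged_folders": sorted({x["folder"] for x in purges}),
                }
    return findings


if __name__ == "__main__":
    for user, info in find_hijack_candidates(parse_events(SAMPLE_LOG)).items():
        print(user, info)
```

Only `bob@example.test` is flagged: carol’s rule moves newsletters without marking them read, and dave’s single deletion has no rule behind it. The time window keeps the two signals coupled; a rule alone or a purge alone is common enough in normal use that either one by itself would be noisy.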
How to Protect Users from Adversary-in-The-Middle Phishing
One option organizations have when it comes to protecting their employees from sophisticated phishing attacks is to implement Conditional Access policies that complement multi-factor authentication security.
Such policies can evaluate login requests using other signals, for example identity-driven signals such as IP information, user or group memberships, and device status.
The education of employees and users also plays an important role. Most phishing attacks require potential victims to take some action: clicking links, opening attachments, or performing other steps. Most attacks fail if the user stays passive and does not fall into the trap.
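Why the extra signals matter against this campaign can be seen in a small policy evaluator. This is an added example and not Azure AD’s Conditional Access engine: it models one simplified rule (in-scope users always need MFA, and sign-ins from outside trusted networks must also come from a compliant device) and runs it over constructed sign-ins. The network ranges, users and group names are made up. The interesting case is the relayed sign-in, where the password and second factor are genuine but the request arrives from the proxy’s address on a device the organization has never registered.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    ip: str
    device_compliant: bool   # device is registered and reports as compliant
    mfa_satisfied: bool      # a second factor was presented (possibly relayed)


@dataclass
class Policy:
    name: str
    scope_groups: Set[str]
    trusted_networks: List[str]   # CIDR ranges treated as trusted locations


def on_trusted_network(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(policy: Policy, s: SignIn) -> Tuple[str, List[str]]:
    """Simplified grant logic; returns (decision, unmet requirements)."""
    if not (s.groups & policy.scope_groups):
        return "not_in_scope", []
    missing = []
    if not s.mfa_satisfied:
        missing.append("mfa")
    if not on_trusted_network(s.ip, policy.trusted_networks) and not s.device_compliant:
        missing.append("compliant_device_when_off_network")
    return ("allow", []) if not missing else ("block", missing)


# Constructed policy: finance staff, office range from TEST-NET-3.
FINANCE_POLICY = Policy("finance-remote-access", {"finance"}, ["203.0.113.0/24"])

SAMPLE_SIGNINS = {
    "office_desktop": SignIn("bob@example.test", {"finance"}, "203.0.113.45", True, True),
    "home_laptop": SignIn("bob@example.test", {"finance"}, "198.51.100.7", True, True),
    # Relayed through an AiTM proxy: MFA was completed by the real user, but the
    # request comes from the proxy's address on an unknown, non-compliant device.
    "aitm_proxy": SignIn("bob@example.test", {"finance"}, "192.0.2.99", False, True),
    "marketing_user": SignIn("eve@example.test", {"marketing"}, "192.0.2.99", False, True),
}


def run_samples() -> Dict[str, str]:
    """Decision per sample sign-in under FINANCE_POLICY."""
    return {name: evaluate(FINANCE_POLICY, s)[0] for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, s in SAMPLE_SIGNINS.items():
        print(name, evaluate(FINANCE_POLICY, s))
```

The relayed sign-in is blocked even though `mfa_satisfied` is true, which is the point of complementing MFA with signals the proxy cannot forge by simply forwarding what the user typed. A policy like this is only as good as the device signal behind it, so the compliant-device check has to rest on real device registration rather than on anything the client asserts about itself.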
Additional information is available on Microsoft’s security blog.
Now you: Have you ever been the victim of a phishing attack? Do you use specific anti-phishing protections?