Office Phishing Attack Bypasses Multi-Factor Authentication

Microsoft researchers and security engineers discovered a massive phishing attack that has targeted more than 10,000 organizations since September 2021.

Malicious actors used adversary-in-the-middle (AiTM) phishing sites to steal passwords and session data; this allowed them to bypass multi-factor authentication protections to access users’ email inboxes and execute follow-up attacks using business email compromise campaigns against other targets.

Phishing attacks have come a long way from their humble beginnings. In the early days, phishing campaigns were largely used to steal account passwords. Phishing continues to rise (data from Zscaler’s ThreatLabz research team suggests attacks grew 29% in 2021), but attacks have also adapted to new protective countermeasures. In the 2021 Microsoft Digital Defense Report, Microsoft reported that it saw a doubling of phishing attacks compared to the previous year.

Multi-factor authentication, also known as two-step verification, and passwordless logins have gained popularity. Some sites have made multi-factor authentication mandatory for users, but it’s still mostly an optional security feature.

Passwords are worth less if accounts are protected with a second layer: attackers who obtain an account’s password cannot access it if two-factor authentication is enabled. They may still be able to log into accounts on other sites if the user reused the same email and password combination, but multi-factor authentication makes basic phishing attacks less lucrative overall.

Threat actors had to find new attack techniques to combat the rise of multi-factor authentication and passwordless logins. Security researcher mr.dox described a new attack that allowed attackers to steal session cookies. Sites use session cookies to determine a user’s login status. Session cookie stealing allows attackers to hijack a user’s session, all without having to log into an account or complete a second verification step.

Some sites use additional protections to prevent the hijack from succeeding, but most do not.

Adversary-in-the-Middle Phishing

The phishing campaign that Microsoft security researchers analyzed also looked for account session cookies.

Image Credit: Microsoft

Adversary-in-the-Middle phishing attacks use a proxy server that is placed between a user and the website that the user wants to open. The traffic is routed through the proxy server and this gives the attacker access to data, including account passwords and session cookies.

Web services and applications use sessions to determine if a user is authenticated. Without sessions, users would have to log in every time a new page is opened on a website.

The session functionality is implemented with the help of session cookies, which are set by the authentication service after the user successfully logs in.

The Adversary-in-The-Middle attack targets a user’s session cookie, so that the entire authentication step to access the user’s account can be skipped.

Image Credit: Microsoft

The threat actor uses a proxy that sits between the user’s device and the site being impersonated. Using proxies eliminates the need to create an imitation site. The only visible difference between the original site and the phishing site is the URL.

Here is the process in detail:

  1. The user enters the password on the phishing site.
  2. The phishing site sends the request to the real website.
  3. The actual website returns the multi-factor authentication screen.
  4. The phishing site sends the multi-factor authentication screen to the user.
  5. The user completes additional authentication.
  6. The phishing site sends the request to the real website.
  7. The actual website returns the session cookie.
  8. The phishing site redirects the user to the real website.

Once the session cookie has been obtained, the threat actor can use it to bypass the entire authentication process, even with multi-factor authentication enabled.
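To make the cookie problem concrete, here is a small added example (not code from the article or from Microsoft). It is a toy server-side session store: the naive check accepts anyone who presents a valid cookie, which is exactly what the proxy exploits, while the bound check also compares the request with the network and browser recorded when MFA succeeded and demands re-authentication on a mismatch, which is one of the extra protections the article says some sites apply. All names, addresses and requests are constructed.

```python
"""Added example, not code from the article or from Microsoft: a minimal
server-side session store that shows (a) why a stolen session cookie alone
is accepted, with no password or MFA step, and (b) one of the extra
protections some sites apply: binding the session to the client that
completed MFA and forcing re-authentication when the network or browser
changes. Names, addresses and requests are constructed."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Union


def _client_network(ip):
    # Bind to a prefix rather than the exact address so ordinary address
    # churn inside one network does not log the user out (/24 v4, /64 v6).
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def _ua_fingerprint(user_agent):
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


@dataclass
class Session:
    user: str
    mfa_completed: bool
    login_network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    ua_hash: str  # browser fingerprint recorded at login


class SessionStore:
    def __init__(self):
        self._sessions = {}  # cookie token -> Session

    def create(self, user, client_ip, user_agent, mfa_completed=True):
        """Called after password + MFA succeeded; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, mfa_completed,
                                        _client_network(client_ip),
                                        _ua_fingerprint(user_agent))
        return token

    def authenticate_naive(self, token):
        """Cookie present and valid -> authenticated. This is the check an
        AiTM proxy exploits: whoever holds the cookie is the user."""
        s = self._sessions.get(token)
        return s.user if s is not None and s.mfa_completed else None

    def authenticate_bound(self, token, client_ip, user_agent):
        """Same lookup, but the request must also match the client context
        recorded at login; otherwise the caller should demand fresh MFA."""
        s = self._sessions.get(token)
        if s is None or not s.mfa_completed:
            return None, "no-session"
        if not hmac.compare_digest(_ua_fingerprint(user_agent), s.ua_hash):
            return None, "reauth-required:user-agent-changed"
        if ipaddress.ip_address(client_ip) not in s.login_network:
            return None, "reauth-required:network-changed"
        return s.user, "ok"


def demo():
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/103"  # constructed
    # Constructed: the victim completes password + MFA from 203.0.113.0/24.
    token = store.create("alice@example.test", "203.0.113.10", ua)
    same_client = store.authenticate_bound(token, "203.0.113.11", ua)
    # Constructed: the same cookie presented later from an unrelated network.
    elsewhere = store.authenticate_bound(token, "198.51.100.7", ua)
    return store.authenticate_naive(token), same_client, elsewhere


if __name__ == "__main__":
    print(demo())
```

Binding to a /24 or /64 and to the User-Agent is deliberately coarse: it stops the simplest cookie reuse from a different network without logging users out on every address change, but it is a partial measure, and a site that depends on it should still keep session lifetimes short and re-prompt for MFA on sensitive actions.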

Information about the large-scale Adversary-in-The-Middle phishing campaign

Microsoft engineers monitored and analyzed a large-scale phishing campaign that began in September 2021. Engineers detected “multiple iterations” of the campaign, targeting more than 10,000 organizations.

The main attack targeted Office 365 users and spoofed the Office online authentication page using proxies.

In one iteration of the phishing campaign, the attacker used emails with HTML attachments. These emails were sent to multiple recipients in an organization. In the email, the recipients were informed that they had a voice message.

Activating the included attachment would open the HTML file in the user’s default browser. The page informed the user that the voice message was being downloaded. Meanwhile, the user was sent to a redirector site; the attacker used the redirector site to verify that the user came from “the original HTML attachment.”

One purpose of this was for the attacker to gain access to the user’s email address. The email address was filled in on the login page automatically to make it look less suspicious.

The phishing site resembled the Microsoft authentication site, with the exception of the web address. It navigated to the “organization’s Azure Active Directory sign-in page and included the organization’s branding.”

Victims were redirected to the main Office website once they entered their credentials and completed the second verification step. The attacker intercepted the data, including the session cookie.

The data gave the attacker options for follow-up activities, including payment fraud. Microsoft describes payment fraud as follows:

Payment fraud is a scheme in which an attacker tricks a fraud target into transferring payments to accounts owned by the attacker. It can be achieved by hijacking and responding to ongoing finance-related email threads in the compromised account’s mailbox and enticing the fraud target to send money via fake invoices, among others.

In the observed campaign, the attackers used their access to find financial-related emails and attachments. The original phishing email that was sent to the user was deleted to remove traces of the phishing attack.

Once the attackers discovered an email thread that they could hijack, they would create rules to move the emails to the archive and automatically mark them as read. The attacker would then respond to “ongoing email threads related to payments and invoices between the target and employees of other organizations,” and delete any emails from the Sent Items and Deleted folder.
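The mailbox rules described above are one of the few artifacts a defender can hunt for after the fact. The following added example (not code from the article or from Microsoft) scores newly created inbox rules for that pattern: finance-related keywords combined with an action that hides the mail (move to the archive, mark as read, delete) and an inconspicuous rule name. The audit records are constructed, and their layout is a simplified assumption about what an Exchange New-InboxRule audit entry carries, not the real schema.

```python
"""Added example, not code from the article or from Microsoft: a triage
function for new mailbox rules that flags the post-compromise pattern the
article describes (mail about payments or invoices silently moved to the
archive and marked as read, or deleted). The audit records are constructed;
their layout is a simplified assumption about what an Exchange
New-InboxRule audit entry carries, not the real schema."""

FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank"}
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss subscriptions",
                  "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def _parameters(record):
    """Flatten the [{"Name": ..., "Value": ...}] parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Return (score, reasons) for one audit record; (0, []) for other events."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p = _parameters(record)
    reasons = []
    folder = p.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes mail")
    # Rules named with a single character or just punctuation are a common
    # sign that the creator did not want the rule noticed in the mailbox UI.
    if len(p.get("Name", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords",
                                           "BodyContainsWords")).lower()
    hits = sorted(t for t in FINANCE_TERMS if t in text)
    if hits:
        reasons.append("matches finance terms: " + ", ".join(hits))
    # A hiding action combined with finance keywords is the campaign's pattern,
    # so that combination weighs more than either signal alone.
    hiding = any(r.startswith(("moves", "marks", "deletes")) for r in reasons)
    score = len(reasons) + (2 if hits and hiding else 0)
    return score, reasons


def triage(records, threshold=3):
    """Return [(user, score, reasons)] for records at or above the threshold."""
    flagged = []
    for r in records:
        score, reasons = score_inbox_rule(r)
        if score >= threshold:
            flagged.append((r.get("UserId", "?"), score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample audit records (not real log data).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailboxLogin", "UserId": "carol@example.test"},
]

if __name__ == "__main__":
    for user, score, reasons in triage(SAMPLE_RECORDS):
        print(user, score, "; ".join(reasons))
```

Run against real audit exports, the scoring thresholds and keyword lists need tuning per organization; a legitimate "move newsletters to a folder" rule scores zero here, while a single-character rule that archives invoice mail and marks it read is flagged immediately.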

How to protect users against Adversary-in-the-middle phishing

One option organizations have when it comes to protecting their employees against sophisticated phishing attacks is to implement conditional access policies that complement multi-factor authentication protections.

These policies may evaluate login requests using other signals, for example, identity-based signals, including IP information, user or group memberships, device status, and others.
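As an added illustration of how such signals combine (this is constructed example code, not Microsoft's Conditional Access engine), the evaluator below takes a sign-in that has already passed password and MFA and applies a short, ordered list of data-driven policies over source network, group membership, device compliance and session age to decide whether to allow it, block it, or force re-authentication. The policy names, the trusted address range and the sample sign-ins are all assumptions.

```python
"""Added example, not code from the article or from Microsoft's Conditional
Access engine: a small data-driven evaluator that combines the kinds of
signals the article lists (source network, group membership, device state,
session age) into an allow / block / re-authenticate decision for a sign-in
that has already passed password and MFA. Policy names, the trusted range
and the sample sign-ins are constructed."""
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
MAX_OFFNET_SESSION_MIN = 480

# Policies are checked in order; the first one whose conditions all hold wins.
POLICIES = [
    {"name": "Block high-risk groups on unmanaged devices",
     "groups": {"Finance", "Executives"},
     "conditions": {"device_compliant": False},
     "action": "block"},
    {"name": "Require a compliant device or a trusted network",
     "groups": None,  # applies to everyone
     "conditions": {"device_compliant": False, "from_trusted_network": False},
     "action": "reauth"},
    {"name": "Limit session lifetime off the trusted network",
     "groups": None,
     "conditions": {"from_trusted_network": False, "session_age_over_limit": True},
     "action": "reauth"},
]


def derive_signals(signin):
    """Turn raw sign-in fields into the boolean signals the policies refer to."""
    ip = ipaddress.ip_address(signin["ip"])
    return {
        "device_compliant": bool(signin.get("device_compliant", False)),
        "from_trusted_network": any(ip in net for net in TRUSTED_NETWORKS),
        "session_age_over_limit": signin.get("session_age_min", 0) > MAX_OFFNET_SESSION_MIN,
    }


def evaluate(signin):
    """Return (action, policy_name); ('allow', ...) when no policy matches."""
    signals = derive_signals(signin)
    user_groups = set(signin.get("groups", ()))
    for policy in POLICIES:
        if policy["groups"] is not None and not (policy["groups"] & user_groups):
            continue  # policy is scoped to groups this user is not in
        if all(signals.get(k) == v for k, v in policy["conditions"].items()):
            return policy["action"], policy["name"]
    return "allow", "no policy matched"


# Constructed sample sign-ins (not real data).
SAMPLE_SIGNINS = [
    {"user": "cfo@example.test", "ip": "198.51.100.7", "groups": {"Finance"},
     "device_compliant": False, "session_age_min": 2},
    {"user": "dev@example.test", "ip": "198.51.100.7", "groups": {"Engineering"},
     "device_compliant": False, "session_age_min": 2},
    {"user": "dev@example.test", "ip": "198.51.100.7", "groups": {"Engineering"},
     "device_compliant": True, "session_age_min": 600},
    {"user": "hr@example.test", "ip": "203.0.113.40", "groups": {"HR"},
     "device_compliant": False, "session_age_min": 10},
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s["user"], evaluate(s))
```

The point of the device-compliance signal in this context is that a proxy relaying the victim's browser traffic cannot present the registered device itself, so a policy that requires a compliant device (or a trusted network) for sensitive groups denies the replayed session even though the password and MFA steps were genuinely completed by the victim.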

The education of employees and users also plays an important role. Most phishing attacks require potential victims to become active in one way or another. Attacks may require users to click links, open attachments, or take other actions. Most attacks are unsuccessful when users remain passive and do not fall for the traps.

Additional information is available on the Microsoft Security Blog.

Now you: Have you ever been the victim of a phishing attack? Do you use specific anti-phishing protections?

Martin Brinkmann


Tech News Ghacks