A recent report from Microsoft, confirmed a phishing campaign turned BEC attack targeted more than 10,000 organizations and slipped past Microsoft email security. Attackers used AiTM phishing site to steal passwords, user’s sign-in credentials, and skipped the authentication process even for users that had MFA enabled.
Unlike conventional wisdom, Multi-Factor Authentication (MFA) is not sufficient to block targeted, sophisticated phishing attacks. A recently published report from Microsoft confirmed that over 10,000 organizations were compromised, irrespective of having deployed a MFA solution. So how did these attackers do it? By being the man-in-the-middle, and using the age old trick of stealing cookies (instead of credentials).
How did this attack propagate?
The malicious phishing sites used in this campaign worked as reverse proxies and were hosted on web servers designed to proxy the targets' authentication requests to the legitimate website they were trying to sign-in to via two separate Transport Layer Security (TLS) sessions.
Using this tactic, the attackers' phishing page acted as a man-in-the-middle agent that intercepted the authentication process to extract sensitive information from hijacked HTTP requests, including passwords and even more importantly, session cookies.
After the attackers got their hands on the targets' session cookies, they injected it into their own web browser. This allowed attackers to skip the authentication process, even if the victims' had MFA enabled on the compromised accounts.
How can you prevent these man-in-the-middle attacks?
This type of attack can only be prevented if you apply big data and ML models to detect sessions that are authenticated using stolen cookies. Access can then be curated based on user and entity behavior analytics (which will be different from those used by malicious actors with stolen cookies). Any unusual actions, like changing mailbox rules, could be identified using ML models trained on individual, user behaviors.
Guidance and Recommendations
1. Follow MFA and password management best practices
Yes, you should still deploy multi-factor authentication! Deploy MFA on business and personal accounts where possible and do not use the same password on multiple sites and/or accounts.
2. Augment native email security with additional controls
Remember, this attack on all 10,000 organizations slipped past Microsoft email security. For better protection against email attacks (whether they’re spear phishing, business email compromise or credential (cookie) phishing attacks like this one), organizations should augment built-in email security with layers, like Armorblox, that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and is a good starting point for evaluation.
3. Enhance employee training and awareness
Teach employees to look for visible warning signs – poorly written emails, wrong signature lines and incorrect email addresses. If employees are trained not to click on phishing emails it will significantly reduce problems that occur downstream.