Microsoft reveals ongoing phishing scam which can beat MFA

Microsoft has revealed a large-scale phishing scam that has targeted at least 10,000 organisations since September last year. The ongoing campaign, which can hack into user accounts even when they are protected by multi-factor authentication (MFA) measures, begins with a phishing email with an HTML attachment that leads to an attacker-controlled proxy server.

Multi-factor authentication or two-factor authentication (2FA) requires the account user to prove their identity with either a physical security key, a fingerprint, or face or retina scan as well as their password.

A blog post by members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Centre said: "From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com). In multiple cases, the cookies had an MFA claim, which means that even if the organisation had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account."

According to Microsoft, the scam inserts an attacker-controlled proxy site between account users and the work server they are attempting to log into. When users entered their password into the proxy site, the attackers were able to steal the session cookie, which exists so that users do not need to be reauthenticated at every new page they visit.

This allowed attackers to access employee email accounts and search for messages to use in business email compromise scams, tricking targets into sending large sums of money to accounts they believed belonged to co-workers or business partners.

Reports stated that, on one occasion, multiple fraud attempts were conducted simultaneously from one compromised mail account, with the attacker including the organisation domains of each new target they found.

Such scams can be easy for employees to fall for, as the emails can be difficult to spot among the large volume of other emails people receive.
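For defenders, the session-cookie theft described above can be hunted for in sign-in and access logs. The following is an added example, not code from Microsoft or from this article: it flags sessions whose MFA sign-in came from an address the user has not used before, and sessions whose cookie is later presented by a different client than the one that signed in. The event fields, the per-user address baseline and all sample records are constructed assumptions.

```python
# Added example. Field names are assumed, not a real log schema; all
# records and addresses below are constructed (documentation IP ranges).
KNOWN_IPS = {  # assumed per-user baseline of previously seen addresses
    "alice@example.com": {"198.51.100.7"},
    "bob@example.com": {"198.51.100.20"},
}

EVENTS = [
    # alice: sign-in and later use from her usual client
    {"ts": 1, "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.7", "ua": "Edge/Windows", "type": "mfa_signin"},
    {"ts": 2, "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.7", "ua": "Edge/Windows", "type": "request"},
    # bob: sign-in relayed by a proxy, so the server sees the proxy's
    # address; the cookie is then presented by another client
    {"ts": 3, "user": "bob@example.com", "session": "s-200", "ip": "203.0.113.50", "ua": "Chrome/Windows", "type": "mfa_signin"},
    {"ts": 4, "user": "bob@example.com", "session": "s-200", "ip": "192.0.2.99", "ua": "Firefox/Linux", "type": "request"},
    # carol: session in use with no sign-in in the log window
    {"ts": 5, "user": "carol@example.com", "session": "s-300", "ip": "192.0.2.15", "ua": "Safari/macOS", "type": "request"},
]

def find_suspect_sessions(events, known_ips):
    """Return {session_id: [reasons]} for sessions that look replayed."""
    origin = {}    # session -> (ip, user agent) seen at MFA sign-in
    findings = {}  # session -> set of reasons
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid, client = e["session"], (e["ip"], e["ua"])
        reasons = findings.setdefault(sid, set())
        if e["type"] == "mfa_signin":
            origin.setdefault(sid, client)
            # A proxied sign-in reaches the server from the proxy,
            # not from the user's usual network.
            if e["ip"] not in known_ips.get(e["user"], set()):
                reasons.add("signin_from_unfamiliar_ip")
        elif sid not in origin:
            # Cookie in use but its sign-in was never logged here.
            reasons.add("no_signin_on_record")
        elif client != origin[sid]:
            # Same cookie, different IP or user agent than at sign-in.
            reasons.add("cookie_used_from_new_client")
    return {sid: sorted(r) for sid, r in findings.items() if r}

if __name__ == "__main__":
    for sid, reasons in find_suspect_sessions(EVENTS, KNOWN_IPS).items():
        print(sid, reasons)
```

Mobile users and VPNs change address legitimately, so hits from a check like this are leads to review alongside mailbox activity rather than verdicts.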
