A business email compromise scheme targeting CEOs and CFOs using Microsoft Office 365 combines phishing with a man-in-the-middle attack to bypass multi-factor authentication.
These attacks take advantage of a Microsoft 365 design flaw that allows miscreants to compromise accounts with MFA enabled and achieve persistence in victims’ systems by adding a new, compromised, authentication method allowing them to come back at any time. This is according to Mitiga security researchers, who apparently spotted both the campaign and the Microsoft 365 flaw.
“Leveraging this unrestricted access, the attackers monitor the victim’s email accounts until a substantial transaction is about to happen, and then send a fraudulent email requesting a change of the destination bank account to an account in control of the attackers, effectively stealing those funds,” the incident response firm explained, adding:
First, the victim receives a phishing email that looks to be from DocuSign and even has a legitimate “docusign.net” address. Spoiler alert: it’s spoofed.
In the Mitiga investigation, researchers noted that Microsoft did flag this email as a phishing attempt, but it wasn’t blocked due to a misconfiguration in the client environment.
The phony DocuSign email includes a “Review Document” link, which directs the victim to an attacker-controlled server (this one happened to be in Singapore). After clicking on the malicious link, the exec receives a prompt to enter their Azure authentication.
This part of the attack likely uses the evilginx2 framework or a similar toolkit for 2FA phishing, the security researchers wrote, noting that Microsoft has previously warned of crooks using this man-in-the-middle technique for financial fraud.
“The victim is prompted with a genuine MFA request on their MFA device,” according to the analysis. “After approving the request, the Microsoft server returns a valid session cookie, which the adversary sniffs and can then use to assume the victim’s session, without needing to re-enter a password or approve an MFA request.”
At this point, the miscreants can start snooping around the victim’s Office 365 environment, scanning Outlook emails and SharePoint files. They’re looking for anything to indicate an upcoming transaction — messages, contracts, etc — to ultimately pull off financial fraud.
Additionally, after stealing the victim’s credentials, the malicious site redirects the victim to a fake DocuSign error page with the hope being that the victim won’t realize they fell for a phish and trigger any security mitigations.
This also means the stolen session cookie remains valid, and the attacker can establish persistence in the 365 environment.
As noted earlier, the criminals use a design flaw in 365 MFA to maintain persistence, which allows them to add a new authenticator app connected to the compromised user’s profile without the victim’s knowledge.
Mitiga said it has reached out to Microsoft, but has not yet received a response. As this is not a vulnerability, there was no need to do a preliminary disclosure.
The issue exists because once a session has been authorized via MFA, Microsoft does not require a new MFA challenge for the duration of the MFA token.
So, for the duration of the token, a user (or attacker, in this case) can access and change the user authentication methods in the Security Info section of the account profile, and add an authenticator app that is under their own control without triggering a new MFA challenge.
“This means that once an account has been compromised, even for an extremely short period of time, it is possible to create persistency using this technique, so an attacker can then re-authenticate with MFA when the session expires or is revoked,” the researchers said.
“It is important to note that even if an organization puts a strict MFA expiration time of one day, it will still not prevent creating for the attacker with this technique.”
Microsoft did not respond to The Register‘s request for comment about the Mitiga research and the 365 vulnerability. ®