10,000 organizations targeted in a large-scale AiTM phishing campaign

Over 10,000 organizations have been targeted in a large-scale phishing campaign running since September 2021. According to Microsoft, the attackers have been hijacking Office 365's authentication process. Even users who had enabled multi-factor authentication (MFA) on their accounts fell victim to this campaign.

Once the threat actors gained access to users’ credentials and session cookies, they used this data to hijack victims’ mailboxes and perform business email compromise (BEC) attacks against other targets.

The threat actors set up phishing sites for adversary-in-the-middle (AiTM) attacks. This kind of malicious activity involves deploying a proxy server between a victim and the website in order to intercept communications. Recipients of the phishing emails were redirected to fake login pages that impersonated legitimate ones. All information that victims entered on these pages, including credentials and MFA input, was relayed to the attackers.

Microsoft’s researchers pointed out that this is not a vulnerability in MFA. An AiTM attack allows the threat actor to steal the session cookie, so the attacker “gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.”

In this campaign, the hackers singled out Office 365 users by spoofing the Office Online authentication page. Then, using the Evilginx2 phishing kit, they carried out the AiTM attacks.
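Because the stolen cookie is replayed by the attacker rather than the victim's browser, one signal defenders can look for is a session that completed MFA from one source IP and is then used from another. The following is an added illustration of that check, not code from Microsoft or the article; the event schema, field names and sample log entries are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SignInEvent:
    """One sign-in log entry (constructed schema, not a real IdP log format)."""
    ts: datetime
    user: str
    session_id: str
    source_ip: str
    # "password+mfa" = interactive sign-in that satisfied MFA,
    # "session_cookie" = later request authenticated only by the session cookie
    auth_method: str


# Constructed sample events: the proxy completes MFA on the victim's behalf
# from 203.0.113.10, then the same session cookie shows up from 198.51.100.7.
TEST_EVENTS = [
    SignInEvent(datetime(2022, 7, 12, 9, 0), "alice", "S1", "203.0.113.10", "password+mfa"),
    SignInEvent(datetime(2022, 7, 12, 9, 3), "alice", "S1", "203.0.113.10", "session_cookie"),
    SignInEvent(datetime(2022, 7, 12, 9, 30), "alice", "S1", "198.51.100.7", "session_cookie"),
    SignInEvent(datetime(2022, 7, 12, 10, 0), "bob", "S2", "192.0.2.5", "password+mfa"),
    SignInEvent(datetime(2022, 7, 12, 10, 5), "bob", "S2", "192.0.2.5", "session_cookie"),
]


def find_replayed_sessions(events):
    """Return (user, session_id, mfa_ip, replay_ip) for every cookie-only request
    whose session was established by an MFA sign-in from a different source IP.
    Events are processed in time order so later replays see the right origin."""
    origin = {}   # session_id -> the event that completed MFA for that session
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.auth_method == "password+mfa":
            origin[e.session_id] = e
        elif e.auth_method == "session_cookie":
            mfa_event = origin.get(e.session_id)
            if mfa_event is not None and mfa_event.source_ip != e.source_ip:
                findings.append((e.user, e.session_id, mfa_event.source_ip, e.source_ip))
    return findings


if __name__ == "__main__":
    for user, sid, mfa_ip, replay_ip in find_replayed_sessions(TEST_EVENTS):
        print(f"possible cookie replay: user={user} session={sid} mfa_ip={mfa_ip} replay_ip={replay_ip}")
```

In production this heuristic needs tuning for NAT, VPN and mobile roaming, which legitimately change a user's source IP mid-session; correlating ASN or geography rather than exact IP reduces that noise.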
