Jump to content

New Phishing Attack Can Bypass Multi-Factor Authentication

Another security alert has emerged recently, highlighting how the bad guys are constantly innovating to stay ahead of us and put our organisations at risk. Our Information Security Manager, Greg Nott, has addressed the latest security trends surrounding phishing attacks and how you can stay one step ahead of cybercriminals.

New Phishing Attack Can Bypass Multi-Factor Authentication

This month Microsoft reported a new variant of phishing attack that is able to bypass most Multi-factor Authentication (MFA) methods.

Phishing attacks are the most common threat that currently faces our organisations, 83% of businesses who had reported an attack in the last year were threatened by phishing attacks. However, the latest threat has become even more calculated and more difficult to identify. Read our latest blog to find out how you can avoid the risks of these attacks.

So, what's happening?

The way that these criminals are exploiting new threats is unfamiliar with phishing attacks we've seen before.

Rather than directing victims to a hoax web page to obtain their details, this innovative procedure acts as an agent in relaying the information from the victim to the genuine web page and then sending the responses back to the victim. This includes any multi-factor authentication (MFA) request windows from the genuine site and handling the successful authentication from the victim.

Once confirmed, the genuine site passes an authenticated 'session cookie' to the victim, which is intercepted by the attacker.

A session cookie is what is used by your web browser to keep your connection to a site alive and save you from having to re-authenticate yourself on every different page. The session cookie is used by the attacker to connect to the genuine site, posing as your fully-authenticated self.

Similar to a 'Man in The Middle' (MiTM) attack, this is referred to as an 'Adversary in The Middle' (AiTM) attack.

Microsoft's overview of AiTM phishing campaign and follow-on BEC
Figure 1. Microsoft's overview of AiTM phishing campaign and follow-on BEC

What have Microsoft said?

Microsoft has observed these attacks on over 10,000 organisations since September last year, targeting users' 365 and or Outlook.com email accounts.

Once they had gained access to mailboxes the attackers followed up with Business Email Compromise (BEC) attacks, where they can target senior people or budget holders and trick them into transferring funds or revealing sensitive information.

The use of MFA solutions that are compatible with the FIDO2 standard can be used to prevent this kind of attack as they would recognise that there was an 'Adversary in The Middle' but these solutions are often impractical, costly and not compatible with all services or systems.

You can read more here.

What do Circle advise?

Here at Circle we strongly agree with Microsoft that "MFA is still very effective at stopping a wide variety of threats" but this latest innovation by the attackers underscores the importance of a layered approach to security.

Any single method that you use on their own to try and prevent attacks like this can be overcome. Even combinations of controls can be overcome by a determined attacker.

In security, we work on the assumption that a successful attack is inevitable. By layering as many controls as possible to the systems we use we greatly reduce the possibility- and therefore number - of successful attacks and take action to reduce the impact of a successful attack.

These act like a filter. The more layers you have, the better the end product.

Here is an example of how that layered / filter approach can work against phishing attacks, demonstrating how each layer can be just as important as the others:

Phishing funnel
Figure 2. Circle's phishing procedure funnel 2022

Right now the quickest, most effective, course of action to combat phishing attacks is to raise awareness to your end-users – make sure they know how to assess emails before clicking or opening anything and, importantly, what to do in the event that they do get caught out. Click here to download our cyber security brochure where you can find out how to successfully secure each layer of your security posture!

Your transformation starts here.