Two-factor authentication (2FA) is a security measure that should be enabled whenever possible. But even it cannot guarantee 100% protection. According to Microsoft, a recent phishing campaign allowed access to the email of over 10,000 organizations, and the use of 2FA was not able to stop it.
By serving as an additional layer of security, two-factor authentication can block access to a service even when the attacker discovers the user’s name and password. This is possible because only the legitimate user has access to the code that is generated at the time of login.
Does it work? It does. So much so that many attackers are having to get creative to increase their chances of accessing 2FA-protected accounts.
The most frequent tactics involve social engineering approaches, such as phone or SMS contacts that try to trick the target into passing on the authentication code. But the attack reported by Microsoft is much more sophisticated.
An “AiTM” type attack
Microsoft explains that the attack in question is of the AiTM type, an acronym for Adversary-in-the-Middle. In this type of action, the attacker implements a mechanism that intercepts the communication between the victim’s device and the website or service being accessed.
More specifically, the attack identified by the company involves a phishing website that acts as a proxy server. But how does this trap reach its targets? Through a classic trick: fake emails.
These messages can take several approaches. Microsoft has identified one consisting of a fake email that claims the user has received a voice message.
The attached file has an HTML extension, so it opens directly in the browser. When this happens, the page shows a warning that the voicemail MP3 file is being downloaded. But it is not: the page instead redirects to the proxy site, which has a look that mimics a Microsoft login page.
The AiTM attack takes effect in the next step. If the user doesn’t see through the trick and logs in, their authentication data is sent through the proxy server to the real Office.com website, so that the genuine authentication is completed. But in the background, the proxy server captures the session cookies returned by the Microsoft service.
Session cookies allow the user to re-enter the accessed service without having to perform a new login procedure. Armed with the cookies, the attackers were able to log into the targets’ email accounts without having to go through authentication.
In many cases, two-factor authentication was enabled, but as the user entered the code on the fake page and it was forwarded to the real site, session cookies made the 2FA process no longer necessary.
The consequences were dire. Attackers accessed emails from employees of various companies to defraud payments, for example. In many cases, rules were created in the compromised accounts to automatically move certain messages to the trash, in order to prevent the legitimate user from discovering the unauthorized access.
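Inbox rules that quietly delete or divert mail are one of the few durable traces this kind of intrusion leaves behind, so they are worth hunting for in mailbox audit data. The following is an added example for this article, not Microsoft’s code or a product feature: it scans a handful of constructed audit records (a simplified shape with an operation name and a list of name/value parameters, modelled loosely on how Exchange audit exports present `New-InboxRule` and `Set-InboxRule` events) and flags rules whose effect is to hide messages. The user names, IP addresses, folder names and keyword list are all assumptions for the demo.

```python
"""Flag inbox rules that hide mail from the mailbox owner.

Added example (not from the article or Microsoft). Records are constructed and
simplified: real audit exports carry many more fields, but the operation name
and the rule parameters are the parts this check needs.
"""
import json

# Constructed sample: four audit records in JSON Lines form, as an export might look.
SAMPLE_AUDIT_LINES = """\
{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"Set-InboxRule","UserId":"carol@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Identity","Value":"Sync"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"MailItemsAccessed","UserId":"bob@example.com","ClientIP":"198.51.100.23","Parameters":[]}
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders that users rarely read; attackers park diverted mail there (assumed list).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}
# Keywords typical of payment-fraud follow-up (assumed list, extend per environment).
FRAUD_KEYWORDS = ("invoice", "payment", "wire", "bank", "password")


def parse_audit_lines(text: str) -> list[dict]:
    """Parse a JSON Lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_parameters(event: dict) -> dict[str, str]:
    """Flatten the name/value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def hiding_reasons(event: dict) -> list[str]:
    """Return why a rule event looks like it hides mail; empty list if it does not."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(event)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={folder}")
    if not reasons:
        return []  # only rules that actually divert or delete mail are of interest
    # Secondary indicators strengthen the finding but do not trigger it alone.
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True")
    filters = (params.get("SubjectContainsWords", "") + ";" + params.get("BodyContainsWords", "")).lower()
    if any(word in filters for word in FRAUD_KEYWORDS):
        reasons.append("filters on payment/credential keywords")
    return reasons


def find_hiding_rules(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious rule event, keeping the fields an analyst needs."""
    findings = []
    for event in events:
        reasons = hiding_reasons(event)
        if reasons:
            params = rule_parameters(event)
            findings.append({
                "user": event.get("UserId"),
                "client_ip": event.get("ClientIP"),
                "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hiding_rules(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(finding)
```

On the constructed sample, Alice’s newsletter rule is ignored, while Bob’s rule (delete anything mentioning invoices or wires) and Carol’s rule (divert to RSS Feeds and mark read) are reported with their reasons. In practice the client IP on a rule-creation event is also worth correlating with sign-in data, since a rule created from an address the user never signs in from points at the stolen-session scenario the article describes.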
By Microsoft’s estimates, this phishing campaign has targeted over 10,000 organizations since September 2021.
Two-factor authentication is still important
The problem is serious, but that doesn’t mean that two-factor authentication is no longer important. On the contrary. Microsoft itself recommends that the method continue to be used in organizations, but with some reinforcements. Among them are investing in anti-phishing solutions and adopting phishing-resistant authentication, such as FIDO or certificate-based authentication.
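The reason a relayed one-time code passes through the proxy while a FIDO login does not comes down to what the server actually checks. This added example (written for this article, not code from Microsoft or from any FIDO implementation) models both server-side checks in miniature: a TOTP-style verifier, which only asks whether the six digits are right, and a WebAuthn-style verifier, which also checks that the signed client data names the real site’s origin, because the browser fills in the origin it is really on and the authenticator signs it. The origins, secrets and challenge are constructed, and an HMAC stands in for the authenticator’s public-key signature so the block runs with the standard library alone.

```python
"""Relayed TOTP code vs. origin-bound FIDO assertion, as seen by the server.

Added illustration, not code from the article or Microsoft. Origins, keys and
the challenge are constructed; HMAC-SHA256 stands in for the authenticator's
public-key signature (a real WebAuthn server verifies with the credential's
public key, and additionally checks the RP ID hash in the authenticator data).
"""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

REAL_ORIGIN = "https://login.example.com"         # constructed: the genuine service
PROXY_ORIGIN = "https://login.example-com.test"   # constructed: the look-alike proxy


# --- TOTP-style code (RFC 6238: HMAC-SHA1 over the 30-second time step) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server cannot tell WHERE the user typed the code; a relayed code is valid.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# --- WebAuthn-style assertion: the signature covers the origin the browser saw ---
@dataclass
class Assertion:
    client_data: bytes   # JSON with type, challenge and origin, as the browser builds it
    signature: bytes     # stand-in for the authenticator's signature over client_data


def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> Assertion:
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    return Assertion(client_data, hmac.new(key, client_data, hashlib.sha256).digest())


def server_accepts_assertion(key: bytes, expected_challenge: str, assertion: Assertion) -> bool:
    expected_sig = hmac.new(key, assertion.client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion.signature):
        return False
    data = json.loads(assertion.client_data)
    # Origin binding: a signature produced on the proxy's origin never matches.
    return (
        data.get("type") == "webauthn.get"
        and hmac.compare_digest(data.get("challenge", ""), expected_challenge)
        and data.get("origin") == REAL_ORIGIN
    )


def relay_scenario() -> dict[str, bool]:
    """Run both factors through a relay and straight to the real site."""
    totp_secret = b"constructed-shared-secret"
    fido_key = b"constructed-credential-key"
    now = 1_700_000_000
    challenge = "constructed-challenge-from-real-site"

    # 1. The code the victim types on the proxy page is forwarded unchanged.
    totp_relayed = server_accepts_totp(totp_secret, totp(totp_secret, now), now)

    # 2. The proxy forwards the real site's challenge, but the victim's browser
    #    records the origin it is actually on, and that is what gets signed.
    relayed = authenticator_sign(fido_key, challenge, PROXY_ORIGIN)
    fido_relayed = server_accepts_assertion(fido_key, challenge, relayed)

    # 3. The same flow directly against the real site succeeds.
    direct = authenticator_sign(fido_key, challenge, REAL_ORIGIN)
    fido_direct = server_accepts_assertion(fido_key, challenge, direct)

    return {"totp_relayed": totp_relayed, "fido_relayed": fido_relayed, "fido_direct": fido_direct}


if __name__ == "__main__":
    print(relay_scenario())
```

The result is `totp_relayed=True`, `fido_relayed=False`, `fido_direct=True`: the one-time code carries no information about the page it was typed into, so relaying it is invisible to the server, whereas the FIDO assertion fails at the origin check before any session cookie is ever issued. That is the property behind Microsoft’s recommendation of FIDO or certificate-based authentication over codes that users type by hand.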
Oh, of course: the old rule of being careful with attachments and links in emails still applies.