Phishing attacks now target MFA enabled MS365 accounts

A massive phishing campaign has been targeting Microsoft 365 users and successfully bypassing multi-factor authentication (MFA) set up to protect the accounts, as analyzed by Microsoft in their blog.

There are ways to bypass MFA, and attackers are trying them all: rogue apps, vulnerabilities, legacy authentication protocols, spamming a target user with MFA prompts, and others. The attackers use proxy servers and phishing websites to steal users' password and session cookie. These techniques are sometimes called Adversary-in-the-Middle (AitM) attacks.

The final goal is to gain full access to the victim's mailbox, search for finance-related emails and hijack ongoing email threads to commit payment fraud and mount business email compromise (BEC) campaigns against other targets.

Evolving phishing campaigns bypassing MFA are a recent development and it shows how financial motivation leads to innovations in attackers' arsenals. Organizations must rapidly make their MFA implementation “phish-resistant” by using solutions that rely more on certificate-based authentication (but without the PKI hassle) i.e. support Fast ID Online (FIDO) v2.0. Also, it's important to continually assess the organization's capacity to withstand social engineering and phishing attacks via security awareness training (SAT) initiatives. Good news is that SAT can be automated and made a continuous part of employee's enablement journey.

Read more Help Net Security