Multi-Factor Authentication (MFA) is one of the most frequently recommended best practices for securing data and applications, designed to prevent even cybercriminals who have compromised user credentials in hand from successfully accessing corporate or personal IT resources. A survey of 1200 IT managers from early 2022 found that 57% had deployed MFA in their companies, and the majority of those who hadn’t yet done so, had plans to deploy it.
Microsoft claims that MFA can stop 99.9% of account compromise attacks. Unfortunately, however, MFA can be defeated, and with adoption of MFA growing, hackers are getting better at figuring out ways around this important line of defense.
Phishing and Stolen Cookies
Instead of trying to defeat MFA, cybercriminals are crafting clever phishing attacks that allow them to ride along on users’ valid authentication through aptly named Adversary-in-the-Middle (AiTM) sessions.
In this kind of attack, a hacker situates a reverse proxy between a user and a legitimate website the user commonly visits, such as a web email account. The hackers send a cleverly engineered phishing email to the targeted user, inviting them to click a link to log onto their “account”. When the user logs onto the website via the reverse proxy, it passes their credentials directly to the legitimate site. That site returns an MFA screen, and the user completes an MFA process that seems completely normal, which results in the user being logged onto their regular email account. What they most likely do not realize is that the hacker has intercepted their logon credentials, including the session cookies that allow them to get future access to the victim’s email.
As the process is based on a reverse proxy, hackers needn’t worry about creating a fake website since they leverage the original website directly. The only difference is in the URL, which very few users will notice.
For the attackers, the gold ring at the end of this process is the session cookie, which is extracted from the HTTP requests. MFA implementations rely on session cookies to spare users from having to reauthenticate every time they go to a different page on the site.
In this scenario, once the user is logged in, the legitimate website works just as it always does, despite the reverse proxy (and hacker) located between user and site. And once the hacker has that session cookie, they can inject it into their browsers to remain authenticated and function as if they were the user.
Email Access as a Tool for Deception
Unless espionage is a hacker’s goal, email access alone is not necessarily hugely valuable. The value resides in all the additional things a hacker can do with that email access.
Microsoft’s Threat Intelligence Center recently issued a report describing how attackers used AiTM phishing websites as a key tool for conducting financial fraud against third parties.
The attack they described targeted Office 365 users. The phishing email delivered a voice mail message and noted that it would be deleted in 24 hours, creating sufficient urgency to convince many recipients to log into their Office 365 accounts.
Once the attackers had piggybacked on the user login to gain email access, they sought out emails related to financial matters. Based on the content, in a classic BEC-style scam, they issued emails from the target’s account to companies the target previously worked with, containing fake invoices and requests for payment to the hacker’s accounts.
The attackers were ready to jump once they acquired email access; Microsoft reported that some attacks on third parties were launched within five minutes of when the cybercriminals secured access to the email account, although the process of accessing additional emails and identifying targets continued, in some instances, for days. They also took steps to cover their tracks by, for example, creating a rule that automatically archived replies to their BEC emails and marked them as “read” to keep targets from noticing unexpected activity. Once the scam was complete and funds received, they deleted related emails from archives and “sent” mailboxes of the person whose email they hijacked.
At least one attacker conducted multiple simultaneous fraud attempts from a compromised mailbox.
Microsoft threat data showed that over 10,000 organizations had been targeted by the AiTM phishing campaign in the past year.
Defending Against AiTM Attacks
This innovative attack demonstrates — yet again! — the importance of a multi-layered Zero Trust cybersecurity approach. As effective new lines of defense such as MFA become widely used, cybercriminals focus on ways to defeat them. And more often than not, they succeed. The upshot is that no single technology or technique is a panacea that can safeguard against all cybersecurity risks.
One tool that can help stop these kinds of attacks is the isolation based ZTEdge secure web gateway (SWG). With ZTEdge, web applications, SaaS applications and productivity platforms like Microsoft Teams are rendered in an isolated, secure cloud environment, enabling granular access policies to be strictly enforced. For instance, logins to corporate web apps may be restricted to users accessing the app from customer-specific IP addresses allocated by ZTEdge on its global cloud infrastructure. In the case described above, an AiTM attacks against a commonly used SaaS application like Offce365 would fail if the user attempts to connect from any other IP address.
As the cyberthreat landscape continues to evolve, it’s important to have protection not just against the threats we’re aware of today, but against the constant stream of innovative threats that cyberthieves dream up. A comprehensive Zero Trust-based preventative approach to cybersecurity such as that offered by ZTEdge, is the best way to avoid becoming a victim of cybercrime.