Phishing Attack Bypassed Office 365 Multifactor ProtectionsResearchers: Campaign Designed to Steal Users' Credentials, Launch Other Attacks
A recent phishing campaign bypassed multifactor authentication protections within Microsoft Office 365 to steal users' credentials stored in the cloud or launch other attacks, according to the security firm Cofense.
Unlike a typical phishing attack that attempts to harvest credentials by having a user input their username and password into a malicious domain designed to look like a Microsoft application, this campaign attempted to trick the victim into granting permission for a rogue application to run on their device, Cofense says in a new report. This helped bypass the multifactor authentication process.
This phishing campaign leveraged the OAuth2 framework and the OpenID Connect protocol, which help authenticate users of Office 365, along with a malicious SharePoint link designed to trick a victim into granting permission to a rogue application that the hackers control, according to Cofense.
"The phish is not a typical credential harvester, and even if it was, multifactor authentication wouldn’t have helped," Elmer Hernandez, a researcher with Cofense, notes in the report. "Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it's a stark reminder that phishing isn’t going to be solved by multifactor authentication."
In addition to potentially exposing users' documents and files stored in the cloud, the fraudsters waging the phishing campaign could gain access to victims' contact lists, creating potential new targets, according to the report.
Hernandez tells Information Security Media Group that the tactics used in this phishing campaign were first spotted at the end of 2019, but it's not clear if the campaign is still active.
The phishing attack started with an email that contains a malicious link that’s designed to look like a SharePoint file, according to the report. The message in the email noted that the file relates to bonuses for the quarter - an effective lure to get a victim to click.
If a targeted victim clicked the link, they were taken to the legitimate Microsoft Office 365 login page. But the URL had been subtly changed by the attackers to manipulate the authentication process.
To log in to Office 365, a user typically needs permission from the Microsoft Graph authentication process and a security token from the Microsoft Identity Platform. This is where the OAuth 2.0 framework, which grants a user limited access to their resources from one site to another, and the OpenID Connect protocol, which helps devices verify a user, came into play in the scam. These are designed to allow a user to log in without exposing credentials, according to the report.
The altered URL contained parameters that captured the security tokens and other authentication data and then sent that information back to the attackers. In one example, Cofense found a "redirect" parameter in the URL that sent authentication data to a domain hosted in Bulgaria.
Another parameter could capture a list of all the user's permissions. The researchers also note that a different parameter could ask for a new security token when an older one expired.
Once all these parameters had been filled in with credentials and permissions, the victim was asked to log in one more time. That granted the rogue application the same permissions as a legitimate app. From there, the rogue app could begin harvesting data from the Office 365 files or the contact list, according to the report.
Because many end users don't examine the full URL of applications, these types of attacks are difficult to spot, Cofense notes.
"In this case however, once permissions are granted, the attackers are in - regardless of credentials - and the user will find it more difficult to realize it," Hernandez tells ISMG.
This phishing campaign shows that attackers are looking for new ways to bypass multifactor authentication.
"Not only is there no need to compromise credentials, but touted security measures, such as [multifactor authentication] are also bypassed; it is users themselves who unwittingly approve malicious access to their data," according to Cofense. Hernandez does note, however, that this should not discourage companies from using two- or multifactor authentication as it does provide greater security protection.
Other phishing campaigns are targeting the authentication processes of Microsoft applications as well.
Earlier this month, researchers at Abnormal Security uncovered a phishing campaign that spoofed Teams notifications to harvest Office 365 credentials from employees working from home offices due to COVID-19 pandemic (see: Latest Phishing Campaign Spoofs Microsoft Teams Messages)