Email Account Theft to Bypass MFA Protection
Microsoft researchers recently discovered a large-scale phishing campaign that steals users' email accounts even when they have multi-factor authentication (MFA) enabled. Research shows that this type of phishing attack has been active since September 2021 and has attempted to target at least 10,000 organisations to date.
The technique, called Adversary-in-the-Middle (AiTM), is not difficult to understand and works as follows:
- Hackers deploy proxy servers and fake websites, then send phishing emails to target users;
- The user believes the fake email is legitimate and opens the fake website or attachment;
- The user is redirected to the fake website, which asks the user to enter their email account and password to sign in;
- The user enters the account password and completes MFA. The proxy server set up by the hacker relays the information entered by the user to the legitimate website page, so the user logs in successfully;
- Meanwhile, the hacker has already intercepted the user's credentials and authentication information at the back end. The result is that the hacker takes over the user's email account unnoticed.
Once the intrusion succeeds, the hacker searches the user's mailbox for email conversations relating to payments or invoices, then impersonates the owner of the compromised account to send fraudulent emails, such as asking customers or colleagues to send money to the hacker's bank account.
To keep the owner of the compromised account from noticing anything suspicious, the hacker deletes the fraudulent emails and creates inbox rules that hide replies from the fraud targets. For example, when the mailbox receives an email from a fraud target, the rule automatically deletes it or moves it to the archive folder and marks it as read.
Although MFA can be bypassed, it remains very effective in preventing other attack methods. It is therefore best for the users to continue applying MFA for email account security.
HKCERT recommends that users:
- Before providing login information, check the URL of the login page to ensure it is connected to the official login page
- Do not open suspicious emails or messages
- Do not open any website links or attachments in unknown emails
- Do not log in to your account through a link provided by email or an unknown website
- Check for suspicious inbox rules
- Use more advanced authentication technology, e.g., hardware-based FIDO (Fast IDentity Online) passwordless authentication
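The "check for suspicious inbox rules" recommendation can be turned into a simple review script. The example below is added here and is not HKCERT's or Microsoft's code; it assumes inbox rules have already been exported into plain dictionaries (the field names and the sample rules are constructed for illustration) and flags rules that match the hiding pattern described above: mail that is deleted or archived and marked as read, especially when the rule keys on payment-related subjects or specific senders, or carries a blank or placeholder name.

```python
# Added example (not HKCERT's code): scan exported inbox rules for the
# "hide the reply" pattern used after an AiTM mailbox takeover.
# Rule records are a constructed sample; a real review would export them
# from the mail platform into the same shape.

HIDING_ACTIONS = {"delete", "move_to_archive", "move_to_folder"}
FRAUD_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance")


def classify_rule(rule):
    """Return the reasons a rule looks like it hides replies from fraud targets.

    rule: dict with keys name, from_contains (sender substrings),
    subject_contains (subject keywords) and actions (set of action names).
    """
    reasons = []
    actions = set(rule.get("actions", ()))
    hides = actions & HIDING_ACTIONS
    if not hides:
        return reasons  # rules that only flag or categorise are not in scope
    if "mark_as_read" in actions:
        reasons.append("hides mail and marks it read (no unread count for the user)")
    else:
        reasons.append("hides mail: " + ", ".join(sorted(hides)))
    keywords = [k for k in rule.get("subject_contains", ())
                if any(f in k.lower() for f in FRAUD_KEYWORDS)]
    if keywords:
        reasons.append("matches payment-related subjects: " + ", ".join(keywords))
    if rule.get("from_contains"):
        reasons.append("targets specific senders: " + ", ".join(rule["from_contains"]))
    if rule.get("name", "").strip() in ("", ".", ",", "..."):
        reasons.append("blank or placeholder rule name")
    return reasons


def find_suspicious_rules(rules):
    """Map rule name -> reasons for every rule with at least two reasons."""
    findings = {}
    for rule in rules:
        reasons = classify_rule(rule)
        if len(reasons) >= 2:
            findings[rule.get("name", "").strip() or "<unnamed>"] = reasons
    return findings


# Constructed sample: a benign newsletter rule and one rule of the kind the campaign creates.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"], "actions": {"move_to_folder"}},
    {"name": ".", "from_contains": ["@customer-example.com"],
     "subject_contains": ["RE: Invoice", "payment"], "actions": {"move_to_archive", "mark_as_read"}},
]

if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES).items():
        print(f"Suspicious rule {name!r}: " + "; ".join(reasons))
```

Ordinary filing rules score a single reason and stay out of the report; a rule that both hides mail and narrows on senders, payment keywords, or a placeholder name is reported for manual review.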