Cofence Phishing Defence Center have discovered yet the latest of cybercriminals’ tricks: a phishing campaign that bypasses MFA. Different from other credential harvesting attacks, the scam attempts to trick users into granting permissions to an application that then proceeds to bypass multifactor authentication.
Leveraging the OAuth2 framework and OpenID Connect protocol, this campaign’s main goal is to steal user information to be used as leverage to extort a Bitcoin ransom.
Here’s cybersecurity experts’ advice and insight on this sophisticated scam:
Daniel Conrad, field strategist at One Identity
This is a very well-crafted phish as it “front ends” O365 with a malicious SharePoint site. When the user authenticates to O365 it grants this site access to the users data. It goes beyond the simple gaining of a user’s password and possibly moving laterally or elevating privilege. From an attacker’s perspective, this type of effort would be used for specific targets (aka “whaling”), where they would attempt to get specific account information from specific, high-level users. It’s a bit like a man-in-the-middle but for O365. Once authenticated, they would have access to anything stored on the O365 platform such as corporate email, contacts, OneDrive, etc., which they can take and hold for ransom or use maliciously.
As organisations train users on phishing and who is after their identities, attackers are learning as well. This attack underlines the importance of separating privileged credentials from standard user credentials. Any account with elevated permissions should not be “phishable”.
Tarik Saleh, senior security engineer and malware researcher at DomainTools
This kind of attack is definitely concerning, but not surprising. Cybercriminals are constantly looking for new and inventive ways to get around the increasingly complex defences deployed by enterprises, and by moderating a traditional phishing scam – hugely successful in their own right – to bypass multi-factor authentication, they have provided themselves with a template for cybercrime success.
The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware. Phishing is at its core an attack on people, and people remain the best defence against it, in addition to ensuring proper processes remain in place.
Jamie Akhtar, CEO and Co-Founder of CyberSmart
These scams are getting increasingly sophisticated in the ways that they masquerade as legitimate sources and while anti-phishing software can help stop many of them, others will always get through. The greatest defence when it comes to phishing threats is educating yourself and your employees on how to spot the signs of an attack.
People need to be on the lookout for spelling and grammatical errors, overpromising and eager messaging, pop-ups and urgent deadlines or calls to action. They should also look carefully at who the email is from. Phishing attempts often use the name of someone they know (a colleague or friend, for example) but with the wrong domain address. If the email contains a link, you should verify its SSL credentials and never give out personal information on a site that does not have a valid SSL certificate. If an employee or business realises they have been breached, they should immediately take action by changing their personal password and alerting employees in the rest of the company.
One of the aspects of phishing that makes it so tricky to defend against is that attackers are constantly adapting the tactics they are using to lure people in. Taking time to educate yourself and others on a regular basis on current phishing threats, is an important part of avoiding these attacks.
David Kennefick, product architect at edgescan
This is an advanced attack and some nice thinking outside the box from an attacker perspective.
So many organisation are reliant on supporting SSO solutions because of the simplicity. This attack vector is feeding off that. The reality is we are moving into a world where there are people who have known nothing other than SSO.
They use FB, Google and other technologies to manage all of their social, and from a work perspective the reply on corporate controls such as O365, Okta, Duo etc to handle all of the authentication in their working lives, all utilising technologies such as OAuth & SAML.
The main way to address this is to provide awareness to the folks who have accounts with permission that will allow this type of authorisation to happen. Stick with the minimum privileges rule and that will help, require double sign-off of hyper sensitive assets and their access. Train people that this is an attack vector and teach them how this will be used against them.