Businesses should be going into ‘panic mode’ due to serious exploit that enables ‘phishers’ and ‘hackers’ to effectively bypass 2FA (Two Factor Authentication)

We were alerted to a client last week who had their e-mail account compromised. This is usually a regular occurrence and is often picked up by our internet security platform. However, this time the attempt was super clever.

We were alerted to the issue by built-in detection within Office 365, so we were able to identify and shut down the account access within less than an hour.

We could see through our audit logs that the malicious attacker had indeed accessed the account. One question we kept asking ourselves is how this login attempt bypassed the user's 2FA (Multi Factor Authentication).

It turns out that, although recommended for security, 2FA was vulnerable to a certain style of attack: the attacker inserted a proxy site between the user and the work server they attempted to log into.

When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server's response back to the user. Once authentication was completed, the threat actor stole the session cookie the legitimate site sent, which is what lets the user avoid re-authenticating at every new page visited.

This meant that the malicious user was authenticated and trusted just as if they were using a domain-joined machine.

In this particular hack, the malicious user then attempted to send over 500+ emails in a bid to replicate itself, followed by the clever bit: making files and folders publicly accessible, and setting up and configuring e-mail rules to divert new mail into a hidden folder.

The hidden folder then remains accessible to the hacker, who over time would pick up the e-mails and use them to bribe the company that had been attacked.

In this case, we were able to go through the audit logs with a fine-tooth comb and reverse any changes made to permissions and files. We were also able to delete these malicious mail rules.

The affected user then had their password and 2FA reset to boot out any malicious user still using trusted cookies.
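As an added illustration (not code from the original post or from SysFlex), the following Python sketch runs the kind of audit-log triage described above over a constructed sample of simplified Office 365 unified audit log records: it picks out inbox rules that divert mail into rarely-opened folders, anonymous sharing links, and unusually high send volumes, and groups them per user. The record shape, the folder list and the send threshold are assumptions made for this example.

```python
from collections import Counter, defaultdict
# Constructed sample of simplified Office 365 unified audit log records.
# Field names follow the real log's top-level shape (Operation, UserId,
# ClientIP, Parameters); every value here is invented for this example.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "AnonymousLinkCreated", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Invoices.xlsx"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
] + [{"Operation": "Send", "UserId": "alice@example.com", "ClientIP": "203.0.113.7"}] * 120 \
  + [{"Operation": "Send", "UserId": "bob@example.com", "ClientIP": "198.51.100.9"}] * 5

# Assumed tuning values: folders users rarely open (where diverted mail gets
# hidden) and a per-window send count well above normal for this tenant.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "deleted items", "archive"}
SEND_THRESHOLD = 100

def params(rec):
    # Exchange cmdlet records carry their arguments as a list of {Name, Value}
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def find_suspicious_rules(records):
    # Flag rules that move mail to a hidden folder, delete it, or carry a throwaway name
    hits = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params(r)
        name, folder = p.get("Name", "").strip(), p.get("MoveToFolder", "")
        if folder.lower() in SUSPICIOUS_FOLDERS or len(name) <= 1 or p.get("DeleteMessage") == "True":
            hits.append((r["UserId"], name, folder))
    return hits

def find_mass_senders(records, threshold=SEND_THRESHOLD):
    counts = Counter(r["UserId"] for r in records if r["Operation"] == "Send")
    return {user: n for user, n in counts.items() if n >= threshold}

def triage(records):
    # Per-user indicators; several together justify the immediate password and session reset
    findings = defaultdict(list)
    for user, name, folder in find_suspicious_rules(records):
        findings[user].append(f"inbox rule '{name}' moves mail to '{folder}'")
    for r in records:
        if r["Operation"] == "AnonymousLinkCreated":
            findings[r["UserId"]].append(f"anonymous sharing link created for {r.get('ObjectId', '')}")
    for user, n in find_mass_senders(records).items():
        findings[user].append(f"{n} outbound sends")
    return dict(findings)
```

Run against real exports, the same functions can be fed the records returned by Search-UnifiedAuditLog after parsing each entry's AuditData JSON into this shape.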

How is it possible to ensure that this sort of attack doesn’t happen within my organisation?

Here’s what you need to know to keep your accounts safe:

  1. Be cautious of unsolicited emails or messages: Phishing attacks usually start with an unexpected email or message, pretending to be from a trustworthy source, asking you to click on a link or share personal information. Always verify the source of any email or message that raises suspicion before clicking on any links or sharing any information.

  2. Watch for warning signs: Phishing emails and messages often contain typos, grammatical errors, mismatched logos, and other inconsistencies. Keep an eye out for these warning signs and avoid engaging with any communication that seems suspicious.

  3. Exercise caution with links: Before clicking on any links from unknown sources, hover over them to see where they lead. If the link seems questionable, do not click it. If you must click on a link, only do so from a trusted source, such as a legitimate website.

  4. Keep your security measures up-to-date: Regularly update your software, including your operating system and web browser, to stay ahead of new threats. Additionally, use strong, unique passwords and enable two-factor authentication wherever possible.

By following these simple tips, you can help ensure that your MFA-secured accounts stay protected from phishing attacks. However, what happens if a malicious link is clicked and a user authenticates the attacker?

1. By far the best option is to train your users not to click these types of links, but mistakes do happen.

2. Make sure you invest in phishing protection software, such as Windows Defender or other platforms such as Webroot.

3. Implement conditional access. This feature ensures that only authorised devices can connect to Office 365: users must sign in from an approved device, and general web access is disabled.

We can help!

If you have been affected by a phishing scam, or you are worried about your company data and how to protect it, drop us an e-mail, or give us a call. 0330 321 6284 / hello@sysflex.co.uk