and hackers have developed ways to bypass multi-factor authentication (MFA) on cloud productivity services like Microsoft 365 (formerly Office 365).
A BEC attack recently analyzed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive’s account and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analyzed is widespread and targets large transactions of up to several million dollars each.
Initial access for the BEC attack
The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.
This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully,…
