Novel phishing campaign highlights need for MFA, says Microsoft

Microsoft details a new multi-stage phishing campaign that only affects victims without multifactor authentication in place

A recently discovered multi-stage, large-scale phishing campaign first observed in APAC employs a novel technique that is only successful against organisations that do not have multifactor authentication (MFA) in place, according to Microsoft’s security team.

In a newly published disclosure, Microsoft revealed how the campaign targeted victims in Australia, Indonesia, Singapore and Thailand, first through the fairly standard practice of stealing credentials – in this instance via a fake DocuSign phish that directed them to a spoofed Office 365 login.

In the second stage, the attackers behind the campaign exploited the current prevalence of bring-your-own-device policies by using the stolen credentials to register their own devices on the target network, which they then used to expand their presence on the network and propagate the attack further.

Because MFA, when correctly deployed, prevents attackers from using stolen credentials to access devices or networks, those that were using it were able to foil the campaign, but for those that did not, the attack progressed.

“This campaign shows that the continuous improvement of visibility and protections on managed devices has forced attackers to explore alternative avenues,” wrote the Microsoft 365 Defender Threat Intelligence Team. “The potential attack surface is further broadened by the increase in employees who work from home, which shifts the boundaries between internal and external corporate networks.

“Attackers deploy various tactics to target organisational issues inherent with hybrid work, human error, and shadow IT or unmanaged apps, services, devices, and other infrastructure operating outside standard policies,” they wrote.

“These unmanaged devices are often ignored or missed by security teams at join time, making them lucrative targets for compromising, quietly performing lateral movements, jumping network boundaries and achieving persistence for the sake of launching broader attacks. Even more concerning, as our researchers uncovered in this case, is when attackers manage to successfully connect a device that they fully operate and is in their complete control.”

Jason Soroko, chief technology officer of public key infrastructure at certificate management specialist Sectigo, said: “Criminals are getting smarter and can still gain results from older, proven attack vectors. In case of a phishing attack, it is no longer enough to watch out for crudely worded emails – recipients must also consider context, content and sender, particularly if financial transactions are involved. There are all kinds of malware that can get into your system through downloads or straight hacking.

“The bottom line is that usernames and passwords are not a safe method for authentication, whether used for PoS terminals or social media accounts,” he said.

“Unfortunately, reliance on the password model is still far too common. This latest vulnerability underlines just how flawed the model is, as one insecure device protected by a default password can be an entry point to a broader attack on the network.”

Comments: