Microsoft has reported on a new man-in-the-middle phishing campaign, which targeted over 10,000 organizations in the last year

What’s most notable about this attack is that it stole passwords, and skipped the authentication process–even if the user had enabled MFA.

While not a vulnerability in MFA, it does make one thing clear: MFA is not a panacea.

In this case that Microsoft reported on, the first step started with emails that had an HTML file attachment. When clicking on the file, it loaded in the browser and showed that a voice message file was being downloaded. What actually happened was that the page redirected the user to a phishing site. The user’s email was encoded via Base64 and saved it, so that the phishing page filled out the sign-in on the user’s behalf. 

Once the end-user entered their credentials, the attackers steal the credentials and get authenticated.

From there, they can start to perform BEC campaigns from within the organization. This is not necessarily a sophisticated attack, as threat actors just need to purchase a ready-made kit. This attack can work in Gmail or in Microsoft.

In this attack, it doesn’t matter what form of MFA the user deploys. Because the man-in-the-middle attack steals the cookie, the attacker automatically gets authenticated into the user’s session. In other words, MFA won’t keep you safe. 

Microsoft has promoted MFA as a cure-all. In fact, they say that MFA can prevent 99.9 percent of attacks. However, hackers have found a way around it. Even if you use MFA, this attack can still happen. Because they have the session cookie, they can begin to commit payment fraud. 

This doesn’t mean that MFA should be abandoned. But think about it: You know when you get an alert on your phone that someone has signed in to your YouTube account? How many times have you blindly given access, thinking it’s a family member? That may be the case, but we’re conditioned to just allow access. That plays in the hackers’ favor.

To better defend against these sorts of attacks, a few things are needed. 

-Conditional access. This means that access is dependent on a few things, such as monitored devices or trusted IPs.

-Anamoly protection: This means leveraging logs from existing SaaS email & collaboration providers, and cross-referencing that activity against our database of suspicious behavior that we gather from our customer base and from ThreatCloud. 

-BEC Protection: This means having machine learning algorithms that combine with role-based contextual analysis of previous conversations to determine the threats that others have missed. On deployment day, we analyze one year's worth of email conversations to build a trusted reputation network. We scan and quarantine internal email and files in real-time, preventing east-west attacks and insider threats. Finally, we have account takeover protection that goes beyond email, looking at login events, configuration changes and end-user activities throughout the suite. 

There are a million avenues where a bad link can arrive. After clicking, what happens next? Complementing MFA with conditional access, anomaly protection and more is essential.  We also have an MFA anomalies engine, which detects login operations that failed the MFA stage.

Multi-factor authentication is another form of perimeter security, but the cloud has no perimeter. People often think that because they have MFA, they’re immune to phishing attacks. To be clear, MFA is not designed to stop attacks not related to logins. It only secures online accounts at the perimeter, when the user logs in to gain access. 

Here are some scenarios where MFA security can not stop phishing:

  • Spoofed login pages
  • Impersonation attacks 
    • CEO fraud
    • BEC
    • Fraudulent requests for the transfer of funds or W-2s
  • Embedded links to malware

MFA is one critical layer of defense in depth security. But it's not the only defense. The best defenses require multiple layers. That's where Avanan can help.