If you haven’t adopted multi-factor authentication (MFA) yet, what the heck are you waiting for? MFA curtails most malicious phishing attacks, as even if an attacker has access to your login credentials, they would not be able to access the MFA code, which changes twice a minute.
However, Microsoft’s Detection and Response Team (DART) has seen an increase in phishing attacks that can bypass MFA. The two methods that Microsoft outlined both rely on stealing a user’s token, or the MFA code.
Adversary-in-the-middle (AitM)
The phishing tactic known as Adversary-in-the-middle attempts to steal a user’s token instead of their login credentials. The attacker inserts a malicious program between the user and the legitimate program, then sends a series of phishing emails, hoping to get the user to bite. If the user does click on one of these phishing emails, they will be routed to the legitimate website and log in, all without knowing that they are also sharing their information with a malicious program in the middle.
What is daunting about this tactic is that the user may not know at all that they have been phished. From their end, it could appear as business as usual. In the worst-case scenario, an attacker could gain access to the Global Administrator privilege, then hold the Azure AD tenant hostage.
Pass-the-Cookie attack
The other phishing tactic Microsoft’s DART has noticed an increase in is “pass-the-cookie” attacks. With this method, an attacker does not need authentication credentials to log in, and instead compromises an internet browser’s cookies. When your browser asks if you want a particular site to remember you, those login credentials are stored as cookies in the browser. Awfully convenient for the average user, and awfully dangerous if stolen.
With cookies successfully obtained, an attacker could then pass those cookies to another browser, and retain access to all of the sites that have your information saved. The attacker does not even need to know what your email and passwords are! It’s all saved in the cookies.
Microsoft issues a warning especially to professionals who access a company’s data through personal devices, which are typically much less secure.
Detection and protection
It can be especially difficult to manage all of a company’s devices, and even harder to ensure that every employee is following the best security practices. A few company-wide practices could include things such as:
- Shortening the lifetime of a session, thus increasing the rate of authentication.
- Shortening the time in which a token is usable, forcing an attacker to wage more frequent attacks, and thus giving your security team more chances to catch it.
If a cookie is taken, there is still time to take protective action before havoc is wreaked. A company could monitor major, suspicious changes in their users’ settings. These changes might be:
- Modifying or creating security configurations
- Modifying or creating Exchange transport rules
- Modifying or creating privileged roles or users
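One way to watch for the three kinds of change listed above, shown as an added example that is not from the original article or from Microsoft. The operation names in the watchlist, the record fields (`CreationTime`, `UserId`, `Operation`), the 30-minute window and the severity rule are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed watchlist: operation names as they commonly appear in Microsoft 365
# and Azure AD audit logs. Adjust it to what your tenant actually records.
WATCHLIST = {
    "security configuration": {"Add conditional access policy",
                               "Update conditional access policy",
                               "Delete conditional access policy"},
    "Exchange transport rule": {"New-TransportRule", "Set-TransportRule"},
    "privileged role or user": {"Add member to role.", "Add user."},
}

# Constructed sample records (not real log data), reduced to three fields.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-01-10T09:02:11", "UserId": "alice@example.com", "Operation": "UserLoggedIn"},
    {"CreationTime": "2023-01-10T09:05:40", "UserId": "alice@example.com", "Operation": "New-TransportRule"},
    {"CreationTime": "2023-01-10T09:12:03", "UserId": "Alice@example.com", "Operation": "Add member to role."},
    {"CreationTime": "2023-01-10T14:30:00", "UserId": "bob@example.com", "Operation": "Set-TransportRule"},
    {"CreationTime": "2023-01-10T16:00:00", "UserId": "carol@example.com", "Operation": "FileAccessed"},
]

def categorize(operation):
    """Map an audit operation to one of the article's change types, or None."""
    for category, operations in WATCHLIST.items():
        if operation in operations:
            return category
    return None

def find_suspicious_changes(records, window=timedelta(minutes=30)):
    """Return watched changes in time order. Severity is 'high' when the same
    user changed more than one category within `window` (assumed heuristic)."""
    hits = []
    for rec in records:
        category = categorize(rec["Operation"])
        if category:
            hits.append({"time": datetime.fromisoformat(rec["CreationTime"]),
                         "user": rec["UserId"].lower(),
                         "operation": rec["Operation"], "category": category})
    hits.sort(key=lambda h: h["time"])
    for hit in hits:
        nearby = {o["category"] for o in hits if o["user"] == hit["user"]
                  and abs(o["time"] - hit["time"]) <= window}
        hit["severity"] = "high" if len(nearby) > 1 else "medium"
    return hits

if __name__ == "__main__":
    for alert in find_suspicious_changes(SAMPLE_RECORDS):
        print(alert["time"], alert["severity"], alert["user"], alert["operation"])
```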
This information is not meant to scare you. We hope that by educating our clients on these developments, we can work together to protect your information. Additionally, if your company has good cybersecurity hygiene, creates backups, and ensures that your software runs the latest update, this could prevent up to 98% of all attacks.
Read more: Token tactics: How to prevent, detect, and respond to cloud token theft – Microsoft Security Blog