When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Beware: Microsoft email users, even with MFA on, are unsafe from this new phishing attack

Neowin · · Hot! with 23 comments

Microsoft Exchange and Outlook symbols with a danger skull sign

Microsoft email service users need to be careful out there. That's because Zscaler, a cybersecurity research firm, has discovered a new ongoing phishing campaign targeting Microsoft email users. According to its findings, corporate users are under attack and the campaign is being run using adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication (MFA).

The AiTM technique, as the name suggests, places an adversary in the middle to intercept the authentication process between the client and the server to steal credentials during the exchange. This means the MFA information is also stolen. Basically the adversary in the middle acts like the server to the real client and the client to the real server. The image below, ironically from Microsoft itself, shows how AiTM works:

AiTM attack mechanism

The analysis of this phishing campaign was done by Zscaler's ThreatLabz and it has summarized the attack into the following key points below:

Key points

  • Corporate users of Microsoft's email services are the main targets of this large-scale phishing campaign.
  • All these phishing attacks begin with an email sent to the victim with a malicious link.
  • The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
  • In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
  • Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
  • A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
  • Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
  • Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
  • Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.

Zscaler also notes some attacker-registered domains which were typo-squatted versions of legitimate Federal Credit Unions in the US:

Attacker-registered domain Legit Federal Credit Union domain
crossvalleyfcv[.]org crossvalleyfcu[.]org
triboro-fcv[.]org triboro-fcu[.]org

cityfederalcv[.]com

cityfederalcu[.]com
portconnfcuu[.]com portconnfcu[.]com
oufcv[.]com oufcu[.]com

You can find more technical details in the official blog post on Zscaler's website here.

Report a problem with article
Next Article

Nintendo Switch crosses 111 million units in latest sales data

Images from the Apples&039s Peek Performance event
Previous Article

Latest update for iPad won't arrive with iOS 16 as Apple struggles with software issues

Join the conversation!

Login or Sign Up to read and post a comment.

23 Comments - Add comment