A new phishing campaign has been discovered that is capable of bypassing Multi-Factor Authentication (MFA) on Office 365. 

What happened

Researchers at Cofense have discovered that a new phishing campaign that gains access to the user data and uses it to extort bitcoin ransom. The campaign utilizes the OAuth2 framework and OIDC protocol and uses a malicious SharePoint link to trick victims into granting permissions to a rogue application.

This is not the first incident

There are various ways to bypass MFA, including SIM swapping, using transparent proxies, and exploiting vulnerabilities in applications managing MFA. Some of the previous attacks are:
  • In 2019, a financial institution was hacked where the threat actor exploited a flaw in the website to bypass the 2FA. 
  • In 2016, customers of a U.S. bank were targeted through SIM swapping. 

What the experts are saying

  • Cofense researchers have stated that phishing attacks cannot be prevented just by the implementation of MFA.
  • The OAuth2 framework phish is a pertinent instance of adversary adaptation. It tricks users into allowing malicious access to their information.

Worth noting

  • Although the most basic consequence of a successful attack is gaining access to cloud-hosted sensitive information, attackers rarely stop there.
  • The sensitive information can be leveraged to extort victims for Bitcoin ransom and procure the victim’s address book to find fresh victims.

In essence

Despite a rise in the number of MFA bypass attacks, these attacks are rare and have not been automated at scale. According to statistics, MFA users are protected from 99.9% of all sorts of account hacks.

Cyware Publisher

Publisher

Cyware