Hackers are able to hijack Outlook email accounts even if they’re protected by multi-factor authentication, Microsoft has warned.
The company’s cybersecurity teams from the Threat Intelligence Center and the Microsoft 365 Defender Research Team have uncovered a new large-scale phishing campaign that targeted more than 10,000 businesses in the past year.
The compromised email accounts are later used for business email compromise (BEC) attacks, in which the victim’s business partners, clients, and customers end up being defrauded of their money.
Stealing session cookies
The victim would receive a phishing email, with a link to log into their Outlook account. That link, however, would lead them to a proxy site, seemingly identical to the legitimate one. The victim would try to log in, and the proxy site would allow it, sending all of the data through.
However, once the victim completes the authentication process, the attacker would steal the session cookie. Because the user doesn’t need to be reauthenticated at every new page visit, the stolen cookie gives the threat actor full access as well.
“From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com),” Microsoft’s blog post said. “In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.”
After getting hold of the email account, the attackers would proceed to target the contacts in the inbox, using the stolen identities to try and trick them into sending payments of various sizes.
To make sure the original victim stays oblivious to the fact that their email account is being abused, the attackers would set up inbox rules on the endpoint, marking their emails as read by default and moving them to the archive immediately. The attackers would check the inbox every couple of days, it was said.
“On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox,” Microsoft says. “Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains.”
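The inbox rules described above (mark as read, move to archive, later widened to new target domains) leave a pattern defenders can look for in mailbox rule change records. The sketch below is an added example, not code from Microsoft or from the original article; the event fields, rule names and domains are a constructed, simplified schema and do not reproduce any real audit log format.

```python
"""Flag mailbox rules that hide mail the way the rules in this campaign did."""
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema
# (an assumption for illustration, not a real audit log format).
EVENTS = [
    {"time": "2022-07-01T09:02Z", "mailbox": "alice@corp.example", "op": "new",
     "rule": "r1", "mark_read": True, "move_to": "Archive",
     "sender_domains": ["supplier.example"]},
    {"time": "2022-07-03T11:40Z", "mailbox": "alice@corp.example", "op": "update",
     "rule": "r1", "mark_read": True, "move_to": "Archive",
     "sender_domains": ["supplier.example", "customer.example"]},
    {"time": "2022-07-02T08:15Z", "mailbox": "bob@corp.example", "op": "new",
     "rule": "r7", "mark_read": False, "move_to": "Newsletters",
     "sender_domains": ["news.example"]},
]

HIDING_FOLDERS = {"archive"}  # assumption: folders that take mail out of view


def is_hiding_rule(ev):
    """True when a rule both marks mail as read and moves it to an archive folder."""
    return bool(ev["mark_read"]) and str(ev["move_to"]).lower() in HIDING_FOLDERS


def find_suspicious_rules(events):
    """Return one finding per hiding-rule event, with sender domains newly added."""
    seen = defaultdict(set)  # (mailbox, rule) -> sender domains already covered
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["mailbox"], ev["rule"])
        domains = {d.lower() for d in ev["sender_domains"]}
        added = domains - seen[key]
        seen[key] |= domains
        if not is_hiding_rule(ev):
            continue
        if ev["op"] == "new":
            reason = "hiding rule created"
        else:
            reason = "hiding rule widened" if added else "hiding rule modified"
        findings.append({"time": ev["time"], "mailbox": ev["mailbox"],
                         "rule": ev["rule"], "reason": reason,
                         "new_domains": sorted(added)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(EVENTS):
        print(finding)
```

A finding on its own is a triage lead: correlating it with a sign-in from an unfamiliar address shortly before the rule change ties it back to the session cookie reuse described earlier.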