
Microsoft Details an Advanced Phishing Scheme Aimed at Numerous Financial Institutions

Sophisticated Phishing Tactic Bypasses MFA

Experts from Microsoft Defender discovered a complex scam involving phishing and fraudulent business emails aimed at banks and financial services. The scam started with a hacked trusted vendor, then spread through multiple companies via a series of sophisticated attacks. The scam highlights the tricky nature of these threats, which misuse the trust between vendors and partners to commit financial fraud. 


Microsoft Defender experts found a complex scam that ended in a typical phishing attack and business email trickery. However, it stood out because it used an indirect proxy, a different method than usual. This gave the criminals more control, allowing them to personalize their scam pages and steal session cookies more effectively. After stealing these cookies, the criminals could sign in and change multi-factor authentication (MFA) settings without a challenge because the MFA wasn't set up securely. The scam also involved a second round of phishing, in which over 16,000 emails were sent to the initial victim's contacts.

This scam shows how tricky these attacks can be and how strong our defenses need to be in response. Simply changing a compromised password isn’t enough – the affected companies also need to cancel the stolen session cookies and undo any changes the criminals made to the MFA settings. This event underlines the need to constantly search for new threats and tactics used by criminals to protect ourselves effectively. 

The criminals used a phishing toolkit made by a group that Microsoft is tracking as Storm-1167. Microsoft gives the “Storm-####” names to emerging threats until we’re confident about who is behind the attacks. 


How to Stop Phishing Attacks 

Usually, when an identity is compromised, the best response is to change the password for the affected user. But in these phishing attacks this isn't enough, because the sign-in session is compromised too. Plus, even if you reset the password and revoke the sessions for the compromised user, the attacker can still keep control by tampering with MFA. For example, they might register a new MFA method that lets them sign in with a one-time password (OTP) sent to a phone number they control. With these methods, the attacker can keep control over the victim's account even if you take the traditional steps to stop them.
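As an added example (not code from Microsoft's report or from this post), here is the containment sequence just described as a Microsoft Graph PowerShell SDK script: it revokes the compromised user's sign-in sessions, lists the security-info registration audit events since the suspected compromise time, and removes any phone-based MFA methods the analyst does not recognise. The UPN, timestamp and known-good phone list are placeholders, and the script assumes an administrator session that has been granted the listed Graph permissions.

```powershell
# Added example: contain an account whose session cookie was stolen, using the Microsoft.Graph SDK.
# $Upn, $CompromisedSince and $KnownGoodPhones are placeholder assumptions the analyst fills in.
param(
    [string]$Upn = 'victim@example.com',
    [datetime]$CompromisedSince = (Get-Date).AddDays(-7),
    [string[]]$KnownGoodPhones = @('+1 5551234567')   # numbers the user enrolled before the incident
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','AuditLog.Read.All' | Out-Null

# 1. A password reset alone leaves the stolen session cookie valid, so revoke every session first.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Revoked sign-in sessions for $Upn"

# 2. Look for MFA changes made during the suspected window: 'User registered security info' audit
#    events show when a new method was registered and from which IP address.
$since  = $CompromisedSince.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'User registered security info' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Where-Object { $_.TargetResources.UserPrincipalName -contains $Upn }
foreach ($e in $events) {
    '{0:u}  {1}  from {2}' -f $e.ActivityDateTime, $e.ResultReason, $e.InitiatedBy.User.IpAddress
}

# 3. Remove phone (SMS/voice OTP) methods that are not on the known-good list; an attacker-added
#    phone number is what keeps the account reachable after the password is reset.
foreach ($p in Get-MgUserAuthenticationPhoneMethod -UserId $Upn) {
    if ($KnownGoodPhones -notcontains $p.PhoneNumber) {
        Write-Warning "Removing unrecognised $($p.PhoneType) method $($p.PhoneNumber) (id $($p.Id))"
        Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $p.Id
    }
}

# 4. Show what remains so the user can re-register only legitimate methods.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```

Run it after the password reset, and review the audit output before trusting any phone number that was registered inside the window, even one that looks familiar.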

Despite phishing attacks that try to get around MFA, it is still a crucial part of securing identities and can stop many different types of threats. Attackers developed session-cookie theft precisely because MFA works so well. Organizations should work with their identity provider to make sure they have MFA in place. Microsoft customers can do this in several ways, such as using Microsoft Authenticator, FIDO2 security keys, and certificate-based authentication.