Cybersecurity Experts Comment on Phishing Campaign That Can Bypass MFA

Cofense's Phishing Defense Center has discovered the latest of cybercriminals' tricks: a phishing campaign that bypasses MFA. Unlike ordinary credential-harvesting attacks, this scam does not rely on stealing the user's password; it tricks the user into granting permissions to an attacker-controlled application. The user signs in to Microsoft legitimately, MFA included, and then consents to the app, so the application's OAuth tokens give the attacker access to the account without ever facing an MFA challenge.


The campaign leverages the OAuth2 framework and the OpenID Connect protocol, so the consent prompt the victim sees is a genuine Microsoft login and permission dialog rather than a look-alike page. Its main goal is to steal user information that is then used as leverage to extort a Bitcoin ransom.
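The following is an added example, not code from Cofense or from this article, showing the two checks a defender can run against this kind of consent phish: parsing the OAuth2/OIDC authorize URL that a phishing link points at (the client ID, redirect URI and requested scopes tell you what the app would get), and triaging existing delegated consent grants in a tenant for unknown apps holding mail, contacts or file scopes. The scope names are real Microsoft Graph delegated permissions; the client IDs, hostnames, the trusted-host allow list and the grant records are constructed for illustration, and the grant records only follow the field names of Graph's oauth2PermissionGrant objects.

```python
"""Triage OAuth2 consent requests and existing delegated grants.

Added example (not Cofense's or the article's code). A consent phish never has
to defeat MFA: the victim signs in normally, MFA included, then grants a
third-party app delegated permissions, and the app's tokens are what the
attacker uses afterwards. All sample data below is constructed.
"""
from urllib.parse import urlparse, parse_qs

# Delegated scopes that hand an app the data the article lists (mail, contacts,
# OneDrive/SharePoint files). Real Microsoft Graph permission names.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}

# Hypothetical allow list of hosts the organisation actually controls. A
# "SharePoint" page whose authorization code goes anywhere else is suspect.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "example.com"}


def parse_consent_request(url: str) -> dict:
    """Break an OAuth2/OIDC authorize URL into the fields worth inspecting."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    redirect_uri = first("redirect_uri")
    return {
        "authority": parsed.netloc,
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "redirect_uri": redirect_uri,
        "redirect_host": urlparse(redirect_uri).hostname or "",
        "scopes": first("scope").split(),  # parse_qs already decoded '+' and %20
    }


def assess_request(req: dict) -> dict:
    """Return the risky scopes and findings for a parsed authorize request."""
    risky = sorted(s for s in req["scopes"] if s in HIGH_RISK_SCOPES)
    findings = []
    if risky:
        findings.append(f"high-risk delegated scopes: {', '.join(risky)}")
    if req["redirect_host"] and req["redirect_host"] not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not trusted: {req['redirect_host']}")
    if "offline_access" in req["scopes"]:
        # A refresh token keeps working after the session in which MFA was passed.
        findings.append("offline_access requested: refresh token outlives the MFA session")
    return {"risky_scopes": risky, "findings": findings, "suspicious": bool(findings)}


def triage_grants(grants: list, known_client_ids: set) -> list:
    """Flag delegated grants to apps outside the organisation's known list.

    Records use the field names of Microsoft Graph oauth2PermissionGrant objects
    (clientId, consentType, principalId, scope); the data here is constructed.
    """
    flagged = []
    for g in grants:
        scopes = g.get("scope", "").split()
        risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
        if g["clientId"] not in known_client_ids and risky:
            flagged.append({
                "clientId": g["clientId"],
                "principalId": g.get("principalId"),
                "tenant_wide": g.get("consentType") == "AllPrincipals",
                "risky_scopes": risky,
                "persistent": "offline_access" in scopes,
            })
    return flagged


# Constructed sample: a phishing link that opens a genuine Microsoft consent
# prompt for an attacker-registered app, plus two existing grants in a tenant.
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsharepoint-docs.example.net%2Fcallback"
    "&scope=openid+profile+offline_access+Mail.Read+Contacts.Read+Files.Read.All"
)

SAMPLE_GRANTS = [
    {"clientId": "aaaa0000-0000-0000-0000-00000000000a", "consentType": "Principal",
     "principalId": "user-01", "scope": "openid profile User.Read"},
    {"clientId": "11111111-2222-3333-4444-555555555555", "consentType": "Principal",
     "principalId": "user-07",
     "scope": "openid offline_access Mail.Read Contacts.Read Files.Read.All"},
]
KNOWN_CLIENT_IDS = {"aaaa0000-0000-0000-0000-00000000000a"}

if __name__ == "__main__":
    request = parse_consent_request(PHISH_URL)
    print(request["client_id"], request["redirect_host"])
    for line in assess_request(request)["findings"]:
        print(" -", line)
    for grant in triage_grants(SAMPLE_GRANTS, KNOWN_CLIENT_IDS):
        print(grant)
```

In a real tenant the grant records come from the Graph `oauth2PermissionGrants` endpoint or the Enterprise applications blade; the parsing step is worth running on any login link reported by users, because the authorize URL itself reveals the requested permissions before anyone clicks Accept.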


Here’s cybersecurity experts’ advice and insight on this sophisticated scam:


Daniel Conrad, field strategist at One Identity


This is a very well-crafted phish as it “front ends” O365 with a malicious SharePoint site. When the user authenticates to O365 it grants this site access to the user's data. It goes beyond the simple gaining of a user's password and possibly moving laterally or elevating privilege. From an attacker's perspective, this type of effort would be used for specific targets (aka “whaling”), where they would attempt to get specific account information from specific, high-level users. It's a bit like a man-in-the-middle but for O365. Once authenticated, they would have access to anything stored on the O365 platform such as corporate email, contacts, OneDrive, etc., which they can take and hold for ransom or use maliciously.


As organisations train users on phishing and who is after their identities, attackers are learning as well. This attack underlines the importance of separating privileged credentials from standard user credentials. Any account with elevated permissions should not be “phishable”.


Tarik Saleh, senior security engineer and malware researcher at DomainTools


This kind of attack is definitely concerning, but not surprising. Cybercriminals are constantly looking for new and inventive ways to get ar ..
