How hackers managed to bypass Microsoft’s two-factor authentication

3

You don’t need to be a computer genius to carry out phishing attacks. This is proven by the latest scam attempt discovered by Microsoft. A hack that bypasses the double authentication mechanism.

Microsoft has been the victim of a new major cyberattack. In a blog post published on July 12, the Redmond publisher details how hackers have tried to infiltrate the mailboxes of more than 10,000 companies since September 2021. Already worrying enough, the news is an even more embarrassing character: the hackers have indeed managed to circumvent the double authentication mechanism.

A simple pirate server

As a reminder, double authentication consists of reinforcing the security of your web accounts by protecting them with a second layer of identity verification. In addition to a password, accounts with double authentication require entering a unique and temporary code generated by an application on the telephone or received by SMS. This method relies on the logic “what you know (the password) + what you have (the phone)”. This process is used in particular by most French banks.

Two-factor authentication (or 2FA) is not foolproof, however, as these recent attacks prove. The modus operandi of pirates is also of a confusing simplicity. By posing as a Microsoft login portal, the hackers recovered users’ email and password. They then forwarded this information to the real Microsoft site. When a double authentication request appeared on Microsoft’s side, the pirate server also displayed a page inviting Internet users to enter their double authentication code. Once the latter was entered on the fake web page, the hackers transmitted it to the real site and thus accessed the targeted electronic mailbox.

Advertising, your content continues below

Attack diagram illustration

Attack scheme used by malicious hackers —

© Microsoft

Once access was confirmed, the hackers kept the login cookie allowing them to access the e-mail box. There followed a sending of fraudulent messages in which the hackers asked other employees of the company to transfer large sums of money under the pretext of professional needs. To cover their tracks, they then created advanced email filters to archive and mark all scam response messages as read. Thus, even if the legitimate Internet user connected to his electronic mailbox, no trace of piracy appeared.

Double authentication, always better than nothing

It is difficult to describe the scheme of this scam as very complex. Especially since the original phishing e-mail (the one that redirected to the fraudulent login page) sometimes suffered from formatting problems and asked to download an MP3 file supposedly deposited on the victim’s professional e-mail box. Not enough to mislead Internet users experienced in this kind of attack. But the simplicity of this scam, combined with the fact that the system is able to circumvent double authentication mechanisms, is a bitter reminder that no computer device is inviolable.

However, double authentication remains essential security for anyone wishing to protect their personal data. But it does not protect against the everyday problems of inattention that affect us all.

Advertising, your content continues below

Advertising, your content continues below

Leave a Comment