Microsoft IT security teams claim to have discovered a large-scale phishing campaign, capable in particular of circumventing two-factor authentication. Specifically, it uses HTTPS proxy techniques to hijack Office 365 accounts. In total, no less than 10,000 companies have been affected.
In recent years, phishing has become one of the favorite methods of hackers. Easy to set up, able to reach a maximum of potential victims and offering high returns, phishing campaigns represent an ideal weapon for hackers.
Moreover, they no longer hesitate to impersonate public institutions and well-known companies such as URSSAF, Mon Espace Santé or the delivery company DHL. On this Thursday, July 14, 2022, Microsoft has just published on its security blog details about a large-scale phishing campaign that is said to have affected more than 10,000 companies worldwide since its launch in September 2021.
According to the statements of computer security researchers from the Redmond firm, this vast campaign used HTTPS proxy techniques to hijack Office 365 accounts. The goal is to compromise professional email accounts. Once in possession of these professional mailboxes, the hackers contacted the customers and partners of these companies in order to obtain fraudulent payments. This technique is called BEC, for Business Email Compromise.
A phishing campaign that ignores 2FA
The modus operandi is as follows: hackers send malicious emails containing malicious HTML attachments. Opening the attachment redirects victims to fake Office 365 login portals. This is where this phishing campaign differs from a classic phishing operation: the user’s email address is encoded in the URL of the redirect page, and it is then used to pre-populate the login field on the phishing page.
From there, the phishing page acts as a proxy between the victim and the legitimate Office 365 site: it captures the credentials entered by the user and relays them to the legitimate site, while displaying the site's two-factor authentication prompt to the victim. Through this method, the hackers were able to recover the login password as well as the session cookie. This last element is essential, since it allows the holder to remain signed in without having to authenticate again for the duration of the session.
That is how the hackers gain control of the victim’s entire work mailbox and have a free hand to send emails to employees, customers and business partners, in the hope of obtaining a fraudulent payment.
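The session cookie is the element that makes the two-factor prompt irrelevant: once it is replayed from the attacker's infrastructure, the service sees a valid, already-authenticated session. The following is an added detection example, not code from the article or from Microsoft: it runs over a handful of constructed sign-in and mailbox-activity log lines (the field names `sid`, `ip`, `ua`, `event` and `mfa` are assumptions made for the example) and flags any session that is used from a client different from the one that completed the interactive sign-in, which is exactly what a replayed cookie looks like in telemetry.

```python
"""Detect replay of a stolen session cookie in sign-in/activity logs.

A session id that completes MFA from one IP and user agent and is then
used from another is the signature of a session hijack: the service
accepted the cookie, so no second MFA prompt was ever shown.
"""
from datetime import datetime

# Constructed sample events (not taken from the article). Alice's session
# s1 is created by a normal MFA sign-in, then reused from a different IP
# and a scripted client; Bob's session s2 is only ever used by its owner.
SAMPLE_EVENTS = [
    "2022-07-14T09:00:05Z user=alice@example.test sid=s1 ip=203.0.113.10 ua=Edge/103 event=signin mfa=satisfied",
    "2022-07-14T09:01:10Z user=alice@example.test sid=s1 ip=203.0.113.10 ua=Edge/103 event=mailbox.read",
    "2022-07-14T09:03:42Z user=alice@example.test sid=s1 ip=198.51.100.77 ua=python-requests/2.28 event=mailbox.read",
    "2022-07-14T09:04:01Z user=alice@example.test sid=s1 ip=198.51.100.77 ua=python-requests/2.28 event=inboxrule.create",
    "2022-07-14T09:10:00Z user=bob@example.test sid=s2 ip=203.0.113.20 ua=Edge/103 event=signin mfa=satisfied",
    "2022-07-14T09:12:00Z user=bob@example.test sid=s2 ip=203.0.113.20 ua=Edge/103 event=mailbox.read",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_session_replays(lines):
    """Return one alert per activity event whose session id is used from a
    different IP or user agent than the sign-in that created it.

    Sessions that appear without any observed sign-in are also reported,
    since a cookie minted on attacker infrastructure may never produce a
    sign-in record on the tenant the defender is watching.
    """
    origin = {}   # sid -> the interactive sign-in event that created it
    alerts = []
    for event in map(parse_event, lines):
        sid = event["sid"]
        if event.get("event") == "signin":
            origin[sid] = event
            continue
        signin = origin.get(sid)
        if signin is None:
            alerts.append({"user": event["user"], "sid": sid, "event": event["event"],
                           "ip": event["ip"], "ua": event["ua"],
                           "reason": "session used without an observed sign-in"})
            continue
        if event["ip"] != signin["ip"] or event["ua"] != signin["ua"]:
            minutes = (event["ts"] - signin["ts"]).total_seconds() / 60
            alerts.append({"user": event["user"], "sid": sid, "event": event["event"],
                           "ip": event["ip"], "ua": event["ua"],
                           "minutes_since_signin": round(minutes, 1),
                           "reason": "session reused from a different client than the MFA sign-in"})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector produces two alerts, both for Alice's session s1: the first mailbox read from the new address a few minutes after sign-in, and the creation of an inbox rule from the same client, a common follow-on action in BEC intrusions. Bob's session produces nothing, because every use matches the client that satisfied MFA.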