A massive phishing campaign has been targeting Office 365 users since September 2021 and successfully bypassing MFA set up to protect the accounts.
The attackers use proxy servers and phishing websites to steal users' passwords and session cookies, with the ultimate goal of financial fraud.
The attackers start by sending phishing emails to multiple recipients in different organizations. The emails are usually fake notifications about a missed phone call and urge the recipient to download the attached file to listen to the recorded voice message; opening it redirects the recipient to a spoofed Office Online authentication page that has been pre-populated with the target's email address.
The phishing site proxies the organization's Azure Active Directory sign-in page, which is typically login.microsoftonline.com. If the organization has configured its Azure AD tenant to include its branding, the phishing site's landing page contains the same branding elements.
Once the attackers have access to the compromised email accounts, they search for finance-related emails and email threads, reply to them and attempt to defraud the party on the other side. To hide this activity from the owner of the mailbox, they create inbox rules that hide the replies.
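As an added defender's example (not part of the original article), the following Python check runs over constructed Exchange Online audit-style records and flags newly created or modified inbox rules that delete, mark as read or file away finance-related mail, the kind of rule used to hide replies in this campaign. The parameter names follow the New-InboxRule/Set-InboxRule cmdlets; the record shape and every sample value are constructed here for illustration.

```python
import json

# Constructed sample events shaped like Exchange Online audit records for inbox
# rule creation/modification (Operation + Parameters list); all values are made up.
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.test", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.test", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor.test"},
                               {"Name": "MoveToFolder", "Value": "alice@example.test:\\Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@example.test", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "FromAddressContainsWords", "Value": "bank"},
                               {"Name": "MoveToFolder", "Value": "bob@example.test:\\RSS Subscriptions"}]}),
]

FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "transfer", "iban"}
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}

def analyze_rule_event(event):
    # Returns the reasons an inbox-rule event looks like reply hiding, or [] if it looks benign.
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in event.get("Parameters", [])}
    actions = HIDING_ACTIONS & {k for k, v in p.items() if v.lower() not in ("false", "")}
    if not actions:
        return []
    reasons = []
    words = {w.strip().lower() for k in KEYWORD_PARAMS & p.keys() for w in p[k].split(";")}
    hits = words & FINANCE_TERMS
    if hits:
        reasons.append(f"finance keywords {sorted(hits)} matched by {sorted(actions)}")
    # MoveToFolder values carry a 'mailbox:\Folder' prefix; keep only the folder name.
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].lower()
    if folder in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves matching mail to rarely viewed folder '{folder}'")
    name = p.get("Name")
    if name is not None and not name.strip(". _-"):
        reasons.append(f"rule name {name!r} is empty or punctuation only")
    return reasons

def scan(lines):
    # (user, client IP, reasons) for every suspicious rule event among the JSON log lines
    events = [json.loads(line) for line in lines]
    scored = [(e, analyze_rule_event(e)) for e in events]
    return [(e["UserId"], e["ClientIP"], r) for e, r in scored if r]
```

Running `scan(SAMPLE_EVENTS)` flags the cfo and bob rules and leaves alice's newsletter filter alone; in practice the input would be the exported audit log filtered to inbox-rule operations.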
Using any form of MFA is better than not using it at all, though some ways of delivering authentication factors are safer than others. There exist ways to bypass MFA, and attackers are trying them all: rogue apps, legacy authentication protocols, spamming a target user with MFA prompts, and others.
The attackers behind this campaign are using the Evilginx2 phishing kit to stand up their adversary-in-the-middle infrastructure and achieve MFA-bypassing capability.