Microsoft's security team reports that it has discovered a large-scale phishing campaign that is notably able to bypass two-factor authentication. Specifically, it uses HTTPS proxy techniques to hijack Office 365 accounts. In total, no fewer than 10,000 companies have been affected.
In recent years, phishing has become one of attackers' favourite methods. Easy to set up, able to reach a maximum of potential victims and highly lucrative, phishing campaigns are an ideal weapon for criminals.
Attackers also no longer hesitate to target users of public institutions and well-known companies such as URSSAF, Mon Espace Santé or the delivery company DHL. On Thursday, July 14, 2022, Microsoft published on its security blog an account of a large-scale phishing campaign that is said to have affected more than 10,000 companies worldwide since it was launched in September 2021.
According to the Redmond company's security researchers, this huge campaign used HTTPS proxy techniques to hijack Office 365 accounts, with the aim of compromising business email. Once in control of these professional mailboxes, the attackers contacted the customers and partners of the affected companies to obtain fraudulent payments. This scheme is known as BEC (Business Email Compromise).
A phishing campaign that bypasses 2FA
The modus operandi is as follows: the attackers send malicious emails carrying an HTML attachment. Opening it redirects the victim to a fake Office 365 login portal. This is where the campaign differs from a classic phishing operation: the user's email address is encoded in the URL of the redirect page and is then used to pre-populate the username field of the phishing page.
From there, the phishing site acts as a proxy between the victim and the legitimate Office 365 site: it forwards the credentials the user types to the real login page and relays the genuine two-factor authentication prompt back to the victim. In this way the attackers capture not only the password but also the session cookie issued once the second factor has been accepted. That last element is the important one: the cookie keeps the session signed in, so whoever holds it can use the account without re-authenticating.
This is how the attackers gain control of the victim's entire work mailbox and have a free hand to send emails to employees, customers and business partners in the hope of obtaining a fraudulent payment.
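To make the relay concrete, here is an added Python simulation of the exchange described above; it is not code from the article or from Microsoft's report. It models the three parties in a single process with no network: a toy identity provider standing in for the Office 365 sign-in page, an adversary-in-the-middle proxy that forwards each message unchanged and records what passes through, and the victim's browser following the lure. The hostnames, the account details, the base64 encoding of the address in the lure URL and the simplified one-time-code scheme are all assumptions; none of the real campaign's infrastructure or identifiers is reproduced. The last part goes slightly beyond the article: it shows why an origin-bound second factor (FIDO2/WebAuthn-style) cannot be relayed the same way, because the signature covers the origin the browser actually saw.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

PHISH_ORIGIN = "https://login.example-phish.test"  # hypothetical attacker host
REAL_ORIGIN = "https://login.example-idp.test"     # stands in for the real portal
# 1. The lure: the address travels in the redirect URL and pre-fills the fake form.
#    Base64 is an assumption; the article only says "encoded".
def build_lure_url(email: str) -> str:
    token = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    return f"{PHISH_ORIGIN}/?{urlencode({'u': token})}"

def prefill_from_url(url: str) -> str:
    token = parse_qs(urlparse(url).query)["u"][0]
    token += "=" * (-len(token) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(token).decode()

def otp_code(secret: bytes, now: int) -> str:
    """Simplified 30-second one-time code (deterministic stand-in, not RFC 6238)."""
    mac = hmac.new(secret, str(now // 30).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

# 2. Toy identity provider standing in for the real Office 365 sign-in:
#    password, then one-time code, then a session cookie.
@dataclass
class IdentityProvider:
    users: dict                                   # email -> (password, otp_secret)
    pending: dict = field(default_factory=dict)   # login_id -> email
    sessions: dict = field(default_factory=dict)  # cookie value -> email

    def login(self, email: str, password: str) -> dict:
        stored = self.users.get(email)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return {"status": "denied"}
        login_id = secrets.token_hex(8)
        self.pending[login_id] = email
        return {"status": "mfa_required", "login_id": login_id}

    def verify_otp(self, login_id: str, code: str, now: int) -> dict:
        email = self.pending.pop(login_id, None)
        if email is None or not hmac.compare_digest(code, otp_code(self.users[email][1], now)):
            return {"status": "denied"}
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = email
        return {"status": "ok", "set_cookie": f"session={cookie}"}

    def mailbox(self, cookie_header: str) -> dict:
        """Later requests need only the cookie: no password, no second factor."""
        email = self.sessions.get(cookie_header.split("=", 1)[1])
        return {"status": "ok", "owner": email} if email else {"status": "denied"}

# 3. The AiTM proxy: forwards every message to the real provider unchanged and
#    records what passes through, including the Set-Cookie from the MFA step.
@dataclass
class AitmProxy:
    upstream: IdentityProvider
    captured: dict = field(default_factory=dict)

    def login(self, email: str, password: str) -> dict:
        self.captured.update(email=email, password=password)
        return self.upstream.login(email, password)

    def verify_otp(self, login_id: str, code: str, now: int) -> dict:
        resp = self.upstream.verify_otp(login_id, code, now)
        if resp["status"] == "ok":
            self.captured["cookie"] = resp["set_cookie"]  # the actual prize
        return resp                                       # victim sees success

def victim_signs_in(site, email: str, password: str, otp_secret: bytes, now: int) -> dict:
    # The victim's browser talking to whatever `site` the lure pointed at.
    r1 = site.login(email, password)
    return site.verify_otp(r1["login_id"], otp_code(otp_secret, now), now)

def run_attack(now: int = 1_700_000_000) -> dict:
    # Constructed account; nothing here comes from the campaign itself.
    email, password, otp_secret = "alice@example.test", "Correct-Horse", b"otp-seed"
    idp = IdentityProvider({email: (password, otp_secret)})
    proxy = AitmProxy(idp)
    prefilled = prefill_from_url(build_lure_url(email))  # what the fake form shows
    victim = victim_signs_in(proxy, prefilled, password, otp_secret, now)
    replay = idp.mailbox(proxy.captured["cookie"])       # attacker alone, no MFA
    return {"victim_saw": victim["status"], "prefilled": prefilled,
            "captured": proxy.captured, "attacker_mailbox": replay}

# 4. Why an origin-bound factor (FIDO2/WebAuthn-style) is not relayable: the
#    authenticator signs the origin the browser really sees and the provider
#    compares it with its own. HMAC stands in for the device key pair.
def origin_bound_assertion(key: bytes, challenge: bytes, seen_origin: str) -> bytes:
    return hmac.new(key, challenge + seen_origin.encode(), hashlib.sha256).digest()

def provider_accepts(key: bytes, challenge: bytes, assertion: bytes) -> bool:
    return hmac.compare_digest(origin_bound_assertion(key, challenge, REAL_ORIGIN), assertion)

def run_origin_bound(seen_origin: str) -> bool:
    key, challenge = b"device-key", secrets.token_bytes(16)
    return provider_accepts(key, challenge, origin_bound_assertion(key, challenge, seen_origin))
```

Calling run_attack() shows the victim getting a normal successful sign-in while the proxy ends up holding the password and the session cookie, and that cookie alone is enough to read the mailbox against the real provider. run_origin_bound(PHISH_ORIGIN) returns False because the provider verifies the assertion against its own origin, not the one the proxy presented to the browser, which is the property that makes this class of second factor resistant to relay.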