Security researchers have uncovered a new phishing campaign capable of bypassing multi-factor authentication (MFA) in Office 365 to access user data stored in the cloud.
The discovery was made by the Cofense Phishing Defense Center. The new phishing technique leverages the OAuth2 framework and the OpenID Connect (OIDC) protocol, and uses a malicious SharePoint link to trick users into granting permissions to a rogue application.
This campaign differs from a typical credential harvester: rather than stealing a password, it tricks users into granting permissions to the attacker's application, which is how it bypasses MFA.
In a blog post, Cofense researcher Elmer Hernandez explained how the phishing campaign leverages users themselves to access their data, saying:
“The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.”
The attackers try to lure victims into opening their phishing email, which mimics a normal invite to a SharePoint-hosted file, with the promise of a Q1 bonus.
After clicking on the link, users are taken to what appears to be the legitimate Microsoft Office 365 login page. However, after carefully inspecting the long-form URL, Cofense researchers found clues to its real intentions. Unlike security researchers, average users rarely take the time to inspect URLs, and most people wouldn't think twice about the fact that the URL of the web page used by the attackers is much longer than it should be.
Additional parameters in the fake URL show how the attacker can trick a victim into giving the rogue application permissions to their account. For instance, the redirect_uri parameter actually sends responses to a domain located in Sofia, Bulgaria and hosted by BelCloud.
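A defender-side check of the kind this warrants, added here as an example (not Cofense's code or anything from the original report): parse the OAuth2 authorization URL, flag a redirect_uri that points anywhere other than the expected Microsoft sign-in hosts, and flag requests for broad data scopes. The sample URL, client_id and redirect host below are constructed placeholders, and the allowlist is an assumption to be tuned per tenant.

```python
from urllib.parse import urlparse, parse_qs

# Hosts a first-party Microsoft sign-in is expected to redirect back to.
# Assumption: illustrative allowlist, not an exhaustive or official one.
TRUSTED_REDIRECT_HOSTS = {
    "login.microsoftonline.com", "login.live.com",
    "outlook.office.com", "portal.office.com",
}

# Delegated Microsoft Graph scopes that hand an app broad access to mail,
# files and contacts; an unknown app asking for these is the consent-phishing
# pattern described above. Compared case-insensitively.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite",
    "files.read.all", "files.readwrite.all", "contacts.read",
}

def inspect_authorize_url(url):
    """Return findings for an OAuth2 /authorize URL seen in an email or proxy log."""
    params = parse_qs(urlparse(url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    scopes = {s.lower() for s in params.get("scope", [""])[0].split()}
    findings = {
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "untrusted_redirect": redirect_host not in TRUSTED_REDIRECT_HOSTS,
        "risky_scopes": sorted(scopes & HIGH_RISK_SCOPES),
    }
    findings["suspicious"] = findings["untrusted_redirect"] or bool(findings["risky_scopes"])
    return findings

# Constructed sample: a consent-phishing style URL with a third-party redirect
# target and a request for mail and file access. All values are placeholders.
SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fattacker-example.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All"
    "&state=abc&nonce=xyz"
)

# Constructed sample: a benign-looking sign-in that redirects to a Microsoft host.
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.office.com%2F&scope=openid%20profile"
)

if __name__ == "__main__":
    print(inspect_authorize_url(SAMPLE_PHISH_URL))
    print(inspect_authorize_url(SAMPLE_BENIGN_URL))
```

The same check can be run over proxy or mail-gateway logs to surface consent prompts whose redirect target or scope set does not match what the tenant expects.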
If a user falls for this phishing scheme, an attacker could gain access to all of their emails and cloud-hosted documents. With this information in hand, the attacker could then use it to extort victims for a Bitcoin ransom or use their contact list to find other potentially susceptible targets.
Cybercriminals are constantly developing new techniques to bypass security solutions, and this new phishing campaign is not only clever but also quite dangerous. To avoid falling victim to this and other phishing attacks, users should exercise caution when opening emails or clicking on links sent from unknown sources. Also, if an email's subject seems too good to be true, it probably is.