Microsoft Credits Multifactor Authentication in Blocking Second-Stage Phishing Attacks

Microsoft explained last week that it is seeing multiphase phishing attacks being attempted that could succeed against organizations that haven't implemented multifactor authentication (MFA).

MFA is the use of a secondary means of verifying the identity of someone trying to access a network, beyond just a user name and password. Attackers are now taking advantage of networks that don't use MFA by using stolen credentials to join their own devices to the victim's network, setting the stage for further phishing attempts. Microsoft labels this scheme "evolved phishing."

"Evolved Phishing"
Attackers first try to steal credentials in an initial phishing attack in order to gain account privileges on a network. Once on the network, secondary phishing attacks begin. Attackers with e-mail account access can then send "intra-organizational emails" and external mails, extending the campaign.

In the first stage of the attack, victims receive an e-mail with a document attachment to click on. The attachment falsely claims to have DocuSign security protections. The attachment directs victims to a phishing website, where they enter their user names and passwords. At that point, an Exchange Online PowerShell script gets executed. It sets up blocks on the victim's incoming e-mails that contain language about phishing attempts and hacked accounts, so that the victim doesn't get alerted to the compromise.
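One defender-side check for the mailbox "blocks" described above, as an added example that is not part of Microsoft's announcement: it assumes the blocks were created as inbox rules, which the unified audit log records as New-InboxRule or Set-InboxRule operations with a Parameters list, and it scans constructed sample records for rules that both match phishing/hacked-account wording and hide the matching mail.

```python
import json

# Added example, not Microsoft's code. Audit record layout below (Operation, UserId,
# Parameters as Name/Value pairs) is an assumption; the sample records are constructed.
WARNING_WORDS = ("phish", "hacked", "compromised", "suspicious")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
HIDE_PARAMS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead")

def rule_params(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_suppression_rule(record):
    """True when the rule matches warning language and also hides the matching mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_params(record)
    keywords = [w.strip().lower()
                for key in KEYWORD_PARAMS
                for w in params.get(key, "").split(";") if w.strip()]
    hides = any(params.get(k) not in (None, "", "False") for k in HIDE_PARAMS)
    warns = any(mark in kw for kw in keywords for mark in WARNING_WORDS)
    return hides and warns

def find_suppression_rules(audit_lines):
    """Return (mailbox owner, rule name) for every suppression rule in JSON audit lines."""
    hits = []
    for line in audit_lines:
        rec = json.loads(line)
        if is_suppression_rule(rec):
            hits.append((rec["UserId"], rule_params(rec).get("Name", "?")))
    return hits

# Constructed audit records (not real telemetry): one malicious delete rule,
# one benign newsletter rule, one Set-InboxRule that only marks warnings as read.
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in (
    {"Operation": "New-InboxRule", "UserId": "victim@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;compromised"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "Updates"},
        {"Name": "BodyContainsWords", "Value": "Hacked account"},
        {"Name": "MarkAsRead", "Value": "True"}]},
)]

if __name__ == "__main__":
    for user, name in find_suppression_rules(SAMPLE_AUDIT_LINES):
        print(f"suspicious inbox rule {name!r} in mailbox {user}")
```

A rule named with a single character and a delete action, like the first sample record, is the pattern worth alerting on even when the keyword list is short.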

Microsoft found "over one hundred" mailboxes compromised in this way during its investigations.

The second stage of the attack takes advantage of the ability to register bring-your-own-device (BYOD) machines on a network using stolen credentials. In the cases investigated by Microsoft, Azure Active Directory was involved, but the scheme might have worked just as well if Microsoft Intune were used for identity and access management.

"Connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network," the announcement explained.

Microsoft Outlook was installed on these attacker machines joined to the network, and registration may have been eased "by simply accepting Outlook's first launch experience prompt to register the device by using the stolen credentials," Microsoft explained.

Use Multifactor Authentication
Microsoft contended that the use of MFA would have blocked such secondary phishing attacks, including the device registration process and the use of Outlook.

"Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," the announcement stated.

Microsoft described these kinds of attacks as mostly occurring in "Australia, Singapore, Indonesia, and Thailand," without describing exactly when they occurred.

Microsoft advises using MFA for protection. It also touted the Microsoft 365 Defender service as being capable of coordinating cross-domain signals to discover such attack campaigns, as well as Microsoft Defender for Endpoint for finding unmanaged devices accessing a network.

Also touted was Microsoft Defender for Office 365 for "post-delivery protection" and "outbound spam filter policies," plus Safe Links for the detection of "malicious URLs."

"Cyber Signals" and Low MFA Use
This week, Microsoft indicated that it has released a C-level-executive "cyber threat intelligence brief" called "Cyber Signals" (PDF download), which Microsoft is planning for quarterly distribution.

Identity is billed as prime attack territory in the current "Cyber Signals" brief, which draws its conclusions from "24 trillion daily security signals" collected over the last two months. MFA use can block the bulk of these types of attacks, but just 22 percent of Microsoft's Azure Active Directory customers are using it, according to Vasu Jakkal, corporate vice president for security, compliance and identity at Microsoft:

While threats have been rising fast over the past two years, there has been low adoption of strong identity authentication, such as multifactor authentication (MFA) and passwordless solutions. For example, our research shows that across industries, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft's Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021.

Jakkal didn't offer an explanation about why MFA use was so low, however.

Microsoft also this week announced other security information resources for C-level executives. An "Uncovering Hidden Risks" podcast is said to be launching in its third season in March. There are ongoing "Security Unlocked" podcasts that feature talks from security luminaries at Microsoft as well.

Microsoft also this week touted Azure Firewall Premium to ward off ransomware attacks. Azure Firewall Premium can detect and prevent intrusions by attackers, and it also has packet-inspection capabilities, Microsoft contended.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
