Microsoft Impersonation => Phishing + MFA Bypass

Quick Summary:

  • Platform: Office 365
  • Mailboxes: 2,500 to 5,000
  • Email Gateway: None
  • Email Security Bypassed: Microsoft ATP
  • Victims: IT Administrators
  • Payload: Link
  • Technique: Vendor Impersonation

What was the attack?

  • Setup: The attacker compromised an existing domain that did not have any bad reputation associated with it (e.g. The attacker then registered a new domain that sounded very similar to a Microsoft domain (e.g. .

  • Email Attack: The attacker sent emails from this domain with the subject line “Business Essentials Expired” and targeted employees at enterprise companies who worked in IT roles, specifically O365 or messaging administrators. The message tried to get the IT admin to click on the link to log in to the O365 admin portal.

  • Payload: The attacker set up a fake Microsoft login page where the user name was pre-populated based on a query string in the URL. The fake Microsoft login page would accept any password entered and would then send the victim to a second page to capture a 2FA credential that was entered by the victim (sent via SMS). Once the MFA code was captured, the victim was redirected to a real Microsoft error page (on a Microsoft-owned domain).

  • Result: When users were tricked by this workflow, the attacker was able to steal both the username / password and the 2FA code.

Why is this attack effective?

  • Safe Reputation: The attacker was able to bypass Microsoft EOP + ATP by using new or existing domains that had no negative reputation.
  • Urgency: The attacker was able to engage users because the targeted victims (IT admins) were used to seeing administrative emails; by using urgency and fear of potential downtime, attackers pushed their targets to act quickly and without giving the email much scrutiny.
  • Familiarity: The attacker customized the links in the email attack to include the user’s email address in the query string, which caused the fake Microsoft login page to have the username pre-populated (similar to what the user would expect if they went to the real version).
  • Unaware Victim: After the victim went through the authentication flow, they were sent to a real error page on the Microsoft domain, which hid the fact that their credentials were sent to the attacker rather than Microsoft, delaying the detection of compromise.
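
The Familiarity trait above leaves a detectable signal: a link that carries the recipient's own address in its query string to a host that is not a genuine Microsoft sign-in domain. The following detection sketch is an added example, not part of the original write-up; the trusted-host list, function names and sample URLs are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist of genuine Microsoft sign-in/admin hosts; adjust for your tenant.
TRUSTED_HOSTS = {"login.microsoftonline.com", "admin.microsoft.com", "portal.office.com"}

def _candidates(value):
    """Yield the query value as-is, then its base64 decoding when one exists."""
    yield value
    try:
        raw = value.replace(" ", "+")            # parse_qsl turns '+' into a space
        padded = raw + "=" * (-len(raw) % 4)     # restore stripped padding
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except ValueError:                           # not base64: nothing more to check
        return

def suspicious_links(recipient, urls, trusted=TRUSTED_HOSTS):
    """Return (url, reason) for links that send the recipient's address to an untrusted host."""
    needle = recipient.lower()
    hits = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in trusted:
            continue                             # real login pages also use login hints
        # parse_qsl percent-decodes values, so user%40corp.example is matched too
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if any(needle in c.lower() for c in _candidates(value)):
                hits.append((url, f"recipient address in '{key}' sent to untrusted host {host}"))
                break
    return hits

# Constructed sample data (reserved .example domains), not indicators from the incident.
RECIPIENT = "IT.Admin@corp.example"
ENCODED = base64.urlsafe_b64encode(b"it.admin@corp.example").decode()
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?login_hint=it.admin%40corp.example",
    "https://portal-renewal.example/signin?user=it.admin%40corp.example",
    "https://portal-renewal.example/signin?u=" + ENCODED,
    "https://news.example/article?id=42",
]

if __name__ == "__main__":
    for url, reason in suspicious_links(RECIPIENT, SAMPLE_URLS):
        print(f"FLAG {url}\n     {reason}")
```

A hit is a triage signal and not a verdict: legitimate marketing and SSO links also embed the recipient's address, so combine it with sender-domain age and subject-line checks before acting.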


Abnormal Attack Stories are real-world examples of attacks that we’ve seen in the wild.
