Researchers have discovered a worrying new phishing campaign that gives attackers access to user data without actually needing the victim’s password.
This new hack uses the OAuth2 framework & the OpenID Connect protocol to access user data, bypassing 2FA.
According to a blog post by Cofense, the technique uses the OAuth2 framework & the OpenID Connect (OIDC) protocol to access user data.
Cofense researcher Elmer Hernandez cautioned that these attacks are not “a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.”
Microsoft Office 365
The phishing email is crafted to resemble a normal invitation to a SharePoint-hosted file about a ‘possible bonus’. This then leads to what appears to be a Microsoft Office 365 login page at https://login.microsoftonline.com. The URL requests consent for an application to access & copy the user’s contacts, which are then sent to a domain apparently based in Bulgaria.
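As an added illustration (not part of the article or of Cofense’s research), the check below parses a Microsoft identity platform v2.0 authorize URL and flags the consent-phishing pattern described above: a genuine login.microsoftonline.com host whose query string asks the user to grant an unvetted application mail and contacts permissions. The scope names are real Microsoft Graph delegated permissions; the allowlists, client IDs and sample URL are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Delegated Microsoft Graph permissions that hand an app the mailbox, contact and
# file access described in the article (constructed policy list for this example).
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "contacts.read",
                    "contacts.readwrite", "files.read.all", "offline_access"}
# Hypothetical tenant allowlists: vetted application IDs and redirect hosts.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
APPROVED_REDIRECT_HOSTS = {"intranet.example.com"}

def analyze_authorize_url(url: str) -> dict:
    """Inspect an OAuth2/OIDC v2.0 authorize URL and report consent-phishing risk.

    A genuine login.microsoftonline.com host is not evidence of safety: the
    query string carries the consent request for the (possibly rogue) app.
    """
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    result = {"is_consent_request": False, "scopes": [], "findings": [], "verdict": "allow"}
    on_ms_login = parsed.netloc.lower() == "login.microsoftonline.com"
    if not (on_ms_login and parsed.path.lower().endswith("/oauth2/v2.0/authorize")):
        return result  # not a v2.0 authorize request; nothing to judge here
    result["is_consent_request"] = True
    scopes = sorted(s.lower() for s in params.get("scope", "").split())
    result["scopes"] = scopes
    risky = [s for s in scopes if s in SENSITIVE_SCOPES]
    if risky:
        result["findings"].append("sensitive delegated scopes: " + ", ".join(risky))
    client_id = params.get("client_id", "")
    if client_id not in APPROVED_CLIENT_IDS:
        result["findings"].append(f"unapproved client_id: {client_id or '<missing>'}")
    redirect_host = urlparse(params.get("redirect_uri", "")).netloc.lower()
    if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
        result["findings"].append(f"redirect_uri host not allowlisted: {redirect_host}")
    n = len(result["findings"])
    result["verdict"] = "block" if n >= 2 else ("review" if n == 1 else "allow")
    return result

# Constructed sample in the shape of the lure described above: genuine login host,
# but the query asks the user to consent to an unknown app reading contacts and mail.
SAMPLE_LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
               "&redirect_uri=https%3A%2F%2Fsharepoint-bonus.example.invalid%2Fcb"
               "&scope=openid%20offline_access%20Contacts.Read%20Mail.Read")

if __name__ == "__main__":
    report = analyze_authorize_url(SAMPLE_LURE)
    print(report["verdict"], report["findings"])
```

A mail gateway or URL-rewriting proxy can run this on every login.microsoftonline.com link; a “block” verdict is the case the article describes, where MFA on the login itself does not help because the user is asked to consent, not to authenticate.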
“If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom,” comments Hernandez.
“The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.”
Niamh Muldoon, Senior Director of Trust & Security EMEA at OneLogin, explained that this new form of assault clearly reveals that multi-factor authentication by itself is, unfortunately, insufficient to fully protect against these sophisticated phishing attacks, & that it now appears even traditional forms of two-factor authentication can be compromised.
“Multi-factor authentication using the ‘something you are’ component, biometrics, reduces this risk. Leaders in the Digital Identity space are using AI to model user behaviours for access to systems & data; if a user’s risk profile changes, then so does their authentication mechanism, along with their ability to execute privileges. This makes it more complex and difficult for malicious attackers to be successful in gaining access,” she counselled.
Daniel Conrad, Field Strategist at One Identity, added that this is a ‘very well-crafted’ phish, as it “front ends” O365 with a malicious SharePoint site. When the user authenticates to O365, it grants this site access to the user’s data. This goes well beyond simply obtaining a user’s password & possibly moving laterally or elevating privilege.
“From an attacker’s perspective, this type of effort would be used for specific targets, aka ‘whaling’, where they would attempt to get specific account information from specific, high-level users.
It is a bit like a ‘man-in-the-middle’ but for O365. Once fully authenticated, they would have access to anything stored on the O365 platform such as corporate email, contacts, OneDrive, etc., which they can take and hold for ransom or use maliciously,” he concluded.