Updated 18/07/2022 with comments from Technical Director Ade Taylor.
Microsoft security researchers have discovered an active exploit which allows malicious actors to bypass MFA by stealing credentials AND session cookies from targeted users and replaying both to Microsoft cloud services (such as Office 365) sign-in pages. This leads to a Business Email Compromise (BEC). Microsoft estimate that more than 10,000 organisations have been targeted since September 2021, but the success rate is currently unknown. This attack is significant because it specifically bypasses the need for MFA, vastly increasing the number of users and organisations who are vulnerable.
This method of attack (MiTM or AiTM) is, of course, by no means new, and using it to read user session authentication cookies was proven as far back as 2018 (check out the first reference link at the bottom of this post for a great write-up from the time).
It follows, of course, that Microsoft’s services are far from the only ones to be vulnerable to such an attack – pretty much any application which sends a cookie for your browser to store post-authentication could be tricked into giving access to a malicious user if that cookie is captured and replayed.
One of the weaknesses of this compromise from an attacker’s point of view is that it only works if you use a registered domain and a legitimate (well, legitimate in the sense that it’s from a recognised CSA), SSL certificate. This means that once you start, you have a very small window before all of your infrastructure gets burned as security firms pick up on the obvious indicators of compromise associated with your attack, and you need to start again – simple enough but time consuming and annoying, and perhaps self-limiting in terms of the scale a single attacker can achieve.
Lastly, using a method of authentication which directly links you, the user, to the destination webserver / application regardless of intermediaries, brings almost copper-bottomed protection against this type of attack. Issuing users (perhaps even just those users at highest risk like M365 admins or execs) with U2F FIDO keys protects them completely where the application supports it, as there is an interrogation of the local USB key as the second factor. I know, I know – this has been shown to be theoretically breakable, but it requires an awful lot more work and almost total compromise of the end-point, by which time the attacker has what they wanted anyway and cookie replay is moot.
Ade Taylor, Technical Director, Secrutiny
Title of threat: Microsoft AiTM BEC / MFA cookie theft
Date threat first identified: July 12th, 2022 (active since September 2021)
Risk Severity: Critical – 9/10
- Threat actors use a phishing campaign based on Evilginx2 framework
- Victims provide credentials to a fake MS 365 authentication site
- The attack code instantiates a proxy to perform an Attacker In The Middle (AiTM) attack
- The victim’s MS authentication cookie is read and copied
- Stolen credentials, together with the stolen cookie, are replayed to the genuine MS 365 authentication portal
- BEC active
Risk to the customer
A successful BEC using this technique allows an attacker to gain access to confidential mailboxes, and, depending on the permissions of the compromised user, potentially to administrative functions.
What you need to do
There are a number of ways to reduce or mitigate the risk of this attack:
- Enforce conditional access policies so that only authorised devices or networks can connect to MS services.
- Ensure anti-phishing platforms are in place and updated (MS have published a list of known IoCs here).
- Windows Defender customers have a degree of AiTM protection built-in – these customers should check that their Defender definitions are up to date.
What Secrutiny are doing
Our SecDevOps and SOC teams are creating rules to detect this exploit based on the provided IoCs and on correlation of events from various sources to indicate anomalous authentication. We will be carrying out threat hunting using these rules for all of our customers in the coming hours.
For any further questions, please feel free to contact us.
External supporting references: