Microsoft published a report detailing phishing attacks that have targeted more than ten thousand organizations since September 2021. The report shows that the attackers mostly use adversary-in-the-middle (abbreviated: AiTM) reverse proxies to capture credentials and session data.
About Phishing in 2020–2021
Phishing, or sending fake emails that impersonate a trusted entity in order to steal data, remains one of the most “popular” forms of cyber attack. Microsoft's 2021 report shows that attacks became more sophisticated and complex during 2020, when e-commerce and remote work became the top trends due to the pandemic. The attackers targeted large companies with many affiliates and partners in order to spread malicious software as widely as possible. The chart published by Microsoft shows that cybercriminals focused on breaking into the systems of:
- Retail — 13%
- Financial and insurance institutions — 12%
- Manufacturing enterprises — 12%
- Governmental centers — 11%
- Healthcare systems — 9%
- Education — 7%
- Professional services — 7%
- Telecom — 6%
- Other targets, including media, real estate, and the energy sector.
2022 Phishing Issue
Attackers have attempted more than 10,000 attacks since September 2021, and Microsoft published its report on July 12, 2022. The company states that cybercriminals use adversary-in-the-middle (AiTM) reverse proxies to mimic the Office 365 login flow, so the victim completes the multi-factor authentication (abbreviated: MFA) prompt through the attacker's page.
The attackers then use the captured details to sign in to the genuine site, and they secure that access by stealing the session cookie. They persist by creating inbox rules on the compromised accounts, so they can keep using the mailbox even after the victim changes their passwords everywhere.
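The observable trace of the cookie theft described above is a session that completes its sign-in from one IP address (the proxy's) and is then used from a different one. The following Python detector, added here as an illustration and not taken from the Microsoft report, flags that pattern. The event records and their field names are constructed for this example and are not any product's real log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Field names are assumptions
# for this example, not a real product's schema. Alice completes MFA through an
# AiTM proxy (so the sign-in IP is the proxy's) and the stolen session cookie is
# then replayed from a second IP. Bob's session stays on one IP throughout.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00Z", "user": "alice@example.test", "session": "s-1001",
     "ip": "203.0.113.10", "event": "signin", "mfa": True},
    {"ts": "2022-07-12T09:03:00Z", "user": "alice@example.test", "session": "s-1001",
     "ip": "198.51.100.7", "event": "mailbox_access"},
    {"ts": "2022-07-12T09:04:00Z", "user": "alice@example.test", "session": "s-1001",
     "ip": "198.51.100.7", "event": "inbox_rule_created"},
    {"ts": "2022-07-12T10:00:00Z", "user": "bob@example.test", "session": "s-2002",
     "ip": "192.0.2.55", "event": "signin", "mfa": True},
    {"ts": "2022-07-12T10:30:00Z", "user": "bob@example.test", "session": "s-2002",
     "ip": "192.0.2.55", "event": "mailbox_access"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_ip_changes(events, window_minutes=60):
    """Flag sessions that were used from an IP other than their sign-in IP.

    A session cookie issued after an MFA sign-in from IP A and then presented
    from IP B shortly afterwards is what cookie replay looks like in the logs.
    Returns one alert per affected session.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["ts"]))
        signins = [e for e in session_events if e["event"] == "signin"]
        if not signins:
            continue  # a session without a sign-in record cannot be judged here
        origin = signins[0]
        origin_time = parse_ts(origin["ts"])
        foreign_ips = set()
        first_foreign = None
        for event in session_events:
            if event["ip"] == origin["ip"]:
                continue
            minutes = (parse_ts(event["ts"]) - origin_time).total_seconds() / 60
            if 0 <= minutes <= window_minutes:
                foreign_ips.add(event["ip"])
                if first_foreign is None:
                    first_foreign = (event["event"], int(minutes))
        if foreign_ips:
            alerts.append({
                "session": session_id,
                "user": origin["user"],
                "signin_ip": origin["ip"],
                "foreign_ips": sorted(foreign_ips),
                "first_foreign_event": first_foreign[0],
                "minutes_after_signin": first_foreign[1],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_ip_changes(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the sign-in IP should be compared on network, ASN or country rather than exact address, since legitimate mobile clients change addresses too; the exact-match version above keeps the logic easy to read.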
Microsoft consolidated the information about these attacks, and the report explains how the criminals operate. Here is one instance:
Phase 1: Attackers sent an email with an HTML file attachment to numerous organizations. Many of these emails claimed that the recipient had a voice message.
When the recipient clicked to download the voice message, they were redirected to a page saying that the download was in progress. The progress bar was fake (hardcoded in the HTML), and there was no audio.
Phase 2: The redirector acted as a gatekeeper, checking that the user had arrived from the original HTML attachment. The user then saw a fake login page (usually a Microsoft one) that requested their credentials. These pages sometimes even mimicked the organization's real sign-in page when the organization had added its branding to Azure AD.
Phase 3: Post-breach. Attackers hijacked the account within five minutes and started committing fraud.
Phase 4: Finding new victims. The criminals searched the mailbox for emails containing financial information. After finding a relevant thread, they created inbox rules to reduce the chance of the real account owner noticing suspicious activity: every new email from the new target was moved to the archive and marked as read, and new threads were deleted.
Phase 5: Communicating with the target directly. Some fraudsters corresponded with several companies at once, sometimes impersonating real business contacts for days. They deleted the emails so that the account owner saw nothing. When the attacker started emailing a new target, they set the same rules (see Phase 4) for that company.
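The inbox rules from Phase 4 leave an audit trail, and the combination of traits (mark as read, move to a rarely viewed folder, delete, filter on financial subjects) is what a defender can look for. The following Python example, added here and not part of the report, scores inbox-rule audit records on those traits. The record layout loosely follows the Operation plus Parameters list seen in mailbox audit records, but it and the sample records are constructed assumptions for this example.

```python
# Constructed sample records (not real audit data). The layout is an assumption
# for this example: one dict per audited operation with a list of Name/Value
# parameters, similar in spirit to mailbox audit records but not a real schema.
SAMPLE_RECORDS = [
    {   # rule created from the attacker's IP: hides and pre-reads finance mail
        "UserId": "alice@example.test",
        "Operation": "New-InboxRule",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Cleanup"},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
            {"Name": "MoveToFolder", "Value": "Archive"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # ordinary user housekeeping rule
        "UserId": "bob@example.test",
        "Operation": "New-InboxRule",
        "ClientIP": "192.0.2.55",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example.test"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {   # unrelated operation: must be ignored by the rule scorer
        "UserId": "alice@example.test",
        "Operation": "MailItemsAccessed",
        "ClientIP": "198.51.100.7",
        "Parameters": [],
    },
]

# Subject words that the report's Phase 4 targets: threads about money.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders a user rarely opens, so moving mail there hides it effectively.
HIDING_FOLDERS = {"archive", "rss subscriptions", "junk email",
                  "deleted items", "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def rule_parameters(record):
    """Flatten the Name/Value parameter list of a record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_reasons(record):
    """Return the suspicious traits of one inbox-rule record (empty if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons = []
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching messages as read")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{folder}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    words = {w.strip().lower()
             for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = sorted(words & FINANCE_KEYWORDS)
    if hits:
        reasons.append("filters on financial keywords: " + ", ".join(hits))
    return reasons


def find_suspicious_rules(records, min_reasons=2):
    """Return rule records that show at least min_reasons suspicious traits.

    Requiring two traits keeps a single 'move to Archive' housekeeping rule
    from firing while still catching the hide-and-pre-read combination.
    """
    findings = []
    for record in records:
        reasons = rule_reasons(record)
        if len(reasons) >= min_reasons:
            findings.append({
                "user": record["UserId"],
                "client_ip": record.get("ClientIP"),
                "rule_name": rule_parameters(record).get("Name", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RECORDS):
        print(finding)
```

Pairing each finding with the ClientIP lets an analyst correlate the rule creation with the sign-in that preceded it, which is where the five-minute window from Phase 3 becomes visible.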
Is There a Solution if MFA Might Not Help?
Businesses and organizations recognize that multi-factor authentication is a necessity today, and it objectively is. It is a solid shield against unwanted onlookers. Yet when criminals see an obstacle, they treat it as a challenge rather than a problem, so the AiTM reverse proxy tactic emerged precisely because MFA became the standard protection. Microsoft highlights that MFA remains a practical and effective tool for preventing confidentiality issues and breaches. But the company also recommends:
- Turning on conditional access policies;
- Investing in modern anti-phishing solutions, for instance using the browser to identify and block malicious websites (phishing campaigns depend on them). Microsoft's advanced systems can also detect when a VPN is used during authentication;
- Continuously monitoring for anomalous activity.