Man-in-the-Middle Phishing Attack
Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication:
Microsoft observed a campaign that inserted an attacker-controlled proxy site between account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server’s response back to the user. Once authentication was complete, the threat actor stole the session cookie the legitimate site set, the token that lets the user avoid reauthenticating at every new page visited; whoever holds that cookie is treated by the server as the already-authenticated user, so the second factor never has to be repeated. The campaign began with a phishing email with an HTML attachment leading to the proxy server.
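The flow above in miniature, as an added example that is not code from the original post or from Microsoft's report: a proxy relays whatever the victim submits to the real site and keeps the cookie the site hands back. With a TOTP code as the second factor the replayed cookie works, because the code only proves that *some* connection was authenticated. The same script then shows why an origin-bound factor (FIDO2/WebAuthn-style) does not relay: the victim's browser signs the origin it is actually on, the proxy's, and the real site rejects any assertion whose signed origin is not its own. The origins, secrets and the HMAC stand-in for an authenticator's signature are constructed assumptions so it runs offline.

```python
"""Toy model of an adversary-in-the-middle (AiTM) phishing proxy.

Added illustration, not code from the original post or from Microsoft's report.
Origins, secrets and the HMAC-based stand-in for a FIDO2 authenticator are
constructed assumptions chosen so the script runs offline.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"    # hypothetical legitimate sign-in page
PROXY_ORIGIN = "https://login-example.evil"  # hypothetical attacker-controlled proxy


def totp_code(secret: bytes, time_step: int) -> str:
    """Simplified TOTP: six digits derived from a shared secret and a time step."""
    mac = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Authenticator:
    """Origin-bound authenticator. The browser, not the user, fills in the origin
    it is on, and that origin is covered by the signature. An HMAC stands in for
    the public-key signature a real FIDO2 authenticator would produce."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, origin: str, challenge: str) -> dict:
        sig = hmac.new(self.key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()
        return {"origin": origin, "challenge": challenge, "sig": sig}


class Server:
    """The legitimate site. Issues a bearer session cookie after a successful login."""

    def __init__(self, password: str, totp_secret: bytes, authenticator: Authenticator):
        self.password = password
        self.totp_secret = totp_secret
        self.registered_key = authenticator.key  # credential registered at enrolment
        self.sessions: set[str] = set()
        self.challenges: set[str] = set()

    def _issue_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_totp(self, password: str, code: str, time_step: int):
        """Authenticates the connection only: whoever presents a fresh code gets a cookie."""
        expected = totp_code(self.totp_secret, time_step)
        if password == self.password and hmac.compare_digest(code, expected):
            return self._issue_session()
        return None

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, password: str, assertion: dict):
        """Verifies the signature AND that the signed origin is this site's own."""
        if password != self.password or assertion["challenge"] not in self.challenges:
            return None
        self.challenges.discard(assertion["challenge"])  # one-time use
        msg = f"{assertion['origin']}|{assertion['challenge']}".encode()
        expected = hmac.new(self.registered_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        if assertion["origin"] != REAL_ORIGIN:  # the check that defeats the proxy
            return None
        return self._issue_session()

    def is_valid_session(self, cookie: str) -> bool:
        return cookie in self.sessions


class PhishingProxy:
    """Sits between victim and server, relays every message and keeps any cookie."""

    def __init__(self, server: Server):
        self.server = server
        self.stolen_cookies: list[str] = []

    def _capture(self, cookie) -> bool:
        if cookie is not None:
            self.stolen_cookies.append(cookie)
        return cookie is not None  # the victim only ever sees "login succeeded"

    def relay_totp(self, password: str, code: str, time_step: int) -> bool:
        return self._capture(self.server.login_totp(password, code, time_step))

    def relay_webauthn(self, password: str, assertion: dict) -> bool:
        return self._capture(self.server.login_webauthn(password, assertion))


def aitm_against_totp() -> bool:
    """Victim types password + TOTP code into the proxy page. True if the attacker
    ends up holding a cookie the real server accepts."""
    secret = secrets.token_bytes(20)
    server = Server("hunter2", secret, Authenticator())
    proxy = PhishingProxy(server)
    proxy.relay_totp("hunter2", totp_code(secret, 1000), 1000)
    return bool(proxy.stolen_cookies) and server.is_valid_session(proxy.stolen_cookies[0])


def aitm_against_webauthn() -> bool:
    """Same phish with an origin-bound second factor. True only if the attacker
    obtains a session, either by relaying the assertion or by editing its origin."""
    device = Authenticator()
    server = Server("hunter2", secrets.token_bytes(20), device)
    proxy = PhishingProxy(server)
    # Ceremony 1: relay as-is. Browser signed PROXY_ORIGIN, so the server rejects it.
    assertion = device.sign(PROXY_ORIGIN, server.new_challenge())
    relayed_ok = proxy.relay_webauthn("hunter2", assertion)
    # Ceremony 2: attacker rewrites the origin field; the signature no longer verifies.
    tampered = dict(device.sign(PROXY_ORIGIN, server.new_challenge()), origin=REAL_ORIGIN)
    tampered_ok = proxy.relay_webauthn("hunter2", tampered)
    return relayed_ok or tampered_ok or bool(proxy.stolen_cookies)
```

The important detail is in `Server.login_webauthn`: rejecting the assertion is not a property of the cookie or of the proxy, it is the origin check. Push notifications, SMS and TOTP codes all lack that binding, which is why a transparent proxy relays them unchanged. Note the cookie in `login_totp` is still a plain bearer token once issued; binding it to the client (device certificates, token-binding style schemes) is a separate mitigation this model does not include.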
Clive Robinson • August 25, 2022 8:50 AM
@ ALL,
Re : Sour wine in new bottles.
This problem is an old one and is not likely to go away any time soon, because of one or more of,
1, Laziness.
2, Stupidity.
3, Poor business choices.
4, Failing to learn from history.
So a little ICT History,
Back in the early days of Online Banking they
“Authenticated the connection not the transaction.”
With the result that people had things of value stolen.
Well even though 2FA is being used, it’s only being used to,
“Authenticate the connection”
Because of stupidity, laziness, or poor business choices, or all three, Microsoft are not,
“Authenticating the transaction”
Just checking for an unchanging session ticket. Which back in the early days of the Web were easily stolen due to the way POST or GET methods worked.
Seriously folks, this is in reality a three-decade-old attack method, with just a couple of wrinkles to get around HTTPS usage.
In short,
1, Utterly Predictable
2, Is a known attack method
3, Has happened to MS before
4, Shows MS is happy to allow known vulnerabilities to continue indefinitely, for probably “business reasons”.
Which is why using the cloud for user activities is still a really bad idea security wise, and will continue to be so, for quite a long time to come.
But hey, don’t let me stop people making the same mistake endlessly…
I’m unlikely to be around in another three decades, but what is the betting the same mistake will continue to happen even then?