Search This Blog

Showing posts with label Multi-factor authentication. Show all posts

Hackers Breached Accounts of Twilio Users

According to data provided by Twilio, hackers were able to obtain information from "a limited number" of customer accounts through a breach including data theft of employee credentials.

On August 4th, a hacker sent SMS messages to Twilio employees asking them to change their passwords or informing them of a change in their schedule. Each message contained a URL that contained phrases like "Twilio," "SSO" (single sign-on), and "Okta," the brand of user authentication service that is employed by numerous businesses. Employees who clicked on the link were taken to a fake Twilio sign-in page, where hackers were able to capture the data they entered.

When the breach was discovered, Twilio worked with US phone providers to shut down the SMS system and also requested that web hosting companies remove the fake sign-in sites. Twilio reports that hackers were still able to switch to different hosting companies and cell carriers in order to continue their assault.

Facebook and Uber are two of the more than 150,000 businesses that use Twilio.

Laurelle Remzi, an official for Twilio, declined to reveal how many customers were impacted or what data the hackers got. According to Twilio's privacy statement, the data it gathers includes addresses, payment information, IP addresses, and, in certain situations, identification documentation. 

The hackers are skilled enough to switch between telco carriers and hosting providers using social engineering lures, according to Twilio, a dominant player in the enterprise communication API market with 26 offices across 17 countries. Twilio classified the situation as ongoing.

The company didn't specify whether the social engineering attacks were successful or whether any MFA (multi-factor authentication) hurdles were encountered by the attacker.

According to Twilio, its security team has terminated access to the hacked employee accounts in order to reduce the effect of the attack and has contacted a third-party forensics company to assist in the investigation.

Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users


Azure Active Directory has received a handful of security updates from Microsoft. In preview, the business has unveiled a new access reviews tool that allows enterprises to delete inactive user accounts which may pose a security concern. Users who created the new Azure AD tenant after October 2019 received security defaults, however, customers who built Azure AD tenants before October 2019 did not receive security defaults. 

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It's useful for companies who don't want contractors or former employees to have access to sensitive data. Azure Active Directory (Azure AD) is a Microsoft cloud service that manages identification and authentication for on-premise and cloud applications. In Windows 2000, it was the advancement of Active Directory Domain Services. 

"The term "sign-in activity" refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained. 

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell


The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. It is an American subsidiary of Bridgestone Corporation, a Japanese tire, and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, Lock bit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows Powershell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits


People have been concerned about information security since the first password was included in the Compatible Time-Sharing System at MIT in 1961. While multi-factor authentication (MFA) did not arrive on the scene until years later, in 1986, with the first RSA tokens, it has recently achieved broad consumer acceptance. According to the annual State of the Auth Report from MFA digital authenticator firm Duo, 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021, up from 28% in 2017.   

While several organisations, including Duo and RSA, have contributed to making MFA more widespread and user-friendly, threat actors have not been sitting on their laurels, preferring to attack MFA as well as seeking for ways to circumvent MFA with changing phishing kits. 

 Phishing kits are software created to assist threat actors acquire credentials and swiftly capitalise on them. Many of these kits, which are either installed on a dedicated server owned by the threat actor or secretly put on a hacked server owned by an unlucky user, may be purchased for less than a cup of coffee. 

Proofpoint threat researchers have seen a wide range of MFA phishing kits, from simple open-source kits with human-readable code and no-frills functionality to sophisticated kits with multiple layers of obfuscation and built-in modules that allow for the theft of usernames, passwords, MFA tokens, social security numbers, and credit card numbers. These kits, at their heart, use the same mechanisms for credential harvesting as conventional kits that steal only usernames and passwords. 

 Proofpoint researchers have witnessed the introduction of a new sort of kit in recent years that does not rely on duplicating a target website. Instead, these kits use a transparent reverse proxy to provide the victim with the actual website. A reverse proxy is a computer network application that sits in front of back-end applications and forwards client (e.g., browser) requests to those apps. Scalability, performance, resilience, and security are all improved by using reverse proxies. 

 Modern web pages are dynamic and constantly change. As a result, providing the actual site rather than a copy considerably improves the perception that an individual is logging in safely. Another advantage of using a reverse proxy is that it allows a threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords, but also the session cookie in real-time.

 In a recent publication, researchers from Stony Brook University and Palo Alto Networks investigated MitM phishing kits and uncovered an industry blind spot. The researchers created Phoca, a machine learning tool, to scan suspected phishing pages and identify if they were utilising a transparent reverse proxy to access MitM credentials. They discovered over 1200 MitM phishing sites.

Attackers use Azure AD to Enroll Outlook on BYOD and then Send Phishing Emails


Microsoft has issued a warning about a new multi-stage phishing campaign that first enlists an attacker's BYOD device on a corporate network before sending thousands of convincing phishing emails to other targets. Bring your own device (BYOD) refers to the practice of employees connecting to their corporate networks using personal devices to access work-related systems and possibly sensitive or confidential data. Smartphones, personal computers, tablets, and USB drives are examples of personal devices. 

According to Microsoft, the goal of enrolling or registering a device on a target company's network was to evade detection during subsequent phishing assaults. According to Microsoft, "most" firms that had activated multi-factor authentication (MFA) for Office 365 were not affected by phishing emails transmitted via attacker-controlled registered devices, but all organizations that had not implemented MFA were affected. 

The attack took advantage of situations in which MFA was not enforced while registering a new device with a company's instance of Microsoft's identity service, Azure Active Directory (Azure AD), or enrolling a BYOD device in mobile device management (MDM) platform such as Microsoft's Intune. 

"While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack's propagation heavily relied on a lack of MFA protocols," Microsoft said. "Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," it added. 

According to Microsoft, the first wave of the attack targeted firms in Australia, Singapore, Indonesia, and Thailand. The first stage used a DocuSign-branded phishing email that asked the recipient to review and sign the document. It made use of phishing domains with the .xyz top-level domain (TLD). The phishing link in each email was also unique and included the target's name in the URL. Victims were routed to a bogus Office 365 login page by the phishing link. 

In the second phase, the attackers installed Microsoft's Outlook email client on their own Windows 10 PC, which was then successfully connected to the victim's Azure AD. All the attackers had to do was accept Outlook's onboarding experience, which encourages the user to register a device. In this situation, the attackers were using credentials obtained in phase one. 

Certain practices, according to Microsoft researchers, can limit an attacker's ability to move laterally and compromise assets after the initial intrusion and should be supplemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components. Organizations can further limit their attack surface by removing basic authentication, mandating multi-factor authentication when adding devices to Azure AD, and enabling multi-factor authentication for all users.

A Breach on Multi-Factor Authentication Leads to a Box Account Takeover


According to new research from Varonis, a vulnerability in Box's implementation of multi-factor authentication (MFA) allows attackers to take over accounts without having access to the victim's phone. Because of the flaw, which was patched in November 2021, an attacker just needed stolen credentials to get access to a company's Box account and steal sensitive information if SMS-based MFA was activated. Users without Single Sign-On (SSO) can further secure their accounts using an authenticator app or SMS for second-factor authentication, according to Box, which says that close to 100,000 firms utilize its platform.

How Does SMS Verification Work in Box?

After providing a username and password in Box's login form, the user is redirected to one of two pages:
  • If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (OTP).
  • If the user has opted to receive a passcode via SMS, a form to enter an SMS code will appear. 
  • A code is delivered to the user's phone when they go to the SMS verification form. To gain access to their account, they must enter this code. 

When a user attempts to log into a Box account, the platform saves a session cookie and leads to a page where they must enter a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification) or an SMS code (at /2fa/verification). When a user adds an authenticator app to their account, Box provides them a factor ID and the user must enter a one-time password issued by the app in addition to the credentials when logging in. 

Researchers from Varonis revealed that an attacker might circumvent MFA for accounts that had SMS-based MFA enabled by abandoning the SMS-based verification procedure instead of commencing TOTP-based MFA. By combining the MFA modalities, the attacker might gain access to the victim's account by giving a factor ID and code from a Box account and authenticator app that the attacker controls.

The entire talk about required MFA from firms like Salesforce and Google, as well as a White House executive order, is to emphasize that MFA implementations, like any other programming, are prone to flaws. MFA can give the impression of security. Because MFA is enabled, an attacker does not necessarily need physical access to a victim's device to compromise their account.

Android Banking Malware Spreads Using a Bogus Google Play Store Website


An Android banking trojan aimed at Itaú Unibanco has used an unusual technique to spread to devices, the actors created a page that looks remarkably similar to Android's official Google Play app store in order to deceive visitors into thinking they are installing the software from a reliable service. The Trojan poses as Itaú Unibanco's official banking app and uses the same icon as the legitimate app. 

Banco Itaú Unibanco S.A. is a Brazilian financial services firm based in São Paulo. Founded in 2008 by the merging of Banco Itaú and Unibanco, Itaú Unibanco is the largest bank in Brazil, as well as the largest in Latin America and the Southern Hemisphere, and the world's 71st largest bank. It is also one of the world's twenty most valuable banks. It has approximately 33,000 service sites worldwide, 3,527 of which are in Brazil, as well as around 28,000 ATMs and 55 million customers. 

When the user clicks on the "Install" button, they are prompted to download the APK, which is the first indication of fraud. Google Play Store apps are always installed through the store interface, never requiring the user to manually download and install programmes. Cyble researchers examined the malware and discovered that when it is executed, it attempts to launch the genuine Itaú app from the Google Play Store. If that is successful, it will utilize the actual app to carry out fraudulent transactions by modifying the user's input fields.

During installation, the software does not request any unsafe permissions, preventing suspicious or risky detection from AV tools. Instead, it intends to use the Accessibility Service, which is all that mobile malware requires to overcome all security on Android systems. According to a recent research by Security Research Labs, "we are currently dealing with an Android malware Accessibility abuse epidemic, and Google has failed to patch the targeted flaw." As a result, only the user has the ability to detect indicators of abuse and stop the infection before it has a chance to cause harm to the device. 

According to the researchers, if you want to enjoy the ease of mobile e-banking, download the app from the bank's official website or the Google Play Store. Furthermore, apply app updates as soon as they become available, and utilize an AV tool from a reliable vendor. Use a strong password and enable multi-factor authentication on the app to ensure optimal account security.

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email


Phishers are posing as Proofpoint, a cybersecurity company, in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such effort was launched against an undisclosed global communications business, with roughly a thousand personnel targeted solely within that company. 

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

A file apparently related to mortgage payments was the email's bait. The subject line, "Re: Payoff Request," was designed to trick targets into thinking it was part of an ongoing conversation, offering validity to the proceedings while also adding urgency. Users were led to a splash page with Proofpoint branding and login spoofs if they clicked on the "secure" email link embedded in the message. 

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to be abusing an Amazon service called Amazon Simple Email Service (SES), which allows developers to send email messages from their apps. According to Kaspersky, the campaign was based on a now-revoked stolen SES token used by a third-party contractor during the testing of the website The website is a Kaspersky initiative that includes an interactive map depicting the future impact of technology on the Earth, as predicted by futurologists. Because the site is housed on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. is one of the sender addresses used in these emails. The security alert cautioned that they come from a variety of sources, including Amazon Web Services infrastructure. The stolen SES token was only utilized in a restricted way, according to the company, as part of a larger campaign that targeted many brands. 

Social engineering, brand impersonation, and the utilization of genuine infrastructure are used in attacks like these to get through typical email security filters and consumers' eye checks. Armorblox made the following suggestions to protect against similar campaigns: 

 • Be wary of social engineering: Before opening an email, users should perform a visual inspection that involves looking at the sender's name, email address, language, and any logical flaws. 

 • Improve password hygiene: Implement multi-factor authentication (MFA) on all potential corporate and personal accounts, avoid the usage of the same password across several sites/accounts, and avoid passwords that are linked to publicly available data.

Thousands of Coinbase Clients were Robbed due to an MFA Flaw


After exploiting a vulnerability in Coinbase's SMS multi-factor authentication security mechanism, a threat actor stole cryptocurrency from 6,000 customers, according to the firm. A threat actor executed a hacking campaign between March and May 20th, 2021 to penetrate Coinbase customer accounts and steal cryptocurrency, according to a warning given to impacted consumers this week. 

The hackers apparently required to know the user's email address, password, and phone number, as well as have access to their email accounts, according to the US-based exchange, which has roughly 68 million customers from over 100 countries. It's unclear how the hackers got their hands on that information. 

"In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account," Coinbase told customers in electronic notifications. 

Customers' personal information was exposed as well, according to the report, "including their complete name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances."

According to Coinbase, a flaw in their SMS account recovery process allowed hackers to acquire access to the SMS two-factor authentication token required to access a secured account. Coinbase claims to have updated the "SMS Account Recovery protocols" after learning of the incident, preventing any further bypassing of SMS multi-factor authentication. 

Because the Coinbase bug allowed threat actors to gain access to accounts that were thought to be secure, the exchange is depositing funds in affected accounts equal to the stolen amount. 

"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost," promised Coinbase. It's unclear whether Coinbase will credit hacked users with the stolen cryptocurrency or fiat currency. If fiat currency is used, it may result in a taxable event for the victims if their profits increase. 

Coinbase recommends implementing multi-factor authentication (MFA) with security keys, Time-based One-Time Passwords (TOTP) with an authenticator app, or SMS text messages as a last resort in their account security guide.

Kerberos Authentication Spoofing: A Quick Look


Since authentication is the first line of defence for security systems, if a threat actor gets past it, they can very much do whatever they want. Threat actors can log in as administrators and change configurations, get access to protected resources, and take control of appliances in order to steal sensitive data. 

Silverfort discovered that all four security systems they examined – Cisco ASA, F5 Big-IP, IBM QRadar, and Palo Alto Networks PAN-OS – were vulnerable to bypass vulnerabilities due to the way they implemented the Kerberos and LDAP authentication protocols. 

Kerberos was first introduced by Microsoft in Windows 2000. It's also become the industry standard for websites and Single-Sign-On implementations on a variety of platforms. Kerberos is an open-source project maintained by the Kerberos Consortium. Microsoft Windows presently uses Kerberos authentication as its default authorization method, and Kerberos implementations are available for Apple OS, FreeBSD, UNIX, and Linux. 

The Kerberos authentication protocol works in the following ways:

 • The client asks the Key Distribution Center (KDC) for an authentication ticket (TGT). 

 • The KDC checks the credentials and returns an encrypted TGT as well as the session key.

 • The Ticket Granting Service (TGS) secret key is used to encrypt the TGT. 

 • When the TGT expires, the client keeps it, and the local session manager requests another TGT (this process is transparent to the user).

Kerberos can be configured without Kerberos' SSO capabilities in the four security systems aforementioned. Instead, when logging in, the user is asked for a username and password, and the system then asks for the TGT. To put it another way, the security system acts as both a client and a server. A KDC spoofing vulnerability might occur if the Client/Server exchange is overlooked. 

The KDC Spoofing vulnerability allows an attacker to overcome Kerberos authentication, break security restrictions, and obtain unrestricted access to sensitive workloads using Big-IP Access Policy Manager (APM). In a report, Silverfort security researchers Yaron Kassner and Rotem Zach discussed it. 

F5 Networks released BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3, which included a security patch for this vulnerability (CVE-2021-23008, CVSS score 8.1). Multi-factor authentication (MFA) or an IPSec tunnel between the impacted BIG-IP APM system and the Active Directory servers, was suggested by the company. 

Virtual Wallet Users are Being Scammed


People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who does not appear to be who they claim to be. Virtual wallets are applications that you can download on your Android or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the funds, by which point the scammer has replaced the stolen credit card credentials with their own. The money is then sent to the fraudster, and the victim is held responsible until the owner of the stolen card files restitution claims. 

In contrast to Cash App and Venmo, PayPal is the oldest form of virtual wallet. In a PayPal scam, the scammer asks a seller to send the things he or she "bought" to a particular address. They discover that the address is invalid after the scammer "pays" for the item and the seller sends the package, but it's too late. 

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer would then collect the item and file a complaint with PayPal claiming that the item was never delivered. PayPal will refund the money charged to the scammer because the buyer has no evidence that the item was shipped. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

GitHub Announced Security Key Support for SSH Git Operations


When using Git over SSH, GitHub, the ubiquitous host for software creation and version control (and unfortunate victim of a relentless stream of attacks targeting the same), now supports encryption keys.

GitHub security engineer Kevin Jones said in a blog post on Monday that this is the next step in improving security and usability. These portable FIDO2 fobs are used for SSH authentication to protect Git operations and avoid the havoc that can occur when private keys are misplaced or stolen, or when malware attempts to execute requests without user permission. For instance, in 2019, the TrickBot data-stealing malware was updated to include a password grabber that could attack data from OpenSSH applications. 

These security keys, which include the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are easy to carry around in your pocket and attach to computers via USB, NFC, or Bluetooth. They can be used instead of one-time passwords generated by apps or sent via SMS. SMS SSH codes sent via text can currently be intercepted.

Strong passwords are still relevant, but because of the proliferation of data breaches and cyberattacks, they are becoming less useful as a single security mechanism, prompting the development of password managers that often check for credential leakage online, biometrics, and security keys. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain." 

Since keys are one of the variables in multi-factor authentication (MFA), users can treat them with the same care as any other credential. You should have your security key plugged in if you're the only one that has access to it. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.” 

When you use a security key, neither ransomware nor unintended private-key leakage will reveal your keys, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication

Of late a phishing attack was found to be stealing confidential user data that was stored on the cloud.
As per sources, this is the work of a new phishing campaign that dodges the Office 365 Multi-Factor Authentication (MFA) to acquire the target’s cloud-stored data and uses it as bait to extract a ransom in Bitcoin.

Per reports, researchers discovered that the campaign influences the “OAuth2 framework and OpenID Connect (OIDC) protocol”. It employs a malicious “SharePoint” link to fool the targets into giving permission to “rogue” applications.

MFAs are used as a plan B in cases where the users’ passwords have been discovered. This phishing attack is different because it tries to fool its targets into helping the mal-actors dodge the MFA by giving permissions.

This campaign is not just about gaining ransoms via exploiting the stolen data it is that and the additional threat of having sensitive and personal information at large for others to exploit as well. Extortion and blackmail are among the first things that the data could be misused for.

Sources mentioned that via obtaining basic emails and information from the target’s device, the attacker could easily design “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign employs a commonplace invite for a SharePoint file, which happens to be providing information regarding a “salary bonus”, which is good enough for perfunctory readers to get trapped, mention reports.

The link when clicked on redirects the target to an authentic login page of Microsoft Office 365. But if looked on closely, the URL looks fishy and created without much attention to detail, thus say the security experts.

Reportedly, access to Office 365 is acquired by getting a token from the Microsoft Identity Platform and then through Microsoft Graph authorizations. OIDC is used to check on the user granting the access if authentication comes through then the OAuth2 grants access for the application. During the process, the credentials aren’t revealed to the application.

The URL contains “key parameters” that explain how targets could be tricked into granting permissions to rogue applications on their account. Key parameters signify the kind of access that is being demanded by the Microsoft Identity Platform. In the above-mentioned attack, the request included the ID token and authentication code, mentioned sources.

If the target signs in on the SharePoint link that was delivered via the email they’ll be providing the above-mentioned permissions. If the target doesn’t do so, it will be the job of the domain administrators to handle any dubious activities.

This phishing campaign is just an example of how these attack mechanisms have evolved over the years, to such an extent that they could now try to extort sensitive data out of people seemingly by tricking them into providing permissions without an inkling of an idea of what is actually up.

Multi-factor authentication bypassed to hack Office 365 & G Suite Cloud accounts

Massive IMAP-based password-spraying attacks successfully breached Microsoft Office 365 and G Suite accounts, circumventing multi-factor authentication (MFA) according to an analysis by Proofpoint.

As noted by Proofpoint's Information Protection Research Team in a recent report, during a "recent six-month study of major cloud service tenants, Proofpoint researchers observed attackers are targeting legacy protocols with stolen credential dumps to increase the speed and efficiency of the brute force attacks.

Based on Proofpoint study, IMAP is the most abused protocol, IMAP is the protocol that bypasses MFA and lock-out options for failed logins.

This technique takes advantage of the fact that the legacy authentication IMAP protocol bypasses MFA, allowing malicious actors to perform credential stuffing attacks against assets that would have been otherwise protected.

These intelligent new brute force attacks bring a new approach to the traditional normal brute force attack that uses the combination of usernames and passwords.

Based on the Proofpoint analysis of over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that:

▬ 72% of tenants were targeted at least once by threat actors
▬ 40% of tenants had at least one compromised account in their environment
▬ Over 2% of active user-accounts were targeted by malicious actors
▬ 15 out of every 10,000 active user-accounts were successfully breached by attackers

Their analysis unearthed the fact that around 60% of all Microsoft Office 365 and G Suite tenants have been targeted using IMAP-based password-spraying attacks and, as a direct result, approximately 25% of G Suite and Office 365 tenants that were attacked also experienced a successful breach.

On the whole, after crunching down the numbers, Proofpoint reached the conclusion that threat actors managed to reach a surprising 44% success rate when it came to breaching accounts at targeted organizations.

The ultimate aim of the attackers is to launch internal phishing and to have a strong foothold within the organization. Internal phishing attempts are hard to detect when compared to the external ones.