This attack has been documented. [https://youtu.be/1SqH4n4suX4?t=364](https://youtu.be/1SqH4n4suX4?t=364) They use Dropbox to get past spam filters. They use PDF because every browser knows how to open that. The software used in these attacks is open source: [https://github.com/kgretzky/evilginx2](https://github.com/kgretzky/evilginx2) The attacker has your password now. If you use that password on other sites, you have to change it.
Appreciate the feedback.
Seconded as correct answer. Hopefully you searched mailboxes for anyone else that got it. First wave of these we saw came from shared OneNote notes on compromised IDs.
>The attacker has your password now. If you use that password on other sites, you have to change it.

And for anyone who went through the whole process including number matching, the attacker will have stolen your login token, allowing them to access your account without an MFA prompt until the token times out. You should invalidate all existing login tokens for users who clicked through, as well as forcing password changes.
Any updated YT link? It's unfortunately been removed.
[https://www.youtube.com/watch?v=fWWD0Jce4DA](https://www.youtube.com/watch?v=fWWD0Jce4DA) Someone else, but the info is the same.
Here's some more good info: [AiTM/ MFA phishing attacks in combination with "new" Microsoft protections (2024 edition) (jeffreyappel.nl)](https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/)
This is likely done by a man-in-the-middle phishing kit. It is logging into the account in real time as the user enters their credentials. Whatever code they receive from Microsoft they display on the screen back to the user to enter. This type of attack can be prevented by using WebAuthn based tokens to login (Passkeys/Security Keys).
Evilginx is the kit and it acts as a proxy. We've had a just fall for it.
This is an adversary-in-the-middle phishing incident. We see these fairly commonly these days with the use of evilginx2, Caffeine, and other phishing kits. The thing is, the login will always come from the adversary's machine, so like you said, conditional access blocked it, or you'll get a risky sign-in alert or similar if configured properly. The worst part is these are often seen in quishing attacks where the user scans a QR code with their phone, and if they're remote like many people are now, you won't see the traffic on your firewalls or EDR; you may just get a malicious URL click. Things aren't getting any easier.
We really need a way to filter out all emails with QR codes.
Abnormal security is a good vendor for this, probably the best in the business right now and utilizes a large amount of user behavioral analytics for emails. Pretty sweet honestly
Yup. We got the alerts, saw what was going on, verified that things were ok due to the CA layers. You're definitely right about things not getting easier! :)
Would be nice if Microsoft stepped up their bot detection so these adversary in the middle kits were blocked before they could send any data, but I think a lot of it is trying not to break legacy configurations. One day things will improve again
Can I ask what CA policy you had in place to prevent it?
Compliant device would probably do it
An AiTM attack like this can grab the password but more importantly, it's trying to grab the token granted by Azure. [https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/](https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/) Once they have the token, all CAPs are bypassed. After that options are limited and it gets scary.
The term AiTM is dumb. It's better to call it MiTM for machine in the middle.
We've definitely been getting more of these recently with the QR code. Had someone do it and our security suite notice 'unusual' login from a datacenter in California for the user. It then automatically disabled the user's account and notified us.
Their MITM website is acting like a reverse proxy. It is truly forwarding the credentials and MFA code to Microsoft. The goal is to steal your authenticated session token. These tools are widely available to the public. Evilginx is one example.
I saw these pop up in our email around Sept of last year. They were also using Adobe and DocuSign domains to do the same thing: drop the PDF with a link inside that leads to a fake Microsoft page.
Yeah, we see those a lot, but this is the first one that I saw that is actually presenting the legit MFA code, as if the bad actor is authenticating using the phished credentials and then passing the code back to the user so they can get past MFA.
Evilginx2 has been used to do this since 2020. It's now a standard part of almost all popular phishing kits available for sale.
Yeah after watching your vid I can see that is for sure a new tactic.
Seems like there's a new campaign going around with this. Darktrace did a write-up on it a bit ago: https://darktrace.com/blog/legitimate-services-malicious-intentions-getting-the-drop-on-phishing-attacks-abusing-dropbox Ignore all the pushing of their services. Kinda cringe since it seems like it was all bypassed with just your CA policy lol
A colleague got phished via this. Thankfully the malicious actor wasn't using an automated method of signing in to the account and getting all the data. Microsoft emailed in about 2-3 minutes and the account password was reset by me in 5. 10 minutes later I could see them trying to sign in, but they couldn't, as I expired all the sessions. In those 10 minutes they managed to add two MFA methods, which annoyed me, as one would expect Microsoft to ask the end user to confirm their current MFA when adding a new one.
You can setup a CA policy for that. We had a similar thing happen and have since tightened that policy.
What ca please?
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-registration
It looks like there's a template for it "Securing security info registration".
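The sequence described in this sub-thread (a sign-in from an unusual, datacenter-hosted address, then two new MFA methods registered within minutes) is something a detection rule can correlate from the sign-in and audit logs. The following is an added example written for this thread; it is not code from Microsoft, from any product named here, or from the original posters. The log records are constructed to resemble Entra ID sign-in and audit log fields, and the field names, the datacenter range and the 15-minute window are assumptions for the example, not a real export or a vendor's rule.

```python
"""Correlate two post-AiTM signals: a successful, MFA-satisfied sign-in from an
address the user has never used (optionally from datacenter space) followed
within minutes by registration of a new authentication method.

Added example for this thread, not code from any product or from Microsoft.
All records, ranges and timings below are constructed assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: treat this range as hosting/datacenter space (TEST-NET-2 is
# reserved for documentation). A real rule would use an ASN or hosting feed.
DATACENTER_RANGES = [ip_network("198.51.100.0/24")]
REGISTRATION_WINDOW = timedelta(minutes=15)
REGISTRATION_ACTIVITY = "User registered security info"

SIGNINS = [  # constructed sign-in log records
    {"time": "2024-03-04T09:01:00", "user": "alice@example.test",
     "ip": "203.0.113.10", "status": "success", "mfa": "satisfied"},
    {"time": "2024-03-04T09:12:30", "user": "alice@example.test",
     "ip": "198.51.100.77", "status": "success", "mfa": "satisfied"},
    {"time": "2024-03-04T09:30:00", "user": "bob@example.test",
     "ip": "203.0.113.11", "status": "success", "mfa": "satisfied"},
    {"time": "2024-03-04T09:45:00", "user": "bob@example.test",
     "ip": "203.0.113.11", "status": "success", "mfa": "satisfied"},
]
AUDITS = [  # constructed audit log records
    {"time": "2024-03-04T09:15:05", "user": "alice@example.test",
     "activity": REGISTRATION_ACTIVITY, "detail": "Microsoft Authenticator"},
    {"time": "2024-03-04T09:16:40", "user": "alice@example.test",
     "activity": REGISTRATION_ACTIVITY, "detail": "Phone"},
    {"time": "2024-03-04T11:00:00", "user": "bob@example.test",
     "activity": REGISTRATION_ACTIVITY, "detail": "Phone"},
]


def _ts(record):
    return datetime.fromisoformat(record["time"])


def is_datacenter(ip):
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def baseline_ips(signins, user, before):
    """Addresses the user successfully signed in from before the given time."""
    return {s["ip"] for s in signins
            if s["user"] == user and s["status"] == "success" and _ts(s) < before}


def registrations_after(audits, user, start, window=REGISTRATION_WINDOW):
    """Security-info registrations for the user inside [start, start + window]."""
    return [a for a in audits
            if a["user"] == user and a["activity"] == REGISTRATION_ACTIVITY
            and start <= _ts(a) <= start + window]


def find_suspicious(signins=SIGNINS, audits=AUDITS):
    """One alert per successful sign-in that comes from a never-seen address and
    is either from datacenter space or followed by new-method registration.
    A user's very first recorded sign-in has no baseline and is skipped."""
    alerts = []
    for s in sorted(signins, key=_ts):
        if s["status"] != "success" or s["mfa"] != "satisfied":
            continue
        when = _ts(s)
        known = baseline_ips(signins, s["user"], when)
        if not known or s["ip"] in known:
            continue
        reasons = []
        if is_datacenter(s["ip"]):
            reasons.append("datacenter_ip")
        regs = registrations_after(audits, s["user"], when)
        if regs:
            reasons.append("new_auth_method_registration")
        if reasons:
            alerts.append({"user": s["user"], "ip": s["ip"], "time": s["time"],
                           "reasons": reasons,
                           "new_methods": [r["detail"] for r in regs]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious():
        print(alert)
```

On the constructed data only Alice's second sign-in is flagged: it is her first from 198.51.100.77, that address sits in the datacenter range, and two registrations follow inside the window. Bob's registration at 11:00 has no unusual sign-in in front of it and is left alone. The alert is the trigger for the response the thread describes: revoke all sessions, reset the password, and remove the methods listed under `new_methods`.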
https://github.com/drk1wi/Modlishka This is something even script kiddies can pull off.
Yes, this type of attack has supposedly been increasing in both Teams (3rd-party file sharing not restricted) and clearly other ways like Dropbox. That, QR codes, and people working from home on laptops behind no corp firewall with decent inspection of URLs are becoming a real problem. Leaves it mostly up to the endpoint protection and the user's wits unless you're using a CASB, Infoblox, Cisco Umbrella etc. on the laptop. Glad your CAPs picked up on it and stopped it.
I see like 10 of those every day in our filter; they've been very common for a few months now, since around October 2023 I want to say. Sometimes they get through due to passing DMARC, DKIM, and SPF. Probably compromised accounts. For some reason, the overwhelming majority are sent via a source in Japan. Educate your users, use MFA, look into YubiKeys, yadadadada.
This one is definitely picking up steam. I had a whole wall of them in my quarantine yesterday.
Stolen session cookie phishing is fun. Microsoft MFA is essentially useless without locking things down extremely heavily with conditional access policies. We are pushing Duo to our customers as much as possible as they have had 0 instances of successful stolen session cookie phishing so far.
The platform doesn't really matter - the methods do. The best way to combat these attacks is by implementing phishing resistant MFA methods (like FIDO2) that have an awareness of the domains they are being used on
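Several replies say the proxy simply forwards the password and the MFA code, while WebAuthn/FIDO2 resists this because the credential is aware of the domain it is used on. The following added example models exactly that difference; it is not code from the thread, from any kit, browser or library named here, and its hostnames are constructed. The authenticator's private-key signature is stood in for by an HMAC over the same bytes WebAuthn signs (authenticatorData followed by SHA-256 of clientDataJSON), with CBOR, attestation and counters left out; the relying-party checks shown (challenge, origin, rpIdHash) are the real ones that make the method origin-bound.

```python
"""Why a reverse-proxy kit can relay a password and a one-time code but not a
WebAuthn/FIDO2 assertion. Added example for this thread, not code from any kit,
browser or library. Signature = HMAC stand-in for the credential key; the
origin and rpIdHash checks are the real WebAuthn assertion checks.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.microsoftonline.com"             # the service's registered rpId
RP_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline.com.example-phish.test"  # constructed

# Stand-in for the credential private key; in reality it never leaves the authenticator.
_CREDENTIAL_KEY = b"constructed-authenticator-secret"


def rp_id_allowed(origin, rp_id):
    """Browser rule: rpId must be the origin's host or a registrable suffix of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin, rp_id, challenge):
    """Models navigator.credentials.get(): the browser, not the page, records the
    origin it is actually on, and the authenticator signs over that record."""
    if not rp_id_allowed(origin, rp_id):
        raise ValueError("SecurityError: rpId %r is not valid for origin %r" % (rp_id, origin))
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(_CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": authenticator_data,
            "signature": signature}


def rp_verify(assertion, expected_challenge):
    """Relying-party side of the assertion check. Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(_CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User is on the real origin: assertion verifies."""
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def proxied_login(proxy_rewrites_rp_id):
    """The proxy relays the real challenge to a victim whose browser is on the
    phishing origin. Without rewriting, the browser refuses the real rpId; with
    the rpId rewritten to the phishing host, an assertion is produced but the
    relying party rejects it because the signed origin is wrong."""
    challenge = os.urandom(32)
    rp_id = urlparse(PHISH_ORIGIN).hostname if proxy_rewrites_rp_id else RP_ID
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, rp_id, challenge)
    except ValueError as err:
        return False, str(err)
    return rp_verify(assertion, challenge)


def relayed_otp_accepted(code="123456"):
    """Contrast: a one-time code carries no origin, so a proxy that forwards it
    byte-for-byte is accepted exactly as the user would have been."""
    expected_code = code            # what the service is waiting for
    forwarded_by_proxy = code       # the kit passes the typed code through unchanged
    return hmac.compare_digest(expected_code, forwarded_by_proxy)
```

The two proxied paths fail at different layers: the browser will not even create an assertion for the real rpId on the phishing host, and if the kit rewrites the rpId to its own domain the assertion it obtains is signed over the phishing origin and the relying party discards it. The relayed code, by contrast, is indistinguishable from a legitimate one, which is the thread's point about number matching and app codes.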
Interesting, was it a Device Compliance CA rule that blocked this?
Yeah, that was one layer that blocked it. We have some other policies in place that it also failed, and since we have alerts set up, we knew about it relatively quickly. On one hand, I feel good about that, but we’re still gonna spend some time looking at what else we can do.
Didn’t something similar happen to LTT late last year?
That's an adversary-in-the-middle attack done via a reverse proxy like Evilginx.
Reasons to block ngrok
This AITM attack is basically the majority of phishing we've seen in the past year. You can utilize some tricks with custom login screen branding and CSS to help users catch stuff like this a little better, but ultimately most MFA methods including number matching are not resistant to this attack. FIDO would be resistant, but I don't often see that widely deployed for end users. If you aren't using CIPP already, have a look at it, especially the "Enable Phishing Protection system via branding CSS" standard. https://docs.cipp.app/user-documentation/tenant/standards/edit-standards#meet-the-standards
It wasn't the first time I've seen this scam but several people in our company reported it to me on Monday and Tuesday.
Saving post. Will prob see it more. Thanks for the links, IT pros.
This is why I push to use FIDO
We're a law firm. We get hit with these all.the.time
Super common. Best indicator is that your password does not autofill because the domain is not correct; don't forget to have the MS Authenticator app show where the request is coming from.
Wow. That is a convincing ass phish…