Huge phishing campaign evades MFA, leads to business email fraud: Microsoft

A large phishing campaign is focusing on organizations using Microsoft Office 365, tricking victims into logging into a spoofed Office online authentication page to steal their credentials and ultimately conduct business email compromise (BEC) scams.

The warning comes from Microsoft, which says the heart of the attack are what it calls adversary-in-the-middle (AiTM) phishing sites. These are impersonated websites that deploy a proxy server between a target user and the website the user wants to visit.

As a result the attacker can steal and intercept the victim’s password and the session cookie that proves their ongoing and authenticated session with the website, even if the victim has to use multifactor authentication (MFA) to log in.

“Note that this is not a vulnerability in MFA,” says Microsoft. “Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.”

This attack strategy can be blunted, the report says, by antiphishing solutions and antivirus solutions that detect session cookie theft and attempts to use the stolen cookie to sign into Exchange Online. it can also be defeated by complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others.

Defenders also should continuously monitor for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services), and unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.

One common way victims are tricked is they click on a link in a message that purports to be a voice message for them. A fake download progress bar, hardcoded into the HTML file, fools the victim into thinking an audio file is being downloaded. Instead they are redirected to what appears to be a Microsoft page and asked to log in. The victim’s email address or username, captured during this action, is automatically filled in the form, adding credibility to the scam.

The phishing site could also proxy the organization’s Azure Active Directory (Azure AD) sign-in page, which is typically If that had been configured to include the organization’s branding, the phishing site’s landing page also could also copy that, again adding credibility.

When the victim enters their credentials and is authenticated, they are redirected to the legitimate page. However, in the background the attacker intercepts the credentials, is authenticated first and gets into the victim’s email.

Diagram with icons illustrates a phishing site, which is connected to a malicious proxy server, in between a user and the target website the user is trying to access. Texts and arrows describe the process of how the AiTM phishing website intercepts the authentication process.

(How AiTM phishing works. Graphic from Microsoft)

After that, the attacker begins business email compromise (BEC) scams, aided by accessing finance-related emails and file attachments, including ongoing email threads involving payments. Ultimately the attacker tries to trick a target into transferring payments to attacker-owned accounts. One way is by impersonating an employee, replying to ongoing finance-related email threads, and luring the fraud target to send money through fake invoices, Microsoft says.

To protect against detection, the attacker deletes the original phishing email they sent from the compromised account’s Inbox folder. Another defensive tactic by the attacker is to create an email rule along the lines of “For every incoming email where sender address contains [domain name of the fraud target], move the mail to “Archive” folder and mark it as read.”

In one attack, Microsoft says, the threat actor ran multiple fraud attempts simultaneously from the same compromised mailbox.

The report is another example of why ongoing security awareness training is vital in every organization.

While AiTM phishing attempts to circumvent MFA, Microsoft emphasizes that MFA is “an essential pillar in identity security.” Multifactor authentication is still very effective at stopping a wide variety of threats, the report says. In fact, it adds, the effectiveness of MFA is why AiTM phishing has emerged.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now