Submitted URL: https://www.sygnia.co/resources/recent-waves-of-phishing-attacks-overpowering-2fa-authentication
Effective URL: https://blog.sygnia.co/recent-waves-of-phishing-attacks-overpowering-2fa-authentication?hsLang=en




RECENT WAVES OF PHISHING ATTACKS OVERPOWERING 2-FACTOR AUTHENTICATION

November 1, 2021
 * Real-Time Authentication Phishing Kits implement a Man-in-the-Middle attack
   technique, allowing threat actors to obtain a live Office365 user session.
 * Conditional Access rules applied to the Office365 tenant are a powerful and
   effective tool to mitigate this risk by only allowing trusted devices to
   connect.
 * Sygnia’s recommendation is to proactively hunt for unauthorized access to
   Office365 accounts and any anomalous activities to detect breaches in your
   tenant.


WHY TWO-FACTOR AUTHENTICATION IS NO LONGER ENOUGH

Phishing campaigns have always been, and still are, a leading attack vector for
threat actors around the world. On top of that, with the new work-from-home
model, phishing attacks have grown in both prevalence and sophistication. These
attacks rely on human error and are used in campaigns to achieve a wide range of
objectives, from credential theft to infiltration and mass infection of a target
network.

Generally, implementing Two-Factor Authentication (2FA) is an adequate method
for enhancing user security, and over the past two years has become common
practice across organizations as part of the growing awareness of cyber threats.
However, as security advances, so does the threat landscape, and attackers have
been using tools that allow them to overcome standard 2FA solutions. Real-Time
Authentication Phishing Kits implement a Man-in-the-Middle attack technique,
allowing threat actors to obtain a live user session when their target attempts
to access a resource. While Real-Time Authentication Phishing Kits are not a new
attack tool, their popularity and variations have increased, in part due to the
growth in 2FA implementation.


A RISE IN NUMBER OF CAMPAIGNS USING PHISHING KITS

Over the past months, Sygnia has observed an increase in the number of phishing
campaigns that utilize a Man-in-the-Middle technique to overcome 2FA. A recent
and still active campaign, traced back to at least May 2021, has compromised
hundreds if not thousands of organizations. This campaign spreads phishing
e-mails to unsuspecting users with a PDF attachment disguised as a request from
DocuSign. When users open the PDF attachment, they are redirected to a phishing
landing site, where they are prompted to log in using their Office365 account. As
the session is proxied through the threat actor's server, once the user inputs
their account name, password and 2FA code, the threat actor can initiate a live
session, impersonating the victim and accessing any resource available to the
account (Mailbox, SharePoint, etc.). Using this method, threat actors can easily
extract sensitive data and information from the account or attempt to commit
financial fraud by transferring funds to an external account.


Figure 1: Phishing PDF Sample.


WHAT CAN BE DONE?

With migration to the cloud, organizations must implement additional security
measures to protect their Office365 accounts. Office365 allows implementation of
its Conditional Access tool on Azure AD accounts, enforcing various rules and
conditions for resource access requests. Through the implementation of
Conditional Access, authorization can be managed based not only on credentials,
but on multiple criteria such as IP addresses, specific devices, and more, thus
achieving an additional layer of security. Just as firewall rules allow or block
traffic based on predetermined rules, Conditional Access enhances Office365
security. Sygnia urges organizations to implement Conditional Access as part of
their Office365 security architecture and manage the devices and locations from
which resources are accessible. Any segment of an organization's architecture
that is not inspected and controlled leaves room for threat actor abuse.


RECOMMENDATIONS & ACTION ITEMS

Configure Conditional Access rules to enhance the Office365 tenant security

 * Allow access to Office365 resources only from trusted devices and IP
   addresses
 * Configure rules tailored for the different resources in the tenant

Proactively Hunt for:

 * Unauthorized access to Office365 accounts, specifically “Impossible Travel”
   cases
 * Suspicious emails received from spoofed sources
 * Emails including suspicious attachments (for example attachments with a
   double extension or documents that contact irregular domains)
 * Emails embedding suspicious URLs
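The “Impossible Travel” hunt above can be automated over the tenant's sign-in log: group sign-ins per account, order them in time, and flag any consecutive pair whose distance could not have been covered at a plausible speed. The Python below is an added example, not code from the Sygnia post; the sign-in records (accounts, IPs, coordinates) are constructed, the 900 km/h ceiling and the 100 km minimum distance are assumptions chosen to tolerate geolocation jitter, and in practice the records would be loaded from the Azure AD sign-in export rather than defined inline.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in records (not real tenant data). Each row carries the
# account, the UTC sign-in time, the source IP and the geolocation the log
# pipeline resolved for that IP.
SIGNINS = [
    {"user": "alice@example.com", "time": "2021-06-01T08:05:00Z",
     "ip": "203.0.113.10", "lat": 32.08, "lon": 34.78, "city": "Tel Aviv"},
    {"user": "alice@example.com", "time": "2021-06-01T09:10:00Z",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "city": "New York"},
    {"user": "bob@example.com", "time": "2021-06-01T10:00:00Z",
     "ip": "203.0.113.25", "lat": 51.51, "lon": -0.13, "city": "London"},
    {"user": "bob@example.com", "time": "2021-06-01T17:00:00Z",
     "ip": "203.0.113.26", "lat": 48.86, "lon": 2.35, "city": "Paris"},
]

# Assumed thresholds: roughly airliner cruising speed, and a minimum distance
# below which IP geolocation noise would otherwise produce false alerts.
MAX_PLAUSIBLE_KMH = 900.0
MIN_DISTANCE_KM = 100.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the sample records as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair that implies impossible travel."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        for prev, cur in zip(events, events[1:]):
            if prev["ip"] == cur["ip"]:
                continue  # same source address: no travel implied
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue  # within geolocation noise, not worth an alert
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            # Two sign-ins in the same second from distant locations are impossible
            # regardless of speed, so treat a zero interval as infinite speed.
            speed_kmh = math.inf if hours == 0 else km / hours
            if speed_kmh > max_kmh:
                alerts.append({
                    "user": user,
                    "from": f'{prev["city"]} ({prev["ip"]}) at {prev["time"]}',
                    "to": f'{cur["city"]} ({cur["ip"]}) at {cur["time"]}',
                    "distance_km": round(km, 1),
                    "speed_kmh": round(speed_kmh, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SIGNINS):
        print(f'[IMPOSSIBLE TRAVEL] {alert["user"]}: {alert["from"]} -> {alert["to"]} '
              f'({alert["distance_km"]} km, {alert["speed_kmh"]} km/h)')
```

On the constructed data only the Tel Aviv to New York pair is raised: roughly 9,000 km in 65 minutes, far above any plausible speed, whereas London to Paris over seven hours is ordinary travel. In a proxied-session compromise the victim's own sign-in and the threat actor's replayed session typically arrive from different addresses within minutes of each other, which is exactly the pattern this pairing surfaces; the alert is a starting point for review of the account's sessions and mailbox rules, not proof of compromise on its own.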

Contributors: Omri Bavly, Noam Lifshitz, Itay Shohat.

Tag(s): Incident Response, Threat Hunting, Blog Post

Copyright © 2022 Sygnia, Inc. All rights reserved.