Microsoft on Tuesday profiled software, sold on online forums, that makes it easier for criminals to launch phishing campaigns that successfully compromise accounts even when they are protected by the most common form of multi-factor authentication.
The phishing kit is the engine that powers more than 1 million malicious emails every day, say researchers from the Microsoft Threat Intelligence team. The software, which sells for $300 for the standard version and $1,000 for VIP users, offers a number of advanced features to simplify the deployment of phishing campaigns and increase their chances of bypassing anti-phishing protections.
One of the most important features is the built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password, but also with something that only they possess (such as a security key or authenticator app) or something that they are (such as a fingerprint or face scan). MFA has become a key defense against account hijacking, because a stolen password alone is not enough for an attacker to gain control.
MFA’s Achilles heel
The effectiveness of MFA has not gone unnoticed by phishers. Several campaigns that have emerged in recent months have highlighted weaknesses in MFA systems that rely on TOTPs, short for time-based one-time passwords, generated by authenticator apps. One campaign disclosed by Microsoft targeted more than 10,000 organizations over a 10-month period. Another successfully breached the network of security firm Twilio. Like the phishing kit Microsoft detailed on Tuesday, both campaigns used a technique known as AitM, short for adversary in the middle. It works by placing a phishing site between the targeted user and the site the user is trying to access. When the user enters a password into the fake website, the fake website transmits it to the real website in real time. If the real site responds with a TOTP prompt, the fake site receives the prompt and relays it to the target, also in real time. When the target enters the TOTP into the fake site, the fake site forwards it to the real site.
To ensure that the TOTP is entered within the specified time (usually around 30 seconds), phishers use bots based on Telegram or other real-time messengers that automatically enter the credentials quickly. After the process is complete, the real site sends an authentication cookie to the fake site. With this, phishers have everything they need to take over the account.
Last May, the crime group Microsoft tracks as DEV-1101 began promoting a phishing kit that defeats not only MFA based on one-time passwords, but also other widely used automated defenses. One feature inserts a CAPTCHA into the process to ensure that human-operated browsers can reach the final phishing page while automated protections cannot. Another feature briefly redirects the target’s browser from the original link in the phishing email to a benign site before it reaches the phishing site. The redirect helps defeat blocklists of known malicious URLs.
The ads, which began appearing last May, described the package as a phishing app written in NodeJS that offers PHP reverse proxy capabilities to bypass MFA and CAPTCHA and redirects to bypass other protections. The ads promote other features such as automated setup and a wide range of pre-installed templates to mimic services such as Microsoft Office or Outlook.
“These features make the suite attractive to many different actors who have been using it continuously since it became available in May 2022,” Microsoft researchers wrote. “The actors using this kit have different motivations and targeting and can target any industry or sector.”
The post went on to list several measures customers can use to counter the package’s evasion capabilities, including Windows Defender and anti-phishing solutions. Unfortunately, the post omitted the most effective measure: MFA based on the industry standard known as FIDO2. There are currently no known credential phishing attacks that defeat FIDO2, making it one of the most effective barriers to account takeover.
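To make the difference between the two MFA types concrete, here is an added example (written for this page, not code from the article, Microsoft, or any phishing kit) that models both the TOTP relay described above and the FIDO2 check that stops it. It assumes a constructed genuine site `login.example.com`, a constructed look-alike origin `login.example-phish.test`, and constructed secrets; the authenticator's signature is stood in for by HMAC so that it runs offline. The point it shows is the one the article makes: a six-digit code carries no information about where it was typed, so the real site accepts it when relayed within the time window, whereas a WebAuthn assertion is bound to the page origin by the browser and checked again by the site, so a look-alike page never obtains anything worth relaying.

```python
# Added example: TOTP relay vs. origin-bound FIDO2/WebAuthn (constructed names and keys).
import hashlib
import hmac
import json
import struct
from typing import Dict, Optional
from urllib.parse import urlparse


# ---- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_rp_verify(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The site only sees six digits; nothing in them says which page they were typed into.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---- FIDO2 / WebAuthn-style assertion, bound to the origin ----------------------
def _in_rp_scope(origin: str, rp_id: str) -> bool:
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """One credential key per relying-party ID, created at registration.
    HMAC stands in for the real per-credential public-key signature (simplification)."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.keys[rp_id], signed, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str,
                          challenge: bytes) -> Optional[dict]:
    # The browser, not the page, decides whether the requested RP ID is within the page's
    # origin and writes the true origin into clientData. A look-alike page asking for the
    # genuine site's RP ID gets nothing (a SecurityError in a real browser).
    if not _in_rp_scope(page_origin, rp_id) or rp_id not in auth.keys:
        return None
    return auth.get_assertion(rp_id, challenge, page_origin)


def webauthn_rp_verify(cred_key: bytes, rp_id: str, expected_challenge: bytes,
                       allowed_origins: set, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") not in allowed_origins:  # the site's own origin check
        return False
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


# ---- Scenarios (all values constructed for this example) -----------------------
RP_ID = "login.example.com"
GENUINE = "https://login.example.com"
LOOKALIKE = "https://login.example-phish.test"
CRED_KEY = b"constructed-credential-key"
TOTP_SECRET = b"constructed-totp-secret"


def totp_relay_is_accepted(now: int = 1_700_000_000) -> bool:
    # The user reads the code off their app and types it into the look-alike page;
    # forwarded a few seconds later, it is still inside the 30 s step and the genuine
    # site has no way to tell it apart from a code typed directly.
    code_typed_on_lookalike = totp(TOTP_SECRET, now)
    return totp_rp_verify(TOTP_SECRET, code_typed_on_lookalike, now + 5)


def fido2_relay_yields_nothing() -> bool:
    auth = Authenticator({RP_ID: CRED_KEY})
    challenge = b"\x01" * 32  # would be issued by the genuine site
    return browser_get_assertion(auth, LOOKALIKE, RP_ID, challenge) is None


def fido2_genuine_login_works() -> bool:
    auth = Authenticator({RP_ID: CRED_KEY})
    challenge = b"\x02" * 32
    assertion = browser_get_assertion(auth, GENUINE, RP_ID, challenge)
    return assertion is not None and webauthn_rp_verify(CRED_KEY, RP_ID, challenge, {GENUINE}, assertion)


def fido2_rp_rejects_foreign_origin() -> bool:
    # Defense in depth: even an assertion minted for another origin fails the site's check.
    auth = Authenticator({RP_ID: CRED_KEY})
    challenge = b"\x03" * 32
    assertion = auth.get_assertion(RP_ID, challenge, LOOKALIKE)
    return not webauthn_rp_verify(CRED_KEY, RP_ID, challenge, {GENUINE}, assertion)


if __name__ == "__main__":
    print("TOTP relayed code accepted by site:", totp_relay_is_accepted())
    print("FIDO2 look-alike page gets no assertion:", fido2_relay_yields_nothing())
    print("FIDO2 genuine login verifies:", fido2_genuine_login_works())
    print("FIDO2 foreign-origin assertion rejected:", fido2_rp_rejects_foreign_origin())
```

Two checks do the work: the browser refuses to produce an assertion unless the requested RP ID is within the page's origin, and the site independently refuses any assertion whose signed `clientData` names an origin it does not own. Neither check has a TOTP equivalent, which is why the relay in the article succeeds against authenticator-app codes and fails against FIDO2.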
For more information on FIDO2-compliant MFA, see previous coverage here, here, and here.
The phishing attack that breached Twilio’s network worked because one of the targeted employees entered an authenticator-generated TOTP into the attacker’s fake login site. The same campaign failed against Cloudflare’s content delivery network because the company used FIDO2-based MFA.