BEC phishing campaign steals Office 365 credentials and bypasses multifactor authentication


By Jelle Wieringa, Security Awareness Advocate at Knowbe4


In June, Microsoft security experts discovered a new attack technique in which cybercriminals took advantage of Microsoft Exchange’s Basic Authentication support. Using previously stolen online credentials, they were able to bypass multifactor authentication (MFA). The attackers launched an email phishing campaign that pointed to a file to be opened. The file, in turn, pointed to a malicious link that led the victims to a fake Office 365 login page. As soon as the victim entered their credentials there, the message “File not found” appeared.

The attackers take the stolen credentials and try to log in to the victim’s Office 365 account. When they run into Microsoft’s MFA, they sign in with the Microsoft user agent “BAV2ROPC”, which permits Exchange Basic Authentication (normally used by POP3/IMAP4 clients) and results in an OAuth flow. This bypasses MFA because MFA does not support IMAP4 requests. Microsoft had actually intended to turn off Basic Authentication as early as October 2020, but the pandemic put the project on hold and postponed it until this year.

Once they have penetrated the victim’s mailbox, the scammers set up forwarding rules for messages that contain words such as “invoice”, “payment” or “bank statement”, forwarding them to an email account controlled by the scammer. Once the fraudsters are in possession of these emails, they impersonate the person concerned. They then apply social engineering tactics to convince the person or company making the payment to change the bank details at the last minute.
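One way a defender can hunt for the two signals described above (successful sign-ins through the legacy BAV2ROPC user agent, and inbox rules keyed on payment words that forward outside the tenant), as an added Python example that is not code from the article or from KnowBe4; the log field names, domains and sample records are constructed assumptions, not a real Microsoft 365 log schema:

```python
# Constructed sample sign-in events. The field names are assumptions for
# this example, not a real Azure AD / Microsoft 365 log schema.
SIGNIN_LOG = [
    {"user": "alice@example.com", "userAgent": "BAV2ROPC", "clientApp": "IMAP4",
     "ip": "203.0.113.10", "result": "success"},
    {"user": "alice@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "clientApp": "Browser", "ip": "198.51.100.7", "result": "success"},
    {"user": "bob@example.com", "userAgent": "BAV2ROPC", "clientApp": "POP3",
     "ip": "203.0.113.11", "result": "failure"},
]

# Constructed inbox rules, as an admin might export them for review.
INBOX_RULES = [
    {"mailbox": "alice@example.com", "name": "Finance",
     "subjectContains": ["Invoice", "payment"],
     "forwardTo": ["collector@attacker-example.net"]},
    {"mailbox": "alice@example.com", "name": "Archive",
     "subjectContains": ["newsletter"],
     "forwardTo": ["archive@example.com"]},
    {"mailbox": "carol@example.com", "name": "Statements",
     "subjectContains": ["bank statement"],
     "forwardTo": ["carol.private@example.org"]},
]

LEGACY_AGENTS = {"BAV2ROPC"}               # user agent named in the article
PAYMENT_WORDS = {"invoice", "payment", "bank statement"}
INTERNAL_DOMAIN = "example.com"            # assumption: the tenant's own domain

def legacy_auth_signins(log):
    """Users with a successful sign-in through a legacy (basic-auth) user agent."""
    return sorted({e["user"] for e in log
                   if e["userAgent"] in LEGACY_AGENTS and e["result"] == "success"})

def suspicious_forwarding_rules(rules):
    """(mailbox, rule name) for rules keyed on payment words that forward externally."""
    hits = []
    for r in rules:
        words = {w.lower() for w in r["subjectContains"]}
        external = [a for a in r["forwardTo"]
                    if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
        if words & PAYMENT_WORDS and external:
            hits.append((r["mailbox"], r["name"]))
    return hits

def correlate(log, rules):
    """Mailboxes showing both signals: the strongest sign of an active BEC takeover."""
    compromised = set(legacy_auth_signins(log))
    return sorted({m for m, _ in suspicious_forwarding_rules(rules) if m in compromised})
```

A rule that forwards externally without a legacy-auth sign-in (carol above) is still worth a look, but the correlated hit is the one to escalate first.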

By using infrastructure hosted across multiple web services, the attackers were able to hide their BEC campaign. They split their activity across different IP addresses and time periods, which made it difficult to unmask.

Impersonating another person, especially when the attackers have access to that person’s mailbox, is difficult for companies and the people involved to detect and repel. Therefore, it is important to stop these types of attacks before they happen. Ultimately, the only thing that can be prevented is the misdirected click on the phishing email. Users must be able to recognize the red flags in their sleep. By participating in security awareness training, they learn both the basics of good security awareness and the latest fraud attempts, topics, and campaigns, so that employees and companies are not unprepared for the “next” phishing email and can react accordingly.
