Aug. 10th, 2023 – A large number of Microsoft 365 accounts have been taken over despite having MFA enabled; EvilProxy is the culprit.
CyberHoot vCISOs handled two (2) M365 account compromises in the last 24 hours. We researched what may be happening to breach MFA-enabled accounts. This is what we learned.
An incident was reported on yesterday by Bleeping Computer: unknown hackers, thought to be operating from Greece, targeted more than 120,000 Microsoft 365 accounts using the “EvilProxy” phishing kit (a reverse-proxy, adversary-in-the-middle toolkit sold as a service, not malware installed on the victim’s machine).
Overview of how Evil Proxy Works:
The victim clicks a phishing link and lands on a page served by the attacker’s reverse proxy, which relays every request to the real Microsoft login page and every response back to the victim. The victim enters their password and completes the MFA prompt exactly as they would on the genuine site, so the session appears to work just fine. Because all of that traffic passes through the proxy, the attacker captures the authenticated session cookie Microsoft issues after MFA succeeds. Replaying that cookie lets the attacker bypass MFA entirely: they can set up a new MFA method, change forwarding rules, and do anything else they want, because Microsoft already treats them as the hacked user in the O365 mailbox.
Warning: If you’re not worried simply because you aren’t an O365 user, think again. EvilProxy ships phishing templates that target Apple, Google, Twitter, GitHub, GoDaddy, and PyPI accounts as well.
After the Hackers are In, What Happens Next?
- Once a Microsoft 365 account is compromised, the threat actors register their own multi-factor authentication method (an Authenticator app, with push notification and code) to establish persistence that survives a password reset.
- They may also add inbox “Rules” to hide their presence and the communications they start performing (for example, deleting or moving replies that mention the phishing email). Often they will scrape every email address the victim has communicated with and send a similar phishing campaign from the compromised mailbox, exploiting the trust the victim’s contacts place in it: “This email came from the CFO of Company. I trust that person, I’ll click on their Adobe document or their PDF attachment and I’ll authenticate to view it.”
How to Improve Protections from EvilProxy in your Email Systems:
- Implement Conditional Access through your Microsoft license to limit logins to specific devices and geographic locations. If your license includes Entra ID Protection, also enable sign-in risk policies, which cover “Impossible Travel” (atypical travel) detections. Note that a geographic restriction only helps if the proxy is hosted outside your allowed regions; device and authentication-method controls are what actually break the relay.
- If available, use Microsoft Intune to deny access from untrusted devices by requiring a compliant device in Conditional Access (configure the equivalent policy in your own mobile device management solution). A stolen session cookie replayed from the attacker’s machine then fails the device check.
- Enable and leverage passwordless, phishing-resistant authentication such as Windows “Hello” for Business. Biometric sign-in (face, fingerprint, or iris) is optional; a PIN backed by the device’s TPM also qualifies, so the requirement is a Windows device with a TPM rather than a biometric sensor.
- Consider a hardware token as your MFA method (FIDO2 security keys). These do not require biometric-capable devices, only a supported browser and a USB, NFC, or Bluetooth port. They resist EvilProxy because the key signs a challenge bound to the real login domain, so a proxy sitting on a look-alike domain receives nothing it can replay.
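As an added example (not CyberHoot’s or Microsoft’s own code), the following Microsoft Graph PowerShell script creates the two Conditional Access policies recommended above: one requiring the built-in “Phishing-resistant MFA” authentication strength plus an Intune-compliant device for Office 365, and one blocking sign-ins from outside a set of allowed countries. Both are created in report-only mode so you can review the impact in the sign-in logs before enforcing them. The break-glass group ID and the country list are placeholders; the script assumes the Microsoft.Graph SDK is installed and the signed-in admin holds the listed scopes.

```powershell
# Added example: Conditional Access hardening against AitM session theft.
# Assumes the Microsoft.Graph PowerShell SDK and an admin with these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: the emergency-access ("break-glass") group that must never be locked out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Resolve the built-in "Phishing-resistant MFA" authentication strength by name rather than
# hard-coding its GUID. It covers FIDO2 keys, Windows Hello for Business and certificate auth.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in authentication strength not found; check tenant/permissions.' }

# Policy 1: phishing-resistant MFA AND an Intune-compliant device for Office 365 workloads.
# A session cookie replayed from the attacker's host fails the compliant-device check.
$mfaPolicy = @{
    displayName = 'Require phishing-resistant MFA and compliant device for Office 365'
    state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('Office365') }   # Exchange, SharePoint, Teams, etc.
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block sign-ins from outside the countries the organisation operates in.
# Placeholder country list; adjust to your own. Unknown/unresolvable countries are treated as outside.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('US', 'CA')
    includeUnknownCountriesAndRegions = $false
}

$geoPolicy = @{
    displayName = 'Block sign-ins from outside allowed countries'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($allowedCountries.Id)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoPolicy
```

Leave both policies in report-only mode for a few days and review the “Report-only” result column in the sign-in logs; users without a FIDO2 key or Windows Hello for Business enrolment will show as failures, which is your rollout backlog, not a reason to drop the control. The geographic block is a noise reducer, not a defence on its own: an EvilProxy instance hosted inside an allowed country passes it, which is why the first policy carries the real weight.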
Other Measures to Consider:
- Train employees on how to spot and delete phishing attacks.
- Test employees with innovative phishing simulations like CyberHoot’s Assignment-based Phish Testing. The outcome of this test is a much more aware employee capable of spotting phishing attacks independently, confidently, and efficiently.
What Do you Do After An Attack?
- Reset the victim’s password and revoke all signed-in sessions. Please Note: revoking sessions invalidates the user’s refresh tokens and browser session cookies, but access tokens that have already been issued cannot be recalled and stay valid until they expire (about an hour by default, depending on token lifetime settings). A hacker can therefore remain active in the account for up to an hour or so after the revocation, so keep watching the account rather than assuming the reset ended the intrusion.
- Review the account’s registered MFA methods and remove any that the user did not add, particularly a second Authenticator app registration.
- Search for and remove all unexpected inbox manipulation “Rules”, including rules that delete, redirect, or move mail to folders such as RSS Feeds or Archive.
- Disable external forwarding. (Note: this can be done at the organization level for all user accounts via the default remote domain, and may be a good decision moving forward. Be sure to seek proper approvals before disabling all forwarding.)
- Watch out for follow-on emails from typo-squatted or look-alike domains impersonating the victim or your organization.
- Search the sign-in logs for evidence that the stolen session was replayed: a sign-in from an unfamiliar IP address shortly after the user’s own login, with no fresh MFA prompt, is the signature of a captured cookie.
- Look for abnormal activity from unusual IP addresses or locations in the mail audit logs of compromised accounts (MFA registration events, rule creation, mailbox permission changes).
- Run a malware scan on the device in question. While EvilProxy itself does not drop malware, these events have a habit of expanding into other avenues of compromise, including malware deposit.
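As an added example (not CyberHoot’s or Microsoft’s own code), the script below carries out the containment and triage steps above for a single compromised account using the Microsoft Graph and Exchange Online PowerShell modules: password reset, session revocation, MFA-method review, rogue inbox-rule removal, forwarding cleanup, and a hunt through the sign-in and unified audit logs for the IPs and operations that indicate session replay. The user principal name is a placeholder, the rule-name heuristics are assumptions drawn from common attacker habits rather than anything the page reports, and the script assumes an admin holding the listed Graph scopes plus an Exchange administrator role.

```powershell
# Added example: first-hour response to a suspected EvilProxy account takeover.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules; $Upn is a placeholder.
param([string]$Upn = 'victim@example.com')

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All'
Connect-ExchangeOnline

# 1. New random password, then revoke refresh tokens and session cookies.
#    Already-issued access tokens stay valid until they expire (about an hour by default).
$newPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. List every registered MFA method. A second Authenticator registration the user does
#    not recognise is the persistence mechanism described above; remove it by ID.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id,
        @{ n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] } },
        @{ n = 'Detail'; e = { $_.AdditionalProperties['displayName'] } } |
    Format-Table -AutoSize
# Once identified:
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId '<id>'

# 3. Inbox rules that forward, redirect, delete, or bury mail. Blank or dot-only rule
#    names are an assumed heuristic (a common attacker habit), not a page-reported indicator.
$suspicious = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -match 'RSS|Archive|Deleted|Junk') -or
    ($_.Name -match '^\.*\s*$')
}
$suspicious | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
$suspicious | Remove-InboxRule -Confirm:$false

# 4. Mailbox-level forwarding set outside the rules engine.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
# Organisation-wide external auto-forward block (requires approval; affects every mailbox):
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 5. Hunt. Sign-ins grouped by country and IP: the proxy host shows up as a new pair
#    appearing right after the user's own successful login.
$since = (Get-Date).AddDays(-14)
$sinceIso = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $sinceIso" |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Group-Object Country, IpAddress |
    Sort-Object Count |
    Format-Table Count, Name -AutoSize

# Unified audit log: the operations an attacker performs once inside.
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 -Operations @(
    'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add-MailboxPermission',
    'User registered security info', 'User registered all required security info'
) | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # Exchange records carry ClientIP; Entra ID records carry ActorIpAddress.
    $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ActorIpAddress }
    [pscustomobject]@{
        Time       = $_.CreationDate
        Operation  = $_.Operations
        RecordType = $_.RecordType
        ClientIP   = $ip
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run step 5 before step 1 if you can afford the few minutes, since the sign-in and audit data are what tell you whether the stolen cookie was replayed from a single proxy host or whether the attacker has already registered a device and moved on to the victim’s contacts. The IP that appears in both the sign-in listing and the `New-InboxRule` or `User registered security info` audit events is the one to block and to search for across every other mailbox in the tenant.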