Original Release Date: 5/26/2020
Applications accessing Microsoft Office 365 use both the OpenID Connect (OIDC) protocol, which authenticates the user granting access via an ID token from the Microsoft Identity Platform, and the OAuth2 framework, which authorizes access for the application via an authorization code through Microsoft Graph. Cofense researchers discovered a phishing campaign that attempts to trick users into granting permissions to a rogue application, thereby bypassing Microsoft Office 365 multi-factor authentication (MFA). The convincing email contains a link to a PDF document hosted on Microsoft SharePoint that claims to contain salary bonus information. If the link is opened, the user is directed to a spoofed Microsoft Office 365 login page to enter their credentials. Once submitted, the user’s ID token and authorization code are captured by the threat actors via a rogue application, giving that application permission and access to the account without any credentials or the MFA code ever being exposed to it. Because access tokens expire, the “offline_access” permission allows the application to refresh its tokens, potentially enabling indefinite access to the account, including email, contact lists, and sensitive or confidential documents that can be used to commit further compromise or attacks.
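A consent grant of the kind described above leaves a record in the tenant's audit trail, so a defender can periodically review grants to applications that are not on an approved list and that received `offline_access` together with mail, contacts or file scopes. The following Python is an added example and is not code from the NJCCIC advisory or from Microsoft: the log records, application IDs and approved-app list are constructed stand-ins, and the newline-delimited JSON record shape is a simplified assumption rather than Microsoft's actual audit schema.

```python
"""Flag risky OAuth consent grants in a constructed audit-log export.

Added example for illustration only. The record shape is a simplified,
constructed stand-in for a tenant's consent audit events, not the real
Microsoft audit schema. Scope names are Microsoft Graph permission names.
"""
import json
from dataclasses import dataclass, field

# offline_access lets an app keep refreshing tokens after the user's session
# ends, which is what turns a one-time grant into indefinite access.
PERSISTENCE_SCOPE = "offline_access"

# Scopes that expose mailbox, contacts or document content.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read",
    "Files.Read.All", "Files.ReadWrite.All",
}

# Assumption: the tenant's reviewed and approved application (client) IDs.
APPROVED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}

# Constructed sample export: one JSON object per line.
CONSTRUCTED_LOG = """
{"time": "2020-05-26T14:02:11Z", "user": "alice@example.com", "app_id": "11111111-aaaa-4bbb-8ccc-000000000001", "app_name": "Approved Expense Tool", "scopes": "openid profile offline_access Mail.Read"}
{"time": "2020-05-26T14:05:43Z", "user": "bob@example.com", "app_id": "22222222-dead-4eef-9000-000000000002", "app_name": "Bonus Statement Viewer", "scopes": "openid profile offline_access Mail.Read Contacts.Read Files.Read.All"}
{"time": "2020-05-26T14:07:02Z", "user": "carol@example.com", "app_id": "33333333-1234-4abc-8def-000000000003", "app_name": "Team Poll", "scopes": "openid profile User.Read"}
"""


@dataclass
class Finding:
    user: str
    app_id: str
    app_name: str
    risky_scopes: list = field(default_factory=list)
    persistent: bool = False
    reason: str = ""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(event):
    """Return a Finding for an unapproved app holding sensitive scopes, else None."""
    if event["app_id"] in APPROVED_APP_IDS:
        return None  # reviewed app; out of scope for this check
    scopes = set(event["scopes"].split())
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if not sensitive:
        return None  # e.g. only openid/profile/User.Read: low concern
    persistent = PERSISTENCE_SCOPE in scopes
    reason = ("unapproved app granted offline_access plus sensitive data scopes"
              if persistent else "unapproved app granted sensitive data scopes")
    return Finding(event["user"], event["app_id"], event["app_name"],
                   sensitive, persistent, reason)


def find_risky_grants(text):
    """Run the check over an export and return the findings in log order."""
    return [f for f in (assess(e) for e in parse_events(text)) if f is not None]


if __name__ == "__main__":
    for f in find_risky_grants(CONSTRUCTED_LOG):
        print(f"{f.user}: {f.app_name} ({f.app_id}) -> {f.reason}; "
              f"scopes={', '.join(f.risky_scopes)}")
```

Grants that the check flags are candidates for revoking the application's consent and invalidating its refresh tokens; the allow list is what keeps legitimate integrations that also use `offline_access` out of the results.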
The NJCCIC recommends users avoid clicking links or opening attachments in emails from unknown senders, and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. MFA is still considered an effective layer of security protection and should be enabled where available to prevent account compromise as a result of credential theft.