New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Lakados

https://www.bleepingcomputer.com/ne...hing-kit-targets-microsoft-365-gmail-accounts

It's only going after O365 and Gmail now, but I can see how it could easily be expanded.

And people wonder why I have trust issues...

 
The tl;dr is it impersonates you to the legit server and steals your credentials and session cookie, which (for the duration it's valid) bypasses the subsequent need for MFA.

The last step seems to be relaying the captured info via proxy to the official servers, presumably to avoid region detection heuristics? (and ofc not sending directly from known-malicious sources :p)
 
So they faked the MFA page? Not surprising or anything that special.
More complex than that. It essentially man-in-the-middles your MFA and presents itself as you to the legitimate server. That also serves to bypass some of the protections done server side to prevent unauthorized login attempts, because using Cloudflare ensures their attack comes from a geographically similar location to your normal requests without using a VPN, and Microsoft and Google both keep known VPN exit nodes under close scrutiny for bad actors.
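The mechanism the two posts above describe, as an added illustration that is not part of the thread and not the kit's own code: a Python simulation of a reverse-proxy phishing kit that relays the victim's password and TOTP to the real server, keeps the session cookie the server hands back, and replays it later with no MFA prompt until the cookie expires. The second half goes one step beyond the thread to show why origin-bound authentication (WebAuthn/FIDO2-style) does not relay the same way: the authenticator signs the origin the browser is actually on, which through a proxy is the lookalike domain. The user, seeds, origins and cookie format are all constructed, and HMAC stands in for the real signature algorithm.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed for illustration only: seeds, origins and the cookie format are made up.
TOTP_SEED = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-webauthn-device-key"
LEGIT_ORIGIN = "https://login.legit.example"
PHISH_ORIGIN = "https://login.legit-example.com"  # the lookalike the victim really visits


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits): the one-time code the victim types in."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> dict:
    """Toy WebAuthn authenticator: the signature covers the origin the browser is on.
    HMAC stands in for ECDSA; the origin binding is the point being demonstrated."""
    client_data = f"{challenge.hex()}|{origin}".encode()
    return {"client_data": client_data,
            "sig": hmac.new(device_key, client_data, hashlib.sha256).hexdigest()}


class LegitServer:
    """The real identity provider. It only ever sees requests, never the phishing page."""

    def __init__(self):
        self.users = {"alice": {"pw": "hunter2", "totp": TOTP_SEED, "device_key": DEVICE_KEY}}
        self.sessions = {}  # cookie -> (user, expiry); a plain bearer token

    def _issue(self, user: str, now: int) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, now + 3600)  # valid for one hour
        return cookie

    def login_totp(self, user, pw, code, now):
        u = self.users.get(user)
        if u and u["pw"] == pw and hmac.compare_digest(totp(u["totp"], now), code):
            return self._issue(user, now)
        return None

    def login_webauthn(self, user, assertion, challenge, now):
        """Origin-bound check: signed clientData must name THIS server's origin."""
        u = self.users.get(user)
        if not u:
            return None
        expected = hmac.new(u["device_key"], assertion["client_data"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        ch, origin = assertion["client_data"].decode().split("|", 1)
        if ch != challenge.hex() or origin != LEGIT_ORIGIN:
            return None  # the authenticator signed the phishing origin: rejected
        return self._issue(user, now)

    def whoami(self, cookie, now):
        s = self.sessions.get(cookie)
        return s[0] if s and now < s[1] else None


class AitmProxy:
    """The phishing kit: relays the victim's input to the real server verbatim and
    keeps a copy of everything, including the session cookie the server returns."""

    def __init__(self, upstream: LegitServer):
        self.upstream = upstream
        self.loot = []

    def login_totp(self, user, pw, code, now):
        cookie = self.upstream.login_totp(user, pw, code, now)
        if cookie:
            self.loot.append({"user": user, "pw": pw, "otp": code, "cookie": cookie})
        return cookie  # victim is logged in for real and sees nothing odd

    def login_webauthn(self, user, assertion, challenge, now):
        return self.upstream.login_webauthn(user, assertion, challenge, now)


def run_demo(now: int = 1_711_409_642) -> dict:
    server, proxy = LegitServer(), None
    proxy = AitmProxy(server)
    # 1. Victim enters password + current TOTP on the lookalike page; the kit relays them.
    proxy.login_totp("alice", "hunter2", totp(TOTP_SEED, now), now)
    stolen = proxy.loot[0]["cookie"]
    # 2. Attacker replays the cookie ten minutes later: no password, no MFA prompt.
    replay_ok = server.whoami(stolen, now + 600)
    # 3. Expiry of the cookie is what ends the free ride.
    replay_expired = server.whoami(stolen, now + 3601)
    # 4. Same kit, phishing-resistant MFA: the signed origin is the lookalike, so it fails.
    challenge = secrets.token_bytes(16)
    via_proxy = proxy.login_webauthn("alice", authenticator_sign(DEVICE_KEY, challenge, PHISH_ORIGIN), challenge, now)
    direct = server.login_webauthn("alice", authenticator_sign(DEVICE_KEY, challenge, LEGIT_ORIGIN), challenge, now)
    return {"replay_ok": replay_ok, "replay_expired": replay_expired,
            "webauthn_via_proxy": via_proxy, "webauthn_direct_ok": direct is not None}


if __name__ == "__main__":
    print(run_demo())
```

The takeaway matches the thread: a relayed TOTP is worth exactly one session, but that session is a bearer cookie, so shortening cookie lifetime and revoking sessions on suspicion shrinks the window, while origin-bound credentials remove the relay path altogether.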
 
I'd say this is definitely more on the sophisticated side. But, it does still require that the user:
  1. Ignore where the link came from (email address or website)
  2. Ignore where the link takes them (of course...most users don't know the home page of the MSFT or Google authentication pages, but maybe some could recognize a fake URL....if they ever checked the URL in the first place)
So, it can still be defeated by normal phishing education. Which of course has a 120% success rate, everyone pays attention, no exceptions, everyone knows better now and we cry crystalline tears over other poor companies who don't know better.

Guess we have to start making our users check the URL of their login page....maybe?
 