A recently reported phishing campaign against Microsoft 365 accounts lets attackers get past multi-factor authentication (MFA). The campaign takes its name from the "ONNX Store" phishing kit used to run it; despite the name, it has nothing to do with the Open Neural Network Exchange (ONNX) AI model format, and no model files are involved. The attackers do not break MFA itself: they steal the session the victim establishes after completing MFA and reuse it, which gives them access to the account even though MFA is enabled.
A typical email in the attack purports to send the employee a human resources-related PDF, such as an employee handbook or a salary remittance slip. The document impersonates Adobe or Microsoft 365 and tries to get the recipient to scan a QR code that, once scanned, directs the victim to a phishing landing page. QR codes are increasingly used because the URL is embedded in an image: link-scanning email gateways often miss it, and the victim usually scans it with a personal phone that sits outside corporate endpoint controls. The attacker-controlled landing page is an adversary-in-the-middle (AitM) proxy: it relays the victim's username, password and MFA response to the real Microsoft sign-in flow and captures the session token Microsoft issues once MFA succeeds.
Here's a simplified breakdown of how the bypass technique works:
- Token Capture: Because the phishing page proxies the real sign-in, the attacker captures the Microsoft 365 session token (cookie) that is issued only after the victim has successfully entered their credentials and satisfied MFA. This token acts as a digital key that grants access to the user's account.
- Token Reuse: The attacker presents the stolen token from their own machine instead of starting a new sign-in. MFA is enforced at the initial authentication, not on every request that carries an already-authenticated session, so reusing the token skips the username/password and MFA checks entirely.
- Access Without MFA Prompt: Because the session already satisfied MFA, no new MFA prompt is triggered. To the service, the attacker's requests look like the victim's legitimate session, so nothing in the victim's own experience flags the intrusion; the only trace is the same session suddenly being used from a different IP address and client.
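The replay pattern in the three steps above leaves exactly one observable: one authenticated session appearing from a new client fingerprint without MFA being performed again. The following is an added detection example written for this post, not code from the original or from any vendor; it runs over constructed sign-in records (the field names `session_id`, `ip`, `user_agent` and `mfa_performed` are an assumption, loosely modelled on what you would extract from Microsoft Entra ID sign-in logs) and flags a session that is reused from a different IP or user agent with no fresh MFA step inside the lookback window.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records, loosely modelled on the fields you would pull
# from Microsoft Entra ID sign-in logs (session id, client IP, user agent, whether
# MFA was actually performed in this request). Made up for this example; not real data.
SAMPLE_SIGNINS = [
    # Victim signs in on the corporate laptop and completes MFA.
    {"time": "2024-06-20T09:01:12Z", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/125",
     "mfa_performed": True},
    # Same session continues from the same client: normal, no new MFA expected.
    {"time": "2024-06-20T09:03:40Z", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/125",
     "mfa_performed": False},
    # Same session presented minutes later from a different network and client,
    # with no MFA prompt: the token replay pattern described above.
    {"time": "2024-06-20T09:17:05Z", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "198.51.100.77", "user_agent": "python-requests/2.31",
     "mfa_performed": False},
    # A different user moves to a new device and gets a fresh MFA prompt: benign,
    # because a new sign-in creates a new session rather than reusing the old one.
    {"time": "2024-06-20T10:00:00Z", "user": "bob@example.com", "session_id": "sess-2",
     "ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/125",
     "mfa_performed": True},
    {"time": "2024-06-20T10:45:00Z", "user": "bob@example.com", "session_id": "sess-3",
     "ip": "192.0.2.55", "user_agent": "Mozilla/5.0 (iPhone) Safari/17",
     "mfa_performed": True},
]


def _parse_time(stamp):
    # ISO-8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_token_replay(events, window=timedelta(hours=12)):
    """Flag events where an already-authenticated session shows up from a new
    client fingerprint (IP and/or user agent) without MFA being performed again.

    Returns a list of alert dicts; an empty list means nothing suspicious."""
    first_seen = {}  # (user, session_id) -> (time, ip, user_agent) of the first sighting
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["session_id"])
        now = _parse_time(ev["time"])
        if key not in first_seen:
            first_seen[key] = (now, ev["ip"], ev["user_agent"])
            continue
        t0, ip0, ua0 = first_seen[key]
        changed = [name for name, old, new in (("ip", ip0, ev["ip"]),
                                               ("user_agent", ua0, ev["user_agent"]))
                   if old != new]
        # A session is only interesting if its client fingerprint changed AND the
        # service accepted it without a new MFA step inside the lookback window.
        if changed and not ev["mfa_performed"] and now - t0 <= window:
            alerts.append({
                "user": ev["user"],
                "session_id": ev["session_id"],
                "first_seen_from": ip0,
                "replayed_from": ev["ip"],
                "changed": changed,
                "minutes_after_mfa_login": int((now - t0).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_SIGNINS):
        print(alert)
```

Treat a hit as a triage signal rather than proof: a phone switching from Wi-Fi to mobile data also changes the IP mid-session, which is why the example only alerts when MFA was not performed again and reports which attributes changed. A session that changes both IP and user agent, as in the constructed record, deserves an immediate session revocation and password reset.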
This campaign is a reminder that cybersecurity is an ever-evolving field: MFA remains essential, but a session established through MFA is only as safe as the place the user entered it.
Takeaway:
- Stay alert when using QR codes. QR codes have been abused in attacks almost since their inception. Just like URL shorteners, you don't know where you will land until you are there, and attackers continue to find creative ways to abuse them.
- ALWAYS check the URL before you enter any credentials: the host must be a genuine Microsoft sign-in host, not merely a page that looks like one.
- Walk away from any webpage you reached from an unknown or untrusted email that prompts for credentials.
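"Check the URL" is easier said than done when the address is a long string decoded from a QR code, so here is an added example (written for this post, not the author's or Microsoft's code) of the checks a practitioner would apply before entering Microsoft 365 credentials. The allowlist of sign-in hosts is an assumption for a plain Entra ID tenant; a federated tenant would also need its own identity-provider host added. The sample URLs are constructed and cover the usual tricks: the real name used as a subdomain of the attacker's domain, userinfo before the host, plain http, and homoglyph or punycode lookalikes.

```python
from urllib.parse import urlsplit

# Hosts on which a Microsoft 365 credential prompt is legitimate. Assumption for this
# example: a plain Entra ID tenant. A federated tenant would also list its own
# identity-provider host (for example an AD FS endpoint); add those explicitly.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def classify_login_url(url):
    """Return (ok, reason) for a URL decoded from a QR code or copied from the
    address bar, answering: is it safe to type Microsoft 365 credentials here?"""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # urlsplit lowercases the scheme for us
        return False, "not https (scheme %r)" % parts.scheme
    # "https://login.microsoftonline.com@evil.example/" parses with the trusted
    # name as userinfo and evil.example as the real host.
    if parts.username is not None:
        return False, "userinfo before the host; real host is %r" % parts.hostname
    # .hostname drops the port and lowercases; strip a trailing dot (FQDN form).
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii():
        return False, "non-ASCII host %r (possible homoglyph lookalike)" % host
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host %r (possible homoglyph lookalike)" % host
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "trusted login host %s" % host
    # Catch "login.microsoftonline.com.evil.example": the real name is on the LEFT,
    # but only the rightmost labels decide who owns the site.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if host.startswith(trusted + "."):
            return False, "%s used as a subdomain of %s" % (trusted, host[len(trusted) + 1:])
    return False, "untrusted host %r" % host


# Constructed sample URLs for demonstration; none of the attacker hosts are real.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://LOGIN.MICROSOFTONLINE.COM:443/",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.evil.example/login",
    "https://login.microsoftonline.com@evil.example/",
    "https://xn--lgin-microsoftonline-bnb.com/",
    "https://l\u00f6gin.microsoftonline.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        ok, reason = classify_login_url(sample)
        print("%-5s %-70s %s" % ("OK" if ok else "STOP", sample, reason))
```

The checks are deliberately ordered so the most deceptive forms are rejected with a specific reason before the allowlist is consulted; a reason string you can show to a user ("login.microsoftonline.com used as a subdomain of evil.example") teaches more than a bare block.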
Continue educating yourself on different MFA bypass techniques, and use phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based authentication) wherever possible, in your business and personal life: these bind the authentication to the genuine site, so an AitM proxy cannot complete the sign-in on the attacker's behalf.
#ALTACyber
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------