How hackers are breaking into MFA enabled Microsoft 365 accounts

00:06:00
https://www.youtube.com/watch?v=qItXM_oPmbA

Summary

TLDR: Hackers are increasingly bypassing the multi-factor authentication (MFA) that protects Microsoft 365 accounts by stealing session cookies with a tool called Evil Jinx. The tool serves a convincing fake login page that mimics the legitimate site and tricks users into entering their credentials; when the user completes MFA, the attacker captures the authenticated session cookie at the same time, which gives them full access to the account. To counter this attack vector, organizations are adopting several strategies: a 24/7 Security Operations Center (SOC) to detect suspicious activity, AI-based email phishing protection, and stricter country access policies, including a move from a blocklist to an allow-list of countries permitted to log in, together with stronger authentication for VPN logins. Regular training programs and phishing simulations are run to make employees aware of these threats, and the tool Clarion is used to warn users when they are on a fake login page. These measures are acknowledged to be only temporarily effective, since attackers may eventually circumvent the current defenses, so ongoing adaptation and vigilance remain essential.

Takeaways

  • Hackers bypass MFA by stealing session cookies.
  • Evil Jinx creates fake login pages to deceive users.
  • Security measures include 24/7 monitoring and AI-based phishing protection.
  • Phishing simulations and training enhance awareness.
  • Country access policies are shifting to an allow-list model.
  • Enhanced VPN authentication helps verify user identity.
  • Improved phishing protections aim to block malicious emails.
  • Most attacks occur outside business hours, highlighting the need for constant vigilance.
  • Clarion helps by identifying fake login pages to alert users.
  • Adaptability and constant security improvements are necessary.

Timeline

  • 00:00:00 - 00:06:00

    Hackers are increasingly bypassing multi-factor authentication (MFA), which until recently reliably secured accounts. Originally, phishing attacks tried to trick users into handing over their credentials, and MFA usually stopped the resulting unauthorized login. Tools like Evil Jinx now let attackers craft fake login URLs that mimic legitimate sites such as Microsoft 365 and steal the session cookie once the user has logged in and completed MFA. The stolen cookie lets the attacker use the account without triggering a further MFA prompt. To counter this, organizations are implementing 24/7 security monitoring, AI-based phishing protection, an allow-list model for country access, stronger VPN authentication, and regular security awareness training.
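As an added example (not from the video or from any of the tools it names), the following Python sketch shows the kind of sign-in-log check a SOC could run to spot a replayed session cookie: a session id that passed MFA later appearing from a different IP address, often outside business hours. The log records and their field names are constructed assumptions, not a real Microsoft 365 sign-in schema.

```python
# Added example (not from the video): flag a Microsoft 365 session that passed
# MFA and is later used from a different IP address. A cookie captured by a
# phishing proxy is replayed under the SAME session id, so the theft shows up as
# the session moving to a new network location with no fresh MFA prompt.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (field names are assumptions, not a real schema):
SIGNIN_LOG = [
    {"ts": "2024-05-03T16:55:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "country": "AU", "mfa": True, "interactive": True},
    {"ts": "2024-05-03T16:57:30", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "country": "AU", "mfa": False, "interactive": False},
    {"ts": "2024-05-03T22:40:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "country": "NL", "mfa": False, "interactive": False},
    {"ts": "2024-05-03T09:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "country": "AU", "mfa": True, "interactive": True},
]

def is_after_hours(t, start=9, end=17):
    """True on a weekend (Mon=0 .. Sun=6) or outside start..end local hours."""
    return t.weekday() >= 5 or not (start <= t.hour < end)

def find_session_reuse(events, window=timedelta(hours=24)):
    """Return (user, session, origin_ip, reuse_ip, reuse_country, after_hours)
    for each use of a session from an IP other than the one that passed MFA."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)
    alerts = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # The interactive, MFA-satisfied sign-in is the trusted origin.
        anchor = next((e for e in evs if e["mfa"] and e["interactive"]), None)
        if anchor is None:
            continue  # no MFA sign-in seen for this session; out of scope
        t0 = datetime.fromisoformat(anchor["ts"])
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e is anchor or t < t0 or t - t0 > window or e["ip"] == anchor["ip"]:
                continue
            alerts.append((user, sid, anchor["ip"], e["ip"], e["country"],
                           is_after_hours(t)))
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SIGNIN_LOG):
        print("ALERT: session cookie reuse", alert)
```

In the constructed data the Friday-night use of alice's session from a second IP is the only alert; a real deployment would also compare device and user-agent fingerprints and feed the alert to the 24/7 SOC the video describes.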

Video Q&A

  • How do hackers bypass MFA?

    Hackers use tools like Evil Jinx to steal authenticated session cookies from users.

  • What is Evil Jinx?

    Evil Jinx is a tool used by attackers to create fake login URLs and steal session cookies.

  • What steps are being taken to counteract these attacks?

    Measures include 24/7 security monitoring, improved phishing protection, use of AI, and stricter authentication processes.

  • How does Evil Jinx work with Office 365?

    Attackers use Evil Jinx to create fake Office 365 login pages that appear legitimate, tricking users into providing their details and session cookies.

  • What is Clarion used for?

    Clarion is an open-source tool that warns users if they are on a fake login page.

  • What security improvements are planned?

    Improvements include AI-based phishing protection, geographical restrictions, and enhanced VPN authentication.

  • Why is security monitoring critical?

    Most attacks happen outside business hours, so security monitoring ensures timely detection and response.

  • How does fake login page phishing work?

    Users are tricked into entering credentials on a fake page that looks identical to a real one.

  • What additional security training is provided?

    Monthly security awareness training and phishing simulations for staff.

  • What international restrictions are applied?

    Switching from a high-risk country blocklist to an allow-list model for increased security.

Transcript (en)

  • 00:00:00
    how are hackers beating multi-factor
  • 00:00:02
    authentication we're seeing this attack
  • 00:00:03
    a lot more often these days and it's
  • 00:00:05
    been used to successfully breach
  • 00:00:07
    Microsoft 365 accounts that have MFA
  • 00:00:09
    enabled and nearly every time the user
  • 00:00:11
    has no idea that it's happened the old
  • 00:00:13
    phishing methods they would create a fake
  • 00:00:15
    login screen and they would trick users
  • 00:00:17
    into providing their username and
  • 00:00:18
    password and if the users did that then
  • 00:00:21
    the attackers would try and log in and
  • 00:00:22
    if the account had MFA then the attacker
  • 00:00:25
    would be out of luck they couldn't get
  • 00:00:26
    into the account because they didn't
  • 00:00:27
    have that second form of Authentication
  • 00:00:30
    whether it's a mobile phone or it's an
  • 00:00:32
    SMS code or a phone call or an
  • 00:00:35
    authenticator app and at the time
  • 00:00:37
    Microsoft said 99.9% of these identity
  • 00:00:41
    based attacks are thwarted by MFA and
  • 00:00:44
    there was a big push to roll that MFA
  • 00:00:45
    with security defaults nearly every
  • 00:00:47
    tenant has it now um and it's been
  • 00:00:50
    pretty successful but now I'm going to
  • 00:00:51
    show you a quick one minute rundown on
  • 00:00:54
    how attackers are breaking into MFA
  • 00:00:56
    enabled accounts and then we're going to
  • 00:00:58
    discuss what we're doing to stop it
  • 00:01:00
    so this is the tool called Evil Jinx
  • 00:01:02
    that the attackers use to steal
  • 00:01:04
    authenticated uh session cookies from
  • 00:01:07
    users now they can generate um fake
  • 00:01:09
    links for all of these Services here
  • 00:01:11
    we've got Facebook LinkedIn we're going
  • 00:01:13
    to look at Office 365 right now they're
  • 00:01:15
    going to do a get URL to create a fake
  • 00:01:18
    login URL for Office 365 and then
  • 00:01:20
    they'll put that into a phishing email
  • 00:01:22
    and if your user which is the victim
  • 00:01:23
    here clicks on that URL then they'll be
  • 00:01:26
    taken to this screen here it looks just
  • 00:01:28
    like Microsoft 365 uh the only
  • 00:01:30
    difference is at the top you've got
  • 00:01:32
    login.microsoftonline.com um with two
  • 00:01:35
    L's in online so a lot of people will
  • 00:01:37
    miss that and they'll put in their
  • 00:01:38
    password or put in their username they
  • 00:01:40
    get taken to this screen here which has
  • 00:01:43
    their company branding on it then
  • 00:01:44
    they'll put their password in this is
  • 00:01:45
    their password just so we can see what
  • 00:01:47
    the attacker will steal and they sign in
  • 00:01:50
    so for the user it's got their company
  • 00:01:52
    branding it's asking them for MFA the
  • 00:01:54
    attacker has taken that password and um
  • 00:01:58
    when the user completes MFA here the
  • 00:02:01
    attacker will also steal the
  • 00:02:02
    authenticated cookie which allows the
  • 00:02:04
    attacker later to log in as that user so
  • 00:02:08
    the user thinks they're doing everything
  • 00:02:09
    right they're logging in through a login
  • 00:02:11
    screen which looks just like the company
  • 00:02:12
    branding um they're completing MFA as
  • 00:02:15
    they always do and they're even saying
  • 00:02:17
    no don't keep me signed in because they
  • 00:02:19
    don't want to keep their session um
  • 00:02:21
    active on that computer so then they're
  • 00:02:24
    redirected to this screen there which
  • 00:02:25
    looks just like the Microsoft online
  • 00:02:26
    login screen they won't realize that
  • 00:02:28
    anything bad has happened on the
  • 00:02:29
    attacker side they can see that all the
  • 00:02:31
    authorization tokens have been
  • 00:02:33
    intercepted so the attacker has now
  • 00:02:35
    stolen the cookie that then that they
  • 00:02:37
    can use to log in as the
  • 00:02:40
    victim so they run this here this is the
  • 00:02:44
    cookie the authenticated cookie that
  • 00:02:46
    they can use to access the victim's
  • 00:02:48
    account they open up a browser they go
  • 00:02:50
    to portal.
  • 00:02:52
    office.com they can click on this cookie
  • 00:02:54
    editor here they can paste in that
  • 00:02:58
    cookie
  • 00:03:00
    and then they paste it in
  • 00:03:04
    here and then they click
  • 00:03:06
    import and then once they refresh this
  • 00:03:08
    browser they're going to have full
  • 00:03:10
    access to the victim's
  • 00:03:14
    account so now they're logged in as the
  • 00:03:16
    user here we can see that this is the
  • 00:03:18
    victim that gave away their credentials
  • 00:03:20
    they can click on their files they can
  • 00:03:21
    browse their
  • 00:03:22
    SharePoint they can see their sensitive
  • 00:03:25
    company data they can go into their
  • 00:03:26
    email they can send email they can
  • 00:03:27
    create mail rules they can do anything
  • 00:03:30
    uh that the user can
  • 00:03:31
    do they can even open up their OneDrive
  • 00:03:34
    files and browse through those so what
  • 00:03:37
    are we doing to solve this problem so
  • 00:03:40
    this is our first line of defense here
  • 00:03:42
    it's an open source tool called Clarion
  • 00:03:44
    it's designed specifically to address
  • 00:03:46
    this problem the user enters their
  • 00:03:48
    details um then they're taken to this
  • 00:03:50
    screen where a big warning is displayed
  • 00:03:52
    Clarion has recognized they're not on the
  • 00:03:54
    correct page and warns them not to enter
  • 00:03:56
    their password now this tool does work
  • 00:03:58
    for now but it will eventually be
  • 00:03:59
    circumvented so there's a few things
  • 00:04:01
    we're doing to address this so the first
  • 00:04:03
    thing we're doing is 24x7 security
  • 00:04:06
    operations center, or SOC, monitoring now
  • 00:04:09
    90% of these attacks occur outside of
  • 00:04:11
    business hours so if an attack occurs and
  • 00:04:13
    is successful on a Friday afternoon we
  • 00:04:15
    need to know about it before Monday
  • 00:04:16
    morning and that is what this uh service
  • 00:04:19
    is going to
  • 00:04:20
    stop we're going to do improved phishing
  • 00:04:22
    protection we don't want these emails to
  • 00:04:24
    end up in front of our users in the
  • 00:04:25
    first place so we're going to implement
  • 00:04:27
    some additional AI tooling to help
  • 00:04:29
    prevent the delivery of these
  • 00:04:30
    malicious
  • 00:04:31
    emails we're going to block more
  • 00:04:33
    countries by default we're switching
  • 00:04:35
    from a block list of high-risk countries
  • 00:04:37
    to an allow list model the previous
  • 00:04:39
    setup was if you tried to log in from a
  • 00:04:41
    high-risk country you were blocked and
  • 00:04:43
    everyone else is prompted for MFA now
  • 00:04:45
    that MFA can't be trusted as it once was
  • 00:04:48
    we are going to be switching to an allow
  • 00:04:50
    list model where only certain countries
  • 00:04:52
    are allowed and everything else will be
  • 00:04:54
    blocked by
  • 00:04:56
    default now attackers could get around
  • 00:04:58
    that allow list model by using a VPN so
  • 00:05:01
    we're going to put stricter
  • 00:05:02
    authentication in place for VPNs with
  • 00:05:04
    upgraded security licensing to require
  • 00:05:07
    stronger authentication on a VPN login
  • 00:05:09
    so if a user logs in and they're using a
  • 00:05:11
    VPN to represent themselves as being
  • 00:05:13
    from Australia for example then we are
  • 00:05:16
    going to have some stricter
  • 00:05:17
    authentication methods around that to
  • 00:05:19
    ensure that the user who's logging in is
  • 00:05:21
    who they say they
  • 00:05:23
    are we're going to be implementing
  • 00:05:25
    security awareness training uh that's
  • 00:05:27
    monthly online training for staff to
  • 00:05:29
    help identify and avoid malicious emails
  • 00:05:31
    we're also going to be doing phishing
  • 00:05:33
    simulations um ongoing for all
  • 00:05:37
    users um there are other methods
  • 00:05:39
    depending on how strict you want to go
  • 00:05:41
    with your security here and we have some
  • 00:05:43
    um methods in place that involve things
  • 00:05:44
    like hardware keys and um a zero trust
  • 00:05:48
    security model um if you'd like to
  • 00:05:50
    discuss that um please contact us on
  • 00:05:52
    1300 3691 or support at gc.com thank you
Tags
  • MFA
  • Evil Jinx
  • session cookies
  • Microsoft 365
  • phishing
  • Clarion
  • AI tools
  • security training
  • VPN authentication
  • cybersecurity