Microsoft Uncovers Evolved Phishing Campaign: Targets Those Without MFA

JANUARY 27TH, 2022

The Microsoft 365 Defender Threat Intelligence Team has recently uncovered a new phishing trick that should make anyone without multi-factor authentication sit up and take notice. Microsoft notes that this latest attack form builds on traditional phishing tactics by joining an attacker-controlled device to the organization’s network and then using it to spread the campaign.

Missing Multi-Factor Authentication Is the Key Vulnerability

Microsoft says the campaign started with hackers stealing credentials from target organizations via a phishing campaign. These credentials were then used for the second, more damaging phase. Hackers used the compromised accounts to spread the attack within the network via lateral phishing—and outside the network via outbound spam.

The common thread in successful breaches during the second stage of the campaign was that victims didn’t have multi-factor authentication (MFA) in place. MFA is a crucial element for securing devices and networks because, without this extra layer of cybersecurity, hackers can use freshly stolen credentials to hijack an account, register a device under it, and operate that device on the network.

The Microsoft post includes examples of the spoofed phishing emails: remarkably authentic-looking messages and dialog boxes that use the DocuSign and Microsoft Outlook brands. It’s understandable why anyone would be fooled into clicking the link.

Defense and Remediation

But here's your key takeaway: For organizations that did have MFA in place, the attack was contained for most targets. For organizations that didn’t have MFA in place, the attack spread. If you aren’t using MFA throughout your organization, it’s time you do.

Microsoft also offers guidance and links for remediating device persistence, noting that resetting passwords isn’t enough. The post says that good credential hygiene, network segmentation, and similar best practices are also vital defense tactics, along with advanced security solutions that provide visibility across domains and coordinate threat data across protection components.

On a side note, Arcserve UDP features MFA to ensure your backups are always protected. Stay tuned for updates.