Multi-factor authentication (MFA) has long been touted as one of the best ways to secure online accounts. In a 2019 analysis, Microsoft reported that accounts using MFA are more than 99.9% less likely to be compromised by automated credential attacks, a rather powerful statistic.
As time would tell, businesses were not the only ones moved by this data; cybercriminals were quite inspired, too.
Today, bad actors routinely get around MFA without breaking it: they trick users into completing a genuine MFA prompt through an attacker-controlled proxy, which then walks away with the authenticated session. We see this most often against Microsoft 365. These are known as adversary-in-the-middle (AiTM) attacks, and they are as difficult to spot as they are dangerous.
We’ve seen a surge in these attacks across the mid-sized law firm and association space, so we thought it prudent to dig into how these attacks work and how to minimize your risk.
How AiTM Phishing Scams Work
Here’s one way these attacks can play out:
| What you see happening | What is actually happening |
|---|---|
| You receive an email from a vendor you work with, containing a link to a document. | You receive a phishing email sent from that vendor's compromised mailbox, with a link to a fake document. |
| You click the link and a Microsoft sign-in page opens to access the document. | You click the link and a fake Microsoft sign-in page opens. It is a reverse proxy sitting between your browser and the real Microsoft sign-in service, so it looks identical, right down to your organization's branding. |
| You sign in and receive an MFA prompt. | You sign in, and the fake page acts as a middleman. It forwards your username and password to Microsoft in real time, then relays the genuine MFA prompt back to you. |
| You enter the code but still can't get the document to open. | You enter the code, the proxy forwards it, and Microsoft issues a session cookie that marks your browser as authenticated. The proxy captures that cookie on the way back, and the bad actor loads it into their own browser to enter your account without needing your password or another MFA prompt. You can't open the document because it never existed. |
| You reply to the vendor to say so, but don't hear back. | You reply to the vendor, but don't hear back because that vendor's mailbox is also compromised, and the bad actor set up inbox rules there to hide related emails. |
| Weeks pass and you forget about this email. | Weeks pass and you forget about this email. All the while the bad actor sits in your mailbox, reading your email and learning who you do business with. |
| You start getting phone calls about a strange email you sent, except you didn't. You didn't receive any replies or bounces either. | The bad actor sent another phishing email with a malicious link to your entire contact list. You didn't receive any replies or bounces because the bad actor, again, created inbox rules to hide them. |
| You contact your IT team immediately so they can investigate. | You contact your IT team immediately so they can investigate. |
In this example your ego is probably taking the biggest hit. Once your IT team secures your account (revoking every active session as well as resetting the password, and removing any inbox rules the attacker created), you will want to send a notice to your contacts warning them not to engage with the link.
Far more serious outcomes include the bad actor stealing sensitive information for sale or extortion, deploying ransomware, or committing financial fraud by inserting themselves into payment conversations and diverting large sums of money from your clients or members.
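The following simulation is an added example, not code from the original post or from any Microsoft component. It models the exchange in the table above with a toy identity provider, a toy AiTM proxy and a victim, and then repeats it with the session cookie bound to a key held on the victim's device (a stand-in for device-bound sessions; real deployments use asymmetric, TPM-backed keys, this toy uses a shared HMAC key). All names (IdentityProvider, AitmProxy, run_scenario, the user "alice" and her password and code) are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of the AiTM flow. IdentityProvider, AitmProxy and the
# cookie/device-key scheme are assumptions for this example, not Microsoft's code.


class IdentityProvider:
    """Toy identity provider: password + one-time code, then a session cookie.

    With bind_to_device=True the cookie is only honoured together with a fresh
    proof computed with a key that lives on the enrolled device.
    """

    def __init__(self, users, otp_codes, device_keys, bind_to_device):
        self.users = users              # username -> password
        self.otp_codes = otp_codes      # username -> current MFA code
        self.device_keys = device_keys  # username -> enrolled device key
        self.bind_to_device = bind_to_device
        self.sessions = {}              # cookie -> username
        self.open_nonces = set()

    def login(self, user, password, otp):
        """Password and MFA code both correct -> a bearer session cookie."""
        if self.users.get(user) != password or self.otp_codes.get(user) != otp:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def challenge(self):
        """Fresh nonce the client must sign with its device key (when binding is on)."""
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def read_mailbox(self, cookie, nonce=None, proof=None):
        user = self.sessions.get(cookie)
        if user is None:
            return None
        if self.bind_to_device:
            if nonce not in self.open_nonces or proof is None:
                return None
            self.open_nonces.discard(nonce)  # each nonce is usable once
            expected = hmac.new(self.device_keys[user], nonce, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, proof):
                return None
        return f"mailbox of {user}"


class AitmProxy:
    """The fake sign-in page: relays everything to the real IdP and keeps a copy of the cookie."""

    def __init__(self, idp):
        self.idp = idp
        self.captured_cookie = None

    def login(self, user, password, otp):
        cookie = self.idp.login(user, password, otp)  # victim's password and MFA code go to the real IdP
        self.captured_cookie = cookie                 # the Set-Cookie on the way back is copied ...
        return cookie                                 # ... and still handed to the victim


def sign_with_device(device_key, nonce):
    """What an enrolled device does per request: prove possession of its key."""
    return hmac.new(device_key, nonce, hashlib.sha256).hexdigest()


def run_scenario(bind_to_device):
    """Returns (victim_can_read_mailbox, attacker_can_read_mailbox)."""
    device_key = secrets.token_bytes(32)
    idp = IdentityProvider({"alice": "correct horse"}, {"alice": "123456"},
                           {"alice": device_key}, bind_to_device)
    proxy = AitmProxy(idp)

    # The victim types the real password and the genuine MFA code into the fake page.
    # MFA succeeds; it was never attacked, it was relayed.
    cookie = proxy.login("alice", "correct horse", "123456")

    # Victim's own browser: has the cookie and, on an enrolled device, the key.
    nonce = idp.challenge()
    victim_ok = idp.read_mailbox(cookie, nonce, sign_with_device(device_key, nonce)) is not None

    # Attacker's machine: has the captured cookie but no device key, so it cannot sign a fresh nonce.
    nonce = idp.challenge()
    attacker_ok = idp.read_mailbox(proxy.captured_cookie, nonce, None) is not None
    return victim_ok, attacker_ok


if __name__ == "__main__":
    print("bearer cookie       (victim, attacker):", run_scenario(bind_to_device=False))
    print("device-bound cookie (victim, attacker):", run_scenario(bind_to_device=True))
```

With a plain bearer cookie both the victim and the attacker read the mailbox; with the cookie bound to the device the attacker's replay fails. Note the limit of this control: while the victim's session is live, the proxy can still relay signed requests in real time, so device binding stops the replay from the attacker's own machine, not the live proxying. Phishing-resistant MFA (FIDO2 security keys, passkeys) closes the login step itself, because the authenticator signs only for the genuine origin and refuses the proxy's domain.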
How to Protect Your Business
As you can see, these scams are sophisticated and wildly effective.
This underscores the need for a multi-layered approach to your organization's cybersecurity defense and response strategy. One attack touches email delivery, the sign-in flow, the session, the endpoint and the people involved, so each of those points needs its own control, to maximize the chance that when one fails another still catches it.
Here’s what to consider:
- Harden your email security. Evaluate your spam filter and settings. Use Safe Links, turn on external sender warning banners, and block automatic forwarding to external addresses. Brand your Microsoft login page, with one caveat: an AiTM proxy relays the real sign-in page, branding included, so branding helps users spot crude fakes but will not expose a proxied sign-in. Add Enterprise Mobility + Security licensing so that Conditional Access is available to you. And make sure everything is backed up.
- Implement Zero Trust security. Take the stolen cookie out of the equation: use Conditional Access to require a compliant or Entra-joined device for Microsoft 365 apps, so that a cookie replayed from the attacker's machine is refused; where your licensing allows, turn on token protection so sign-in sessions are bound to the device that obtained them; and move users to phishing-resistant MFA (FIDO2 security keys, passkeys, or Windows Hello for Business), which will not authenticate to a proxy's domain at all. Shorten sign-in frequency for unmanaged devices so that any session that does leak expires quickly.
- Prioritize security awareness training. Does your team know attacks like this are not just possible, but increasingly frequent? Do they know that receiving the usual MFA prompt is not proof that the page they are on is genuine, and that the address bar is the only thing the proxy cannot forge? If you've turned on external warning banners, do they know why? Education must be ongoing and continuously updated. Phishing simulations are a must.
- Go (far) beyond anti-virus. Cover all endpoints (laptops, servers, etc.) with endpoint detection and response software that uses behavioral and AI-based detection, like SentinelOne, and have it monitored 24/7. Keep in mind that an AiTM attack leaves no malware on the victim's machine; the endpoint tool is there to catch what the attacker does next, so it must be paired with monitoring of your Microsoft 365 sign-in and audit logs.
- Update your incident response plan. Would every person on your team know to immediately alert IT if they receive calls about strange emails in their name? Have you identified all the parties responsible for response, remediation, investigation, and notification? Does the playbook for a compromised mailbox revoke all active sessions (not only reset the password), delete attacker-created inbox rules, and review recent sign-ins for the session that was replayed from an unfamiliar network?
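Two of the checks above can be automated against exported logs. The block below is an added example, not code from the original post or from Microsoft; the sign-in records and inbox rules are constructed sample data, loosely modelled on the fields in Entra ID sign-in logs and Exchange Online inbox rules, and the function names (find_session_reuse, find_suspicious_inbox_rules) and keyword lists are assumptions for this example. The first function flags a session identifier that reappears from a different network shortly after it was issued, which is what a replayed cookie looks like; the second flags inbox rules that hide security-related mail or route it into folders nobody reads.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins (not a real log export). The second "alice" record
# reuses session s-1 from a different network with no MFA: a replayed cookie.
SIGNINS = [
    {"time": "2024-05-06T09:02:10", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "asn": "AS64496", "mfa": True},
    {"time": "2024-05-06T09:17:45", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.7", "asn": "AS64500", "mfa": False},
    {"time": "2024-05-06T10:00:00", "user": "bob@example.com", "session_id": "s-2",
     "ip": "203.0.113.11", "asn": "AS64496", "mfa": True},
    {"time": "2024-05-06T13:30:00", "user": "bob@example.com", "session_id": "s-2",
     "ip": "203.0.113.11", "asn": "AS64496", "mfa": False},
]

# Constructed sample inbox rules (not a real export). The first two are typical of
# what an attacker creates; "Newsletter" is an ordinary user rule.
INBOX_RULES = [
    {"name": "..", "from_contains": [], "subject_contains": ["phish", "hacked", "undeliverable"],
     "delete": True, "move_to": None, "mark_read": True},
    {"name": "Vendor", "from_contains": ["@vendor.example"], "subject_contains": [],
     "delete": False, "move_to": "RSS Feeds", "mark_read": True},
    {"name": "Newsletter", "from_contains": ["news@"], "subject_contains": [],
     "delete": False, "move_to": "Newsletters", "mark_read": False},
]

# Assumed watch-lists for this example; tune them to your own environment.
SUSPECT_WORDS = ("phish", "hack", "compromise", "suspicious", "undeliverable",
                 "delivery", "password", "fraud", "scam")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items")


def find_session_reuse(signins, window=timedelta(hours=24)):
    """Flag a session ID that reappears from a different ASN within the window."""
    first_seen = {}
    findings = []
    for rec in sorted(signins, key=lambda r: r["time"]):
        key = (rec["user"], rec["session_id"])
        if key not in first_seen:
            first_seen[key] = rec
            continue
        first = first_seen[key]
        elapsed = datetime.fromisoformat(rec["time"]) - datetime.fromisoformat(first["time"])
        if rec["asn"] != first["asn"] and elapsed <= window:
            findings.append({"user": rec["user"], "session_id": rec["session_id"],
                             "from": first["ip"], "to": rec["ip"]})
    return findings


def score_inbox_rule(rule):
    """Return the reasons a rule looks attacker-made, or [] if it looks benign."""
    reasons = []
    if not rule["name"].strip(". "):
        reasons.append("blank or punctuation-only name")
    terms = rule["subject_contains"] + rule["from_contains"]
    hits = [t for t in terms if any(w in t.lower() for w in SUSPECT_WORDS)]
    if hits:
        reasons.append(f"matches security-related words: {hits}")
    hides_in_folder = bool(rule["move_to"]) and rule["move_to"].lower() in HIDING_FOLDERS
    if rule["delete"]:
        reasons.append("deletes messages")
    if hides_in_folder:
        reasons.append(f"moves messages to rarely viewed folder {rule['move_to']!r}")
    if rule["mark_read"]:
        reasons.append("marks messages as read")
    # Suspicious only when the rule actually hides mail and shows a second attacker trait.
    hides = rule["delete"] or hides_in_folder
    return reasons if hides and len(reasons) >= 2 else []


def find_suspicious_inbox_rules(rules):
    flagged = []
    for rule in rules:
        reasons = score_inbox_rule(rule)
        if reasons:
            flagged.append({"name": rule["name"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in find_session_reuse(SIGNINS):
        print(f"session reuse: {f['user']} session {f['session_id']} {f['from']} -> {f['to']}")
    for f in find_suspicious_inbox_rules(INBOX_RULES):
        print(f"inbox rule {f['name']!r}: " + "; ".join(f["reasons"]))
```

Run against the sample data, the first function reports alice's session s-1 moving from 203.0.113.10 to 198.51.100.7, and the second flags the rule named ".." and the "Vendor" rule, while leaving "Newsletter" alone. In production the same logic runs over sign-in log exports (the session identifier is the join key) and over the output of an inbox-rule listing for every mailbox, and the ASN comparison should be joined with whatever IP reputation data you have.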
Unless you’re a cybersecurity firm, it’s simply not possible for you to keep up with all of these threats and best practices on your own. Make sure you’re confident that you have a provider who is doing this for you. If you aren’t, we’d love to chat!