Embarrassing confession: recently I almost fell for a phishing scam. Even though I’m a certified cybersecurity expert with years of training under my belt, a hacker tricked me into entering my username and password on a malicious website. Fortunately, I realized my mistake and changed my password before any damage was done. However, I’ve seen two other incidents in the past month where similar phishing attempts were more successful.

So, what makes these attacks so convincing, and what can you do to protect yourself?

Recognizing the New Phishing Scams

As reported by Microsoft Defender Experts, these latest scams appear to be a multi-stage adversary-in-the-middle (AiTM) phishing attack combined with a business email compromise (BEC) attack. Here’s how they work.

Stage 1: Initial Access Via Trusted Vendor Compromise

What makes these attempts so difficult to spot is that the attack starts with a phishing email from a trusted vendor. In my case the email impersonated a company that I was actively engaged with. The message arrived late in the day, at a time when I was likely rushing through tasks and less vigilant. Hackers know when we’re vulnerable. For example, a Friday afternoon before a long weekend is a great time to send phishing emails.

Stage 2: Malicious URL Click

A link in the message took me to a very convincing Office365 sign-in page. I had to log in to view my “secure document”. It was only after I entered my credentials and nothing happened that I realized this page was likely spoofed.

From the end user’s point of view, you have successfully logged in but see an empty portal or Outlook screen. You might simply assume that the site doesn’t work and move on to the next task. However, the attacker in the middle is watching and waiting. Because your sign-in was relayed through the attacker’s page to the real service, the session token the real service issues on a successful login is captured by the attacker, who then uses that token to access your account.

If you suspect you’ve been compromised, immediately change your password, sign out of everything (so that any stolen session tokens are invalidated), and contact your IT team. Your IT team will look for any persistent sign-in methods or other footholds the hacker may have established.

Stage 3: User Account Modification and Business Email Compromise

Once the attacker has a stolen token, they modify your account so they can get back in later. They set up ways to bypass MFA, such as registering a phone number they control as an additional MFA method. They can also read your email conversations and documents stored in the cloud.

Next, the attacker creates inbox rules to hide their activity. For example, a rule that moves incoming emails to the Archive folder and marks them as read, so you never see them arrive.

With these rules in place, their next step is to launch a large-scale Business Email Compromise (BEC) scam. In the attacks I mentioned earlier, the hacker sent thousands of phishing emails under the victim’s name. This lets them harvest even more valid accounts in other organizations, while also looking for additional ways to commit fraud and steal funds.
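The account modifications and inbox rules described in Stage 3 leave traces in the Microsoft 365 audit log, and an IT team can sweep for them. The following is an added example (not code from the original post or from Invario) that runs over a constructed, simplified audit-log sample: it flags inbox rules that hide mail and raises the severity when the same user also registered a new MFA method from the same client IP shortly before. The record layout, the hiding-folder list and the MFA operation name are assumptions for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in a simplified Unified Audit Log shape (one JSON record per
# line). Field names mirror the real export; every value here is made up.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2024-03-15T16:40:02","UserId":"dave@example.com","Operation":"User registered security info","ClientIP":"203.0.113.7"}
{"CreationTime":"2024-03-15T16:42:11","UserId":"dave@example.com","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"Archive"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-03-14T09:10:33","UserId":"alice@example.com","Operation":"New-InboxRule","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"},{"Name":"MarkAsRead","Value":"False"}]}
"""

# Folders where a rule can park mail unnoticed (the post's example is Archive +
# mark as read); the folder list and the MFA operation name are assumptions.
HIDING_FOLDERS = {"archive", "rss subscriptions", "deleted items", "junk email"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MFA_OPS = {"User registered security info"}

def parse_audit_log(text):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_time"] = datetime.fromisoformat(r["CreationTime"])
    return records

def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_hiding_rule(record):
    """Heuristic: the rule deletes mail, files it in a hiding folder, or moves it and marks it read."""
    if record.get("Operation") not in RULE_OPS:
        return False
    p = _params(record)
    folder = p.get("MoveToFolder", "").lower()
    deletes = p.get("DeleteMessage", "").lower() == "true"
    marks_read = p.get("MarkAsRead", "").lower() == "true"
    return deletes or folder in HIDING_FOLDERS or (marks_read and folder != "")

def find_stage3_indicators(text, window=timedelta(hours=24)):
    """Flag hiding rules; severity is high when the user also added an MFA method from the same IP within window."""
    records = parse_audit_log(text)
    mfa_events = [r for r in records if r["Operation"] in MFA_OPS]
    alerts = []
    for r in records:
        if not is_hiding_rule(r):
            continue
        corroborated = any(
            m["UserId"] == r["UserId"] and m.get("ClientIP") == r.get("ClientIP")
            and abs(m["_time"] - r["_time"]) <= window for m in mfa_events)
        alerts.append({"user": r["UserId"], "rule": _params(r).get("Name"),
                       "severity": "high" if corroborated else "medium"})
    return alerts
```

Before pointing this at a real export, confirm that the operation names and parameter fields match what your tenant actually produces.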

How to Protect Your Organization from This Threat

Hackers continuously change their tactics to bypass our conventional solutions and best practices. While MFA still protects against 98% of attacks, token theft is a growing concern. If you are looking at ways to protect your organization, here are some additional things to consider.

Train End Users to Recognize Phishing

Studies show that human error plays a role in 90% of data breach cases. A regular cycle of security awareness training keeps cyber security top of mind for employees and familiarizes them with the latest threats. I recommend incorporating simulated phishing for an interactive way to bring this training to life. Unfortunately, I often hear objections such as “I don’t want to trick my employees” or “this simulated phishing email is too realistic”. In response, just remember that the hackers aren’t holding back or playing fair. Every simulated phishing email your end users click is one real phishing attempt that has likely been prevented.

Implement System Configurations

System providers continue to improve the tools they offer to combat cyber security threats. I recommend enabling link checking in emails as an added layer of protection. Another best practice is to implement the appropriate conditional access policies for your organization. Conditional access policies evaluate each sign-in request using additional identity-driven signals, such as user or group membership, IP location, and device status, and enforce extra controls on suspicious sign-ins.

An IT provider like Invario can help you understand the best way to mitigate risks without negatively affecting productivity. You will need to weigh the benefits vs. user impact to determine the best course of action for your organization. If you have questions, please reach out and I’m happy to discuss them.

Feedback

If you have questions about this article, or if there is an IT topic you would like to know more about please email me your suggestions.

Referral$

If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.

That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.

Dave Wilson