New phishing campaign bypasses multi-factor authentication

News by Rene Millman

Hack uses OAuth2 framework and OpenID Connect protocol to access user data, bypassing 2FA.

Security researchers have found a new phishing campaign that gives hackers access to user data without a password.

According to a blog post by Cofense, the tactic uses the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data.

Cofense researcher Elmer Hernandez said that the attack is not, “a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped,” he said. “Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.”

The phishing email is created to look like a normal invite to a SharePoint hosted file about a possible bonus. This leads to what looks like a Microsoft Office 365 login page at However, the URL directs an application to access and copy contacts and send them to a domain based in Bulgaria.

“If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom,” said Hernandez.

“The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.”

Niamh Muldoon, senior director of Trust and Security EMEA at OneLogin, told SC Media UK that this new type of attack demonstrates that multi-factor authentication alone is not enough to protect against increasingly sophisticated phishing attacks and now even traditional forms of two-factor authentication are at risk.

“Multi-factor authentication using the something you are component (biometrics) reduces this risk. Leaders Digital Identity space are using AI to model user behaviours for access to systems and data, if a user’s risk profile changes then so do does their authentication mechanism along with ability to execute privileges, this makes it more complex and difficult for malicious attackers to be successful in gaining access,” she said.

Daniel Conrad, field strategist at One Identity, told SC Media UK that this is a very well-crafted phish as it “front ends” O365 with a malicious SharePoint site. When the user authenticates to O365 it grants this site access to the users data. It goes beyond the simple gaining of a user’s password and possibly moving laterally or elevating privilege.

“From an attacker’s perspective, this type of effort would be used for specific targets (aka “whaling”), where they would attempt to get specific account information from specific, high-level users. It’s a bit like a man-in-the-middle but for O365. Once authenticated, they would have access to anything stored on the O365 platform such as corporate email, contacts, OneDrive, etc., which they can take and hold for ransom or use maliciously,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews