Phishing attack targets Office 365 and bypasses MFA


We’ve seen a lot of new phishing variations in the past few months, as attackers get more persistent and people become more vulnerable. This isn’t new: cyber attacks like these constantly evolve to get around security practices. But a new cyber scam has been able to bypass MFA to gain access to people’s Microsoft Office data so that the cyber criminals can hold it for ransom.


Multi-factor authentication (MFA) is supposed to be a solid barrier between hackers and your accounts. If your credentials get stolen in a phishing scam, you’re supposed to be protected by that extra layer of security. But this new scam has found a way around that layer and could put a lot of people at risk of losing important information.

This new campaign is similar to a lot of phishing scams in that it uses links to trick people into giving attackers access. But it differs from a traditional credential harvester because its goal is to bypass the permissions and MFA, not to get your login. It also gets the user to approve this access to their data without them realizing that anything is amiss.

A user receives an email that appears to be a normal share link for a page or document on SharePoint, sent by someone they may know. The user decides to check it out; it seems pretty standard, but it promises a potential Q1 bonus, prompting them to click the link without making sure it’s legitimate or hovering over the link to see if it looks fishy. They are taken to a legitimate-looking login page that passes for the real thing unless you take a hard look at the full URL and realize it is far longer than it should be.

The extra length comes from parameters added to let the hacker gain access to the account by bypassing MFA entirely. This gives the hacker access to the user’s emails and everything in their cloud storage, including sensitive documents.
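A link-triage check for the long URL described above, as an added example that is not part of the original article. It assumes the extra parameters are standard OAuth 2.0 authorization-request parameters (`scope`, `redirect_uri`), which the article does not name; the allowlist, length threshold, function name and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts your organisation accepts as sign-in redirect targets.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "www.office.com"}
# Assumption: scope keywords implying access to mail, files or long-lived tokens.
SENSITIVE_SCOPE_WORDS = ("mail", "files", "contacts", "offline_access")
MAX_URL_LENGTH = 200  # assumption: tune to your own baseline


def triage_link(url):
    """Return a list of reasons a sign-in link deserves a closer look."""
    findings = []
    params = parse_qs(urlsplit(url).query)

    if len(url) > MAX_URL_LENGTH:
        findings.append(f"long URL ({len(url)} characters)")

    # A link that asks for delegated permissions rather than just a login.
    scopes = " ".join(params.get("scope", [])).lower().split()
    risky = [s for s in scopes if any(w in s for w in SENSITIVE_SCOPE_WORDS)]
    if risky:
        findings.append("requests access: " + ", ".join(risky))

    # Where the sign-in result is sent once the user approves.
    for target in params.get("redirect_uri", []):
        host = (urlsplit(target).hostname or "").lower()
        if host not in TRUSTED_REDIRECT_HOSTS:
            findings.append(f"redirects to untrusted host: {host or 'unknown'}")

    return findings


# Constructed sample links (placeholder values, not taken from the campaign).
SUSPICIOUS = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsharepoint-bonus.example.test%2Fcallback"
    "&scope=offline_access%20Mail.Read%20Files.ReadWrite.All&state=12345"
)
PLAIN = "https://login.microsoftonline.com/"

if __name__ == "__main__":
    for link in (SUSPICIOUS, PLAIN):
        print(link[:60], "->", triage_link(link) or "nothing flagged")
```

The genuine Microsoft host in the sample link is why the login page passes for the real thing; the warning signs sit in the query string, not the domain.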

The issue is not only their ability to hold your documents for ransom, but their complete access to your email without you knowing. They could send emails pretending to be you to your entire contact list with a dangerous link, and no one would know. Your entire contact list could then have their own documents compromised and held for ransom. This is the main goal of any hacker: to infect as many people as possible.

The best way to combat this is by being smart and being informed. Emails that come off as too good to be true probably are and should be avoided. Be skeptical of links that are sent to you; it doesn’t hurt to send that person an email on a separate thread to confirm its authenticity, or to give them a call. Cyber criminals are always adjusting their attacks to be more effective and sneaky, so we need to stay one step ahead of them by being wary of the things we know to look out for and staying updated on new cyber attacks as they appear.
