Fake Microsoft 365 applications used to steal authentication tokens


Since the beginning of the year, a campaign run by attackers has been trying to capture multi-factor authentication tokens. As a reminder, multi-factor authentication lets a user set up a second factor to authenticate, in addition to the password. Most often this is an action carried out on a phone, such as entering a six-digit code or accepting a notification after authentication.

These additional factors are effective protection against password theft in most cases: it is then impossible to sign in without also having the smartphone and the means of authenticating on it (biometrics or code). However, this protection is not absolute.

In a post published on July 31, the security company Proofpoint describes a campaign whose first signs were observed at the start of the year. The well-organized attackers created fake Microsoft applications using the OAuth protocol so that the generated authentication tokens are sent to specific addresses.

Source: Proofpoint

These fake Microsoft 365-style pages are well made, so as to deceive users' vigilance. They can take various appearances, pretending to come from Adobe or RingCentral, or looking like legitimate DocuSign requests. About fifty applications of this kind have been identified, according to Proofpoint.
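For defenders reviewing the OAuth applications present in a tenant, the check below flags apps whose display name uses one of the brands named above while their reply address is outside that brand's domains. It is an added example, not code from Proofpoint or Microsoft; the record schema (`display_name`, `redirect_uris`), the brand-to-domain allowlist and the sample inventory are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Brands the article says the fake apps imitate, mapped to the domains this
# example ASSUMES are the only legitimate reply-URL hosts for each brand.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "adobe": {"adobe.com"},
    "ringcentral": {"ringcentral.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def review_app(app):
    """Return findings for one OAuth app record (hypothetical schema)."""
    findings = []
    # Normalise the name so "Docu-Sign" or "Docu Sign" still matches "docusign".
    name = "".join(ch for ch in app["display_name"].lower() if ch.isalnum())
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in name:
            continue
        for uri in app["redirect_uris"]:
            parts = urlsplit(uri)
            host = parts.hostname or ""
            # Tokens are delivered to the reply URL, so it must be HTTPS
            # and sit on a domain belonging to the brand the app claims.
            if parts.scheme != "https" or not host_in(host, domains):
                findings.append(f"{app['display_name']!r} claims {brand} "
                                f"but replies to {host or uri}")
    return findings

def review_inventory(apps):
    """Map display name -> findings, for apps with at least one finding."""
    return {a["display_name"]: f for a in apps if (f := review_app(a))}

# Constructed sample inventory; none of these records come from the campaign.
SAMPLE_APPS = [
    {"display_name": "Adobe Sign", "redirect_uris": ["https://secure.adobe.com/oauth/cb"]},
    {"display_name": "Docu-Sign Viewer", "redirect_uris": ["https://docs-review.example.net/cb"]},
    {"display_name": "RingCentral Voicemail", "redirect_uris": ["https://ringcentral.com.example.org/r"]},
    {"display_name": "Team Wiki", "redirect_uris": ["https://wiki.example.com/cb"]},
]

if __name__ == "__main__":
    for findings in review_inventory(SAMPLE_APPS).values():
        print("\n".join(findings))
```
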

It is notably this active campaign that is said to have led Microsoft to block legacy authentication protocols, a change that began in mid-July and is due to run through August. Proofpoint notes that this decision will of course improve general security, but that resisting these campaigns necessarily requires increased vigilance, because they rely on social engineering.

Recall that bypassing multi-factor mechanisms is not uncommon. In 2022, Microsoft explained in detail how a complex attack aimed at specific companies worked. It used dedicated servers, also relied on social engineering, and had strong similarities with the mechanisms described by Proofpoint.
