
Scammers try to bypass Office 365 multi-factor authentication
Scammers are using phishing to get users to grant permissions to fake applications, bypassing multi-factor authentication on Office 365 accounts.
The attack begins with an e-mail invitation that links to a Microsoft SharePoint page where a file purportedly about a salary bonus has been uploaded.
Following the link takes you to a real Microsoft Office 365 login page, but the URL carries a slight change, something that shouldn’t be there.
When the user enters login and password and presses the login button, the ID token and authorization code are sent to a fake Office 365 domain/app.
The fake app thereby gains access to the victim’s account: it can read and modify all its contents and access contacts.
The attacker therefore doesn’t need to know the login credentials; the attacker just needs the victim to log onto the real Microsoft Office 365 via the sent URL, which hands the real ID token and authorization code to the fake website.
Even though the access token expires after some time, the app has permission to refresh tokens, which means it can retain access indefinitely.
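The mechanism above (a genuine Microsoft login host, but an authorization response routed to an app the victim never meant to authorize) can be checked before a user clicks. The following is an added example, not code from the original article: it parses an authorize link and reports where the authorization code and ID token would be delivered (redirect_uri), whether the link asks for both at once, and whether it requests mailbox, contact or offline_access (refresh-token) permissions. The article does not say which part of the URL was altered; the assumption here is the redirect_uri. The approved-host list and both sample links are constructed for the example, and attacker-example.invalid is a placeholder, not a real domain.

```python
"""Flag OAuth authorize links whose response would go to an unapproved app.

Added example for the consent-phishing pattern described in the article.
All hosts, scopes and sample links below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Genuine Microsoft sign-in endpoints. A phishing link usually points here too,
# which is why the host alone is not enough to judge the link.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Redirect targets this (hypothetical) tenant has approved to receive
# authorization codes / ID tokens. Anything else is a red flag.
APPROVED_REDIRECT_HOSTS = {"www.office.com", "outlook.office.com"}

# Scopes that let a third-party app read or change mail and contacts, plus
# offline_access, which issues a refresh token and lets the grant outlive
# the access token's expiry (the "indefinite access" in the article).
SENSITIVE_SCOPES = {
    "mail.read", "mail.readwrite", "contacts.read", "contacts.readwrite",
    "files.readwrite.all", "offline_access",
}


def check_auth_link(url: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    # parse_qs decodes %-escapes and '+' so values can be compared directly.
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    if parsed.hostname not in MICROSOFT_LOGIN_HOSTS:
        findings.append(f"sign-in host {parsed.hostname!r} is not a Microsoft login endpoint")

    redirect_uri = params.get("redirect_uri")
    if not redirect_uri:
        findings.append("link carries no redirect_uri")
    else:
        redirect_host = urlparse(redirect_uri).hostname
        if redirect_host not in APPROVED_REDIRECT_HOSTS:
            findings.append(
                f"authorization response would be sent to {redirect_host!r}, "
                "which is not an approved redirect host"
            )

    # 'code id_token' is the hybrid flow: both artefacts reach the redirect target.
    response_types = params.get("response_type", "").split()
    if "code" in response_types and "id_token" in response_types:
        findings.append("response_type requests both an authorization code and an ID token")

    # Scopes may be bare ("Mail.Read") or resource-qualified
    # ("https://graph.microsoft.com/Mail.Read"); normalise to the last segment.
    requested = {s.rsplit("/", 1)[-1].lower() for s in params.get("scope", "").split()}
    hits = sorted(requested & SENSITIVE_SCOPES)
    if hits:
        findings.append("requests sensitive scopes: " + ", ".join(hits))

    return findings


# Constructed sample links (not taken from any real campaign).
LEGIT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?response_type=code"
    "&redirect_uri=https%3A%2F%2Fwww.office.com%2F"
    "&scope=openid+profile"
)
PHISHING_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?response_type=code+id_token"
    "&redirect_uri=https%3A%2F%2Fattacker-example.invalid%2Fcb"
    "&scope=openid+offline_access+Mail.ReadWrite+Contacts.Read"
)

if __name__ == "__main__":
    for name, link in (("legitimate", LEGIT_LINK), ("phishing", PHISHING_LINK)):
        print(name, "->", check_auth_link(link) or ["no findings"])
```

Both links land on the real login.microsoftonline.com page, so a host check alone passes them both; only the redirect target, the hybrid response type and the offline_access scope separate the two. In a tenant, the stronger control is an allowlist of approved application IDs (client_id) together with admin consent requirements, which this example leaves out.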
What should you do?
- don’t open clear phishing attempts (like salary bonus files)
- think before you grant all the permissions to an app
- always log in by typing the URL yourself, not from sent links