How a Client’s Email Was Hacked and Why “Basic” MFA No Longer Protects You

It is a classic cat-and-mouse game. Hackers are cunning, nimble, and determined to get what they are after. IT professionals implement processes and tools to defeat these thieves, and the thieves find another way in. For this reason, keeping up with current security trends and prevention methods is extremely important. As this story shows, all it takes is one employee clicking on the wrong thing to give a hacker access.

This past week, a client contacted us to open a ticket about an email issue: her emails were landing in the wrong folder instead of her Inbox. Just before the trouble started, she had also had a problem opening a spreadsheet sent by a trusted partner. Our technician logged in and found that an inbox rule had been put in place that was automatically moving her messages to another folder. The employee stated that she had never set up this rule and, further, did not know how to do such a thing. Using Microsoft’s forensic tools, our technician dug deeper and found that someone else had access to the email account.

BUT HOW? He verified that the account had MFA (Multi-Factor Authentication) enabled. The only way someone else could have gained access was if the employee herself had handed over the second-factor MFA code.

The employee walked us through her morning, and she specifically recalled entering an MFA code immediately before her email began misbehaving. She had been expecting a settlement spreadsheet from one of their partners, and it arrived in her inbox. She opened the link to the spreadsheet, which took her to a Box.com site. Box is a legitimate secure storage service that lets you share files via email, and since she had used it before there was no reason for alarm. Inside the Box site she attempted to download the spreadsheet; instead, she was taken to a Microsoft 365 login page asking her to "re-authenticate". This is a big red flag, but she felt comfortable because she had dealt with this company many times in the past without issue. And yes, she had been fully trained on this tactic and others through a comprehensive cyber security training program. It turned out that the 365 login screen was a fake, served from the hacker’s servers. After she entered her password it prompted for MFA as well, and it passed both her credentials and the code through to the legitimate Microsoft site in order to gain access to her email. We call this kind of technique a “Man in the Middle” attack. From there, the hackers had complete access to her mailbox, where they proceeded to create a couple of rules before we kicked them out. Luckily, no harm was done.
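The inbox rules the intruder created were the first artifact our technician found. As an added example (not the post's own tooling), here is a small triage script for inbox-rule events from a Microsoft 365 Unified Audit Log export; the records are constructed for the example, and the field names (Operation, UserId, ClientIP, Parameters) assume the Exchange audit record shape.

```python
"""Triage inbox-rule events from a Microsoft 365 Unified Audit Log export
(assumed Exchange record shape: Operation, UserId, ClientIP, Parameters)."""
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers pick so diverted mail goes unnoticed by the victim.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}

SAMPLE_RECORDS = [  # constructed sample records; IPs are documentation ranges
    json.dumps({"Operation": "New-InboxRule", "UserId": "aria@example.com",
                "ClientIP": "203.0.113.45", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "settlement;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "ben@example.com",
                "ClientIP": "192.0.2.10", "Parameters": [
                    {"Name": "Name", "Value": "Project Falcon"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]}),
]

def params(record):
    """Flatten the Parameters list into a lower-cased {name: value} dict."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in record.get("Parameters", [])}

def rule_findings(record):
    """Reasons an inbox-rule event looks like post-compromise mail hiding."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p, reasons = params(record), []
    if p.get("movetofolder", "").lower().lstrip("\\") in HIDE_FOLDERS:
        reasons.append("moves mail to a folder the user rarely opens")
    for flag in ("deletemessage", "markasread"):  # keeps diverted mail unseen
        if p.get(flag, "").lower() == "true":
            reasons.append(f"sets {flag}")
    if any(p.get(k) for k in ("forwardto", "redirectto", "forwardasattachmentto")):
        reasons.append("forwards or redirects mail outside the mailbox")
    if len(p.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons

def triage(raw_records):
    """Parse JSON records and return one finding per suspicious rule event."""
    hits = []
    for rec in map(json.loads, raw_records):
        if reasons := rule_findings(rec):
            hits.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                         "rule": params(rec).get("name"), "reasons": reasons})
    return hits
```

Each hit carries the ClientIP so an analyst can compare it against the user's usual sign-in locations, the same signal the login-location feature below surfaces at authentication time.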

So how can you better defend against this type of attack?

Recently, Microsoft released a new feature, still in public preview, called “MFA with additional context”. It uses “push” notifications to your phone instead of OTP codes (the rotating numbers of six or more digits). It also adds two great features: the geographic location of the login request, and number matching. Number matching is huge because you must enter into your phone the exact two-digit number shown on the login screen. A hacker would have to interact with you and talk you into typing that number into your phone for it to work, which makes things much more difficult for the thief. Additionally, these features remove the ability to script and automate an attack like the one described above.

You can read more about it here:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context

The moral of the story is that we all let our guard down over time, so it is imperative to continuously preach cyber vigilance to your team and to those you regularly do business with. I encourage you to reach out to your IT professional and implement these new features. If you are a PalmTech client, we have finished our internal testing (all of our employees are using enhanced MFA) and are beginning to roll it out to our managed clients. You will be contacted within the coming weeks.

Yours for a more secure world,

Chuck