Phishing That Lands a Trophy

By now, we all think we’re pretty savvy when it comes to recognizing phishing emails. But what about when you honestly can’t tell the difference between a malicious email and a genuine one? Phishing schemes are getting more sophisticated every day and even the most highly trained can be fooled. While Microsoft Defender for Office 365 offers serious protection against malicious emails, the human error component can never truly be eradicated. “Key Security Threats Facing Your M365 Environment and How to Protect It,” a recent webinar from 1nteger’s cybersecurity team, explored a scenario where a phishing email was successful and yielded quite the trophy for attackers.  

Multi-factor authentication fatigue 

Cyber criminals are creative and persistent, often relying on a combination of attack techniques to gain entry into a system. In this real-life example, a business fell victim to a scheme that utilized both phishing and multi-factor authentication (MFA) fatigue.  

It all started when an end user received a very well-crafted phishing email. The domain checked out and the links looked legitimate. They clicked on the link and provided their credentials as requested. Simultaneously, an outside cyber attacker siphoned the credentials and then attempted to log in numerous times. Their Microsoft 365 (M365) environment had multi-factor authentication enabled, requiring the end user to approve access from a new device via email. Hackers rely on MFA fatigue, in which the recipient eventually gets worn out by the frequency of voice and push notifications asking for consent, causing them to get lax and automatically consent without doing their due diligence.  

At one point, the end user, suffering from MFA fatigue, became annoyed and approved one of the numerous login attempts. From there, the cyber criminal established access, undetected by the client. For three weeks, there was a lull in which nothing happened.  

What can happen in three weeks? 

Once attackers gained access, they monitored the compromised account, collecting information, gaining intelligence, and looking for ways to use what they’d learned to commit fraud or target a partner organization via phishing. After three weeks, the criminals attacked, setting up mail flow rules to forward key emails out of the organization. Then, they responded to the recipients, posing as the compromised user. At that time, the end user finally became aware of the situation and brought it to the attention of their IT department. IT was able to mitigate some of the damage, but much data had already been lost. Untangling data leaks or theft after the fact is a significant challenge.  

91% of cyberattacks start with a phishing email 

91% of cyberattacks start when someone clicks a link in an email that they shouldn’t, just like in the above scenario. Anti-phishing platforms plus security awareness programs, such as KnowBe4, are helpful, but criminals are always building a better mousetrap and users are, after all, only human. Additionally, MFA is not always strong enough to fend off a persistent criminal. 

Unfortunately, this is not just a statistic or a sensationalized story ripped from the headlines: these attacks are problems that the 1nteger team reacts to on a weekly basis in support centers all over the country.  

While you may have cybersecurity support now, the odds are that the traffic in and out of your M365 account is not being monitored around the clock. 1nteger CORE offers managed detection and response (MDR) and incident response for M365, plus vulnerability scanning. Our Security Operations Center continuously monitors malicious admin changes, unauthorized email delegate access, multiple failed or unauthorized access attempts, MFA changes, foreign and impossible logins, and suspicious email forwarding rules, all of which could have stopped the above attack before it started. 
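Two of the monitoring points listed above map directly onto the scenario in this post: the burst of sign-in attempts that produced the MFA fatigue, and the mail flow rule that later forwarded email out of the organization. The following is an added example written for this article (it is not 1nteger's or Microsoft's code) showing how both could be detected from audit records. The events are constructed sample data loosely modelled on Microsoft 365 Unified Audit Log fields (CreationDate, Operation, UserId, ResultStatus, Parameters); the exact field names, the "Failed"/"Success" result values and the forwarding parameter names are assumptions for the example, and the thresholds and window are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs). Alice receives six failed
# sign-ins in a few minutes, then a success once an MFA prompt is approved;
# three weeks later an inbox rule forwards her mail to an outside domain and
# deletes the local copy. Bob's internal forward is benign. Carol's mailbox is
# set to forward externally via Set-Mailbox.
SAMPLE_EVENTS = [
    {"CreationDate": "2023-04-03T08:00:05", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:01:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:02:20", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:03:30", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:04:40", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:05:50", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T08:07:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ResultStatus": "Success"},
    {"CreationDate": "2023-04-03T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ResultStatus": "Failed"},
    {"CreationDate": "2023-04-03T09:00:30", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ResultStatus": "Success"},
    {"CreationDate": "2023-04-24T09:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationDate": "2023-04-24T10:00:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "Name", "Value": "to assistant"},
                    {"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"CreationDate": "2023-04-24T11:30:00", "Operation": "Set-Mailbox",
     "UserId": "carol@example.com", "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:drop@attacker.example"}]},
]

# Parameter names that cause mail to leave a mailbox (assumed set for the example).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")


def detect_login_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold failed sign-ins inside one window, the
    pattern behind MFA fatigue, and note whether a success followed the burst
    (i.e. a prompt was eventually approved). Returns {user: finding}."""
    attempts = defaultdict(list)
    for e in events:
        if e["Operation"] == "UserLoggedIn":
            attempts[e["UserId"]].append(
                (datetime.fromisoformat(e["CreationDate"]), e["ResultStatus"]))
    findings = {}
    for user, rows in attempts.items():
        rows.sort()
        fails = [t for t, r in rows if r == "Failed"]
        for start in fails:
            burst = [t for t in fails if start <= t <= start + window]
            if len(burst) >= threshold:
                last = burst[-1]
                approved = any(r == "Success" and last <= t <= last + window
                               for t, r in rows)
                findings[user] = {"failed": len(burst),
                                  "burst_start": start.isoformat(),
                                  "success_after_burst": approved}
                break  # one finding per user is enough for an alert
    return findings


def detect_external_forwarding(events, internal_domains):
    """Flag inbox rules or mailbox settings that forward mail to a domain the
    organisation does not own. DeleteMessage=True is recorded because it hides
    the forwarded mail from the mailbox owner."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for e in events:
        if e["Operation"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        for name in FORWARD_PARAMS:
            if name not in params:
                continue
            target = params[name]
            if target.lower().startswith("smtp:"):   # Set-Mailbox style prefix
                target = target[5:]
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in internal:
                findings.append({"user": e["UserId"], "when": e["CreationDate"],
                                 "operation": e["Operation"], "target": target,
                                 "deletes_copy": params.get("DeleteMessage") == "True"})
    return findings


if __name__ == "__main__":
    print(detect_login_bursts(SAMPLE_EVENTS))
    print(detect_external_forwarding(SAMPLE_EVENTS, {"example.com"}))
```

The two detections are deliberately separate: the sign-in burst is an early signal (it fires on the day of the phishing email), while the forwarding rule is the late one (it fires three weeks later, when the attacker begins exfiltrating mail). Alerting on the first would have shortened the three-week lull described above; alerting on the second would still have caught the fraud attempt the moment the rule was created rather than when the user noticed replies going astray.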

The ability to act in real time, 24×7, is essential to be able to identify, isolate and remove threats. Contact us to learn how you can proactively protect your environment within a few days and stop phishers from landing a trophy.   
