-
Home
-
Knowledge Base
-
James Haywood
- Token Theft: Bypassing Multi-factor authentication
Knowledge Base
Token Theft: Bypassing Multi-factor authentication
What is the attack and how does it work?
A popular email phishing attack affecting Microsoft 365 users involves bypassing multi-factor authentication. The attackers send an email with a link that looks like a PDF document. If you click on the link, you will be taken to a fake website that looks like a typical Microsoft log in site. There, you will be asked to enter your username and password. If you do, the attackers will steal your credentials and your MFA token, which means they can access your account even if you have multi-factor authentication enabled.
Example:
How can you spot the phishing email?
The phishing email may look convincing, but there are some signs that can help you identify it. Here are some tips to spot the phishing email:
- Check the sender's email address. The phishing email may use a spoofed domain that looks similar to the “original” one, but is not the same. For example, it may use @micros0ft.com instead of @microsoft.com.
- Check the link before you click on it. You can hover your mouse over the link and see the actual URL. The phishing link may use a shortened URL service or a fake domain that looks like Microsoft, but is not the same. For example, it may use https://bit.ly/3zXyZt9 or https://microsoft-login.com instead of https://microsoft.com.
- Check the language and grammar. The phishing email may have spelling or grammatical errors, or use unusual or informal language. For example, it may say "Please open this document urgently" or "Your account will be suspended if you don't verify your identity".
How can you prevent the attack?
The best way to prevent the attack is to avoid clicking on any suspicious links or attachments in emails. If you are not sure about the legitimacy of an email, you can contact the sender directly or report it to your IT department. Intrada clients can submit a ticket at https://www.intradatech.com/helpdesk.
Another way to prevent the attack is to set up a conditional access policy in Microsoft 365. A conditional access policy is a set of rules that control who can access your resources and under what conditions. For example, you can set up a policy that requires users to use a trusted device or a specific network to access your account. This way, even if the attackers steal your credentials and MFA token, they will not be able to access your account from an untrusted device or network. In order to set-up conditional access policies, a licensing plan that includes Entra ID Plan 1 is required.
To learn more about this compromise, you can read the full description from Microsoft here.
If you may have been affected by the compromise or would like help investigating an email, you can submit a ticket by clicking here or call us at 570-321-7370.
About the author
Contact Us
|
Contact Information: |
Hours of Operation: |
OUR FOCUS
Intrada Technologies is a full-service web development and network management company with a focus on creating ongoing, trusted partnerships with each of our clients.
We make sure our clients have what they require to run their businesses with maximum efficiency and reliability, as many of their needs are mission-critical.
Our unique, collaborative partnerships allow us to provide our clients with the assurance that we will be there when they need us.