Two different phishing attacks that bypass MFA have recently been discovered. One campaign targets Microsoft users, the other targets Gmail users. The two attacks go about it differently, but both get past MFA-enabled security configurations.

Microsoft campaign

The phishing attack that targets Microsoft email users focuses on organizations in the fin-tech, lending, accounting, insurance, and credit union space and looks to divert payments to bank accounts owned by the attackers. It is closer to a business email compromise (BEC) attack: the Microsoft email user receives a BEC-style phishing email luring them to a spoofed website. Once the user is on the spoofed site, the attacker uses one of several adversary-in-the-middle (AiTM) tools that sit between the user and the real login page. This lets the attacker intercept the session cookie that is issued once MFA is completed, and that cookie is enough to gain access to the account.
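As an added illustration (not code from the original post), the script below looks for the signature a replayed AiTM-stolen cookie leaves in sign-in logs: a session that completed MFA from one IP address and is then used from a different one. The log records are constructed samples and the field names are assumptions, not any vendor's log schema.

```python
"""Flag sessions whose cookie is used from an IP other than the one that
completed MFA, the pattern left by an AiTM cookie-replay attack."""
from datetime import datetime

# Constructed sample sign-in events (not from the article or any real tenant).
# "session" stands for a hash of the session cookie; "mfa" marks the event
# in which the user completed the MFA challenge for that session.
SAMPLE_LOGS = [
    {"ts": "2023-08-01T09:00:00", "user": "alice", "session": "sess-A1",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": "2023-08-01T09:05:00", "user": "alice", "session": "sess-A1",
     "ip": "203.0.113.10", "mfa": False},
    {"ts": "2023-08-01T09:07:00", "user": "alice", "session": "sess-A1",
     "ip": "198.51.100.77", "mfa": False},   # same cookie, new IP: replay
    {"ts": "2023-08-01T10:00:00", "user": "bob", "session": "sess-B9",
     "ip": "192.0.2.5", "mfa": True},
    {"ts": "2023-08-01T18:00:00", "user": "bob", "session": "sess-B9",
     "ip": "192.0.2.5", "mfa": False},       # same IP all day: benign
]


def find_cookie_replay(events):
    """Return one alert per event where a session is used from an IP that
    differs from the IP that completed MFA for that (user, session)."""
    mfa_origin = {}   # (user, session) -> (ip, timestamp of MFA completion)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["session"])
        if ev["mfa"]:
            mfa_origin[key] = (ev["ip"], ts)
            continue
        if key not in mfa_origin:
            continue   # no MFA record seen for this session; out of scope here
        origin_ip, origin_ts = mfa_origin[key]
        if ev["ip"] != origin_ip:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "mfa_ip": origin_ip,
                "new_ip": ev["ip"],
                "minutes_after_mfa": int((ts - origin_ts).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_replay(SAMPLE_LOGS):
        print("possible session cookie replay:", alert)
```

Legitimate roaming between networks also changes the source IP, so in production this rule is a lead to correlate with geolocation or ASN changes and with the user's usual devices, not a verdict on its own.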

Gmail campaign

This phishing attack works differently from the Microsoft attack, targets different industries, and appears to be state-sponsored. The organizations typically affected are in the nuclear industry, the weapons systems industry, and other fields of interest to the North Korean government. The attack tries to trick users into installing a browser extension, which then lets the attacker read their email.

What you can do

It is still highly recommended to use MFA, and to use it on all of your business accounts. The two attacks identified here do not change the fact that MFA remains one of the best tools in your cybersecurity toolbox. What they do show is the importance of using multiple tools, because cybersecurity requires layers of protection around your accounts and data. For both of these attacks, make sure you are running up-to-date antivirus software to reduce the risk of your computer or device installing any malware associated with the phishing attack. It is also important to train your team regularly on phishing emails like these and to report any suspicious email. Finally, it is time to consider email security tools that can scan incoming mail, including attachments and links, for malicious content.

  • Deploy reputable antivirus software
  • Train your team on phishing emails
  • Utilize email security tools

Protecting your small business is never easy and we are here to help. Test your cyber knowledge and take our Learning Course. For more information on phishing attacks bypassing MFA and other small business cybersecurity resources, check out Small Business, Big Threat! For more on cyber policies, check out the Access Resources page.