Passkeys are a very secure way to protect accounts, as they help prevent phishing and other online attacks. In fact, they're one of the most secure ways to protect your accounts, because it's a physical device that you insert into your computer - it's very difficult to hack!
However, despite their strength, there are still ways that cybercriminals can breach accounts, even in Microsoft 365. This article tells the story of a real-life breach where attackers stole $530k from an organization, explaining how it happened and how you can protect yourself. This is about how an attack method called 'pass-the-cookie' can jeopardize your company's security!
What Happened:
In this case, the attackers used a method called "pass-the-cookie" to bypass security. They tricked a user into clicking a malicious link in an email, which installed malware on their device. This malware stole the session cookie—a small piece of data that websites use to keep you logged in. With this cookie, the attacker could log into Microsoft 365 as the user without needing their passkey again.
Once inside, the attackers took steps to stay hidden and maintain access. They monitored emails and tricked other employees into sending money to a fraudulent account. This breach shows that even strong security like passkeys needs to be complemented with other protective measures.
Passkeys are a robust form of Multi-Factor Authentication (MFA), offering strong protection against phishing and man-in-the-middle attacks. However, even with such measures, breaches in Microsoft 365 can still occur. This article explores how breaches can happen and how to protect against them using Microsoft 365's native security features.
Case Study: An organization recently experienced a breach despite using passkeys. They lost over $500,000 to a fraudulent account after multiple users were compromised.
Attack Method: Pass-the-Cookie
1. What is Pass-the-Cookie? Pass-the-cookie, or cookie hijacking, involves stealing session cookies stored by websites during user logins. These cookies have varying lifetimes but can be exploited to gain unauthorized access.
2. How the Breach Occurs:
- Secure MFA Setup: The user logs in with a Yubikey, storing the session cookie in the browser.
- Vulnerable Personal Device: The user accesses Microsoft 365 on an unprotected personal device.
- Malicious Email: The attacker sends a phishing email, tricking the user into clicking a malicious link.
- Malware Deployment: The link installs malware that extracts the session cookie.
- Unauthorized Access: The attacker uses the stolen cookie to log in as the user, bypassing MFA.
Achieving Persistence
3. Maintaining Access:
- Short-lived Session Tokens: Microsoft sessions last 1 hour but can be extended.
- Persistence Tactics: Attackers might register a device or add an MFA method to maintain access.
4. Goals of the Attacker:
- Reconnaissance: The attacker gathers information, targeting users responsible for payments.
- Inbox Manipulation: They create rules to hide their activity and avoid detection.
5. Fraudulent Transactions:The attacker uses compromised accounts to trick other users into transferring money to a fraudulent account.
Prevention Strategies
To keep your Microsoft 365 accounts safe from cyberattacks, it’s essential to follow a few key practices. First, make sure all devices that access company data have the latest security updates and antivirus software installed. This helps prevent malware from taking over your device. If possible, restrict access to company data from personal devices, or ensure they meet strict security requirements through tools like Intune.
Using advanced security features in Microsoft 365 is also crucial. Conditional Access Policies can help by only allowing access from trusted devices and locations. Microsoft Defender can detect and block malicious emails and links before they cause harm. Setting up alerts for unusual activities can help you respond quickly to potential threats.
Finally, regular training for employees is vital. Teach them how to recognize phishing attempts and suspicious emails. Encourage them to be cautious with emails asking for sensitive information or financial transactions. By staying informed and vigilant, you can significantly reduce the risk of cyberattacks and keep your data secure.
1. Strengthen Device Security:
- Prevent access to corporate data on personal devices.
- Enroll personal devices in Intune and enforce security policies.
2. Enhance Session Security:
- Use Conditional Access Policies to enforce non-persistent browser sessions.
- Utilize Defender for Office 365 for phishing and link protection.
3. Restrict Session Tokens:
- Implement strict Conditional Access policies to terminate sessions from untrusted IPs.
- Enable "Require token protection for sign-in sessions" (currently in preview).
4. Detect and Respond:
- Use Entra ID P2 for detecting and blocking suspicious sessions.
- Configure policies to prevent unauthorized device registration and MFA method addition.
5. Monitor and Alert:
- Set up alerts for suspicious inbox rules and other anomalies.
- Use Defender for Cloud Apps for additional protections.
6. Educate Users:
- Conduct regular security awareness training, emphasizing vigilance regarding financial information.
Conclusion
By leveraging the security features in Microsoft 365, such as Business Premium, organizations can significantly reduce the risk of breaches. Implementing the above strategies can help protect against sophisticated attacks, even when using strong MFA methods like passkeys.