How to Guard Against Cybercriminals Bypassing Multifactor Authentication by Stealing Cookies


Stecyk

Well-known member
Member
Local time
2:05 AM
Posts
83
OS
Microsoft Windows 11 Professional High End
Questions: What are the best practices for using a VPN on shared Wi-Fi to avoid being hacked? More specifically, how can we guard against cybercriminals bypassing multifactor authentication by stealing cookies?

Background


We have a small group of individuals working on a large project. Most of us work from home or from our offices, and we are located in different locations in British Columbia and Alberta.

On Monday, two days ago, two colleagues were meeting in an office tower in downtown Calgary, Alberta. Colleague A has a permanent office located there, and colleague B was visiting. A uses a PC, and B uses a Mac. For a portion of their in-person meeting, all of us in our group were meeting through Microsoft Teams. In other words, most of us were virtual, while A and B were located together in a conference room. B was using Wi-Fi to connect to the internet.

All of us have Microsoft 365, and we have enforced two-factor authentication.

As B was leaving the conference room and heading toward the elevator just before noon, he started receiving emails and texts about a suspicious email that people were receiving. Many of us, including me, got an email with “RFP Review Required from XYZ Organization” where XYZ Organization was our organization. For the work we are doing, requests for proposals are common.

When I clicked on the link to access the “encrypted document,” I got directed to a website where Norton 360 complained that it was not safe. I shut my browser tab and thought I would ask B to put the document on our server so that we could access it without having to click on links. Shortly thereafter, I learned that the email was malicious because B did not send the document and many were receiving it.

Once we knew we had a problem, we froze his account and signed him (hacker) out of any active sessions. Later, we spoke with B and provided him with a new password and unfroze his account.

When we checked B’s recent accesses to his Microsoft account, we saw accesses from California at around the time the emails went out. I then ran a mail trace to see who the hacker had emailed. The hacker emailed 265 people within one minute.

I am guessing that a hacker stole a session cookie for B’s Microsoft 365 account. With that cookie, he did not need the password or the two-factor authentication. He was then able to send emails to others using B’s account and his organization.

So I am wanting to know how to guard against this problem. If I am using a PC laptop with a VPN, I first need to connect to the internet before engaging the VPN. Is that correct? How can I ensure that a hacker cannot get access to anything on my PC?

I know that once I am on the internet with my VPN engaged, I am safe. My main concern is the time between accessing the internet and engaging my VPN.

Are there any best practices to follow?

For those interested, here’s a link from the FBI on “Cybercriminals Are Stealing Cookies to Bypass Multifactor Authentication”:


Perhaps this post belongs in "AntiVirus, Firewalls and System Security"? If so, can someone please move it. Thank you.
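The containment and triage steps described in the post (freeze the account, sign out active sessions, review recent accesses, run a mail trace) as an added PowerShell example; this is not code from the original post. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds a role allowed to disable users, revoke sessions, read sign-in logs and run message traces, and that $Upn, $Since and $Until are placeholders.

```powershell
# Added example (not from the original post). $Upn is a placeholder for
# the compromised account; $Since/$Until bound the investigation window.
$Upn   = 'user.b@example.com'
$Since = (Get-Date).AddDays(-3)
$Until = Get-Date

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Contain: block new sign-ins, then invalidate every refresh token and
#    session so a stolen cookie/token stops working at its next refresh.
#    Changing the password alone does not end sessions that are already open.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Investigate: sign-ins for the account with location and client, so an
#    out-of-region session stands out beside the user's normal ones. A replayed
#    cookie is not always logged as a fresh interactive sign-in, so also compare
#    the times against the mail trace below.
$sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter   = "userPrincipalName eq '$Upn' and createdDateTime ge $sinceUtc"
Get-MgAuditLogSignIn -Filter $filter -All |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.State), $($_.Location.CountryOrRegion)" } },
        AppDisplayName, ClientAppUsed,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } } |
    Format-Table -AutoSize

# 3. Scope: message trace for mail sent from the account, bucketed per minute.
#    A single minute with hundreds of recipients is the burst the post describes.
#    (Newer ExchangeOnlineManagement releases also offer Get-MessageTraceV2.)
Connect-ExchangeOnline -ShowBanner:$false
$trace = Get-MessageTrace -SenderAddress $Upn -StartDate $Since -EndDate $Until -PageSize 5000
$trace |
    Group-Object { $_.Received.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending |
    Select-Object -First 10 @{ n = 'Minute'; e = { $_.Name } }, Count,
        @{ n = 'Subjects'; e = { ($_.Group.Subject | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize

# Delivery outcome per recipient for the burst (delivered, blocked, failed),
# which is the list of contacts to warn.
$trace | Group-Object Status | Select-Object Name, Count
```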

My Computer

System One

  • OS
    Microsoft Windows 11 Professional High End
    Computer type
    PC/Desktop
    Manufacturer/Model
    Boxx Technologies
    CPU
    13th Gen Intel(R) Core(TM) i9-13900K 3.00 GHz
I have attached a screenshot of the download from the message trace. Jeff was the individual who was affected. In other words, he is "B" in the prior post. In the "Subject" column, you will see "Important RFP from (redacted org name) - Review Required".

As mentioned, there were 265 emails that were sent. And as you can see from the screenshot, some mail systems either blocked the email or the email address no longer exists.

Our group has "Microsoft Defender for Office 365 (Plan 1)" that is supposed to detonate any attachments and follow the links to ensure that they are safe. This email sailed right through. I seem to recall that it was a PDF that gave the appearance that it was encrypted and required users to visit a website. When I clicked on the document, a new Edge tab opened that went to the malicious website. Once that happened, I shut down the email and browser tab. My recollection is not precise as I was not paying close attention until I decided to shut it down.
 

Attachment: 2025-03-26_15-12-31-Jeff.webp

Lots of info to digest in this post...

First point: a VPN is not a security tool; it is a privacy tool.

Second point, since you don't actually know how the account was compromised it's hard to make a recommendation.

Third point, all we know is you have M365 but not which licensing level; higher levels are going to have more security controls you can enable to help protect your accounts. Beyond that we have no idea what other security controls (physical [not super relevant], technical and administrative).

Here is a small non-exhaustive list of ways someone could gain access to your account:
  • Malware (could steal cookies/access tokens etc., or even proxy into your system)
  • MFA fatigue (they get you to approve an MFA request while logged in elsewhere), may also require a phish for creds
  • Spoofing an OAuth or OIDC request (they can social engineer you with a specially crafted legitimate link)
  • Insecure mail delivery enabled in your M365 tenant such as SMTP/IMAP or other legacy auth
  • Others
 
@neemobeer

Thank you for your reply. Allow me to add a few more comments.

1. VPN: I was under the impression that a VPN provided a secure tunnel where others cannot access your system nor see what you are doing. Perhaps my impression is incorrect.

2. You are correct. What I do know are the following:
  • No issues prior to the meeting
  • Issues during the meeting
  • Logs indicating access from California to Jeff's account during the meeting
  • No issues again after account restored
Based on the above, is it reasonable to assume his account was compromised during the meeting? And is it also reasonable to assume that someone or something grabbed his cookies? He certainly did not authorize any other person using his Microsoft Authenticator app.

3. Microsoft 365 E-3 corporate account with Microsoft Defender for Office 365 (Plan 1).

4. Malware, possibly, though it is interesting that it started and stopped while he was using a Wi-Fi connection and there has been no reoccurrence. Also, logs indicate California access during the meeting.

MFA fatigue: Unlikely since he was busy meeting with others and not attending to his authenticator. Even then, users need to know the number or whatever.

Spoofing: Again unlikely. Someone needed access to his account. It is not as though we provided an entry to "our system." They got entry to a specific user's account.

Insecure mail delivery: It is buttoned down reasonably well. We have SPF and DMARC settings configured. If someone spoofs our email address, it will get rejected by the recipient.
 
While a VPN does encrypt all traffic (unless there is split tunneling), the purpose is privacy. It doesn't typically provide any protection from someone accessing your system, from malware, or for the sites you visit. Some VPNs do provide bolt-on security features, but that wasn't the purpose of a VPN.

MFA fatigue happens by generating a lot of MFA requests (which requires knowing the user creds). The goal here of the attacker is getting the user to approve the MFA request, so they don't need to have access to the MFA method themselves.

One I forgot is framing a legitimate MFA screen in a threat-actor-controlled site (they can potentially intercept the requests this way, or clickjacking).

My point about insecure mail access methods is that all an attacker needs is a user/pass. These don't require MFA and are not the same thing as DMARC/SPF/DKIM. They are sending through your mail accounts, so DMARC will always pass. This is akin to an open (semi-open) relay.
 
For some added peace of mind, I would recommend looking at adding the Entra ID P2 plan to your existing subscription. This is licensed at $9/user/month, and then setting up the extra Entra ID protection features.

In particular, these are the features I would want to configure with a P2 license. These would likely have detected and asked for new authentication, including a forced new MFA auth:

Risk-Based Conditional Access
Identity Protection (Risk Detection)

Additionally, look at blocking all legacy authentication (with a conditional access policy) and POP3 and IMAP for mail access.
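The controls suggested above (block legacy authentication with a Conditional Access policy, require fresh MFA on risky sign-ins, turn off POP3/IMAP) as an added example in Microsoft Graph and Exchange Online PowerShell; this is not the poster's code. It assumes Conditional Access is available (Entra ID P1, which E3 includes), that the sign-in-risk policy only takes effect with P2, and that $BreakGlassId is a placeholder object ID for an emergency-access account that must stay excluded.

```powershell
# Added example (not from the original post). $BreakGlassId is a placeholder
# for the object ID of an emergency-access account excluded from every policy.
$BreakGlassId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Policy 1: block legacy authentication. 'exchangeActiveSync' and 'other'
# cover the basic-auth clients that cannot perform MFA. Start in report-only,
# review the sign-in log for what it would have blocked, then set 'enabled'.
$blockLegacy = @{
    displayName = 'Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

# Policy 2 (needs P2): when Identity Protection rates a sign-in medium or high
# risk (unfamiliar location, anonymous IP, token anomaly), require MFA and a
# fresh sign-in every time rather than honouring an existing session.
$riskMfa = @{
    displayName = 'Require MFA on medium or high sign-in risk'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        signInRiskLevels = @('medium', 'high')
        clientAppTypes   = @('all')
        applications     = @{ includeApplications = @('All') }
        users            = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskMfa | Out-Null

# Mailbox side: switch off POP3, IMAP and SMTP AUTH, the password-only paths
# legacy clients use. The plan covers new mailboxes; the loop covers existing ones.
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false }

# Verify: this should now return nothing.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled
```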
 
@neemobeer

Once again, thank you for your reply.

> While a VPN does encrypt all traffic (unless there is split tunneling), the purpose is privacy. It doesn't typically provide any protection from someone accessing your system, from malware, or for the sites you visit. Some VPNs do provide bolt-on security features, but that wasn't the purpose of a VPN.

So if I understand correctly, aside from privacy, there is little to be gained from a VPN? Because most sites are now https, the traffic to and from is encrypted.

Although our organization has been in existence for about five years, it is small and largely unknown. We don't even get any spam. None, zero. And we don't get MFA requests other than the ones we initiate.

> My point about insecure mail access methods is that all an attacker needs is a user/pass. These don't require MFA and are not the same thing as DMARC/SPF/DKIM. They are sending through your mail accounts, so DMARC will always pass. This is akin to an open (semi-open) relay.

I am not sure I fully understand your comment. Yes, we have DMARC, SPF, and DKIM. But you mention that is not the thrust of your message. Jeff is not a sophisticated user, and neither am I, so it is unlikely he could have provided any information to others to allow them to legitimately gain access.

The key point that I am focused on is that he was away from home using Wi-Fi when the attack occurred. He did not get any MFA requests. We have evidence of a third-party gaining access to his account from his access logs. The third party accessed his account while he was using the general office Wi-Fi. I should note that this office environment is rather open. That is to say that there are many different individuals and companies that rent office space on this floor and share a Wi-Fi network.
 
@neemobeer, Thank you for your reply.

> For some added peace of mind, I would recommend looking at adding the Entra ID P2 plan to your existing subscription. This is licensed at $9/user/month, and then setting up the extra Entra ID protection features.
>
> In particular, these are the features I would want to configure with a P2 license. These would likely have detected and asked for new authentication, including a forced new MFA auth:
>
> Risk-Based Conditional Access
> Identity Protection (Risk Detection)

That is interesting and worth looking into. Is it hard for a non-technical person to configure? I configured our DMARC, SPF, and DKIM. I am certainly not a technical person, though. I usually know enough to get by.

> Additionally, look at blocking all legacy authentication (with a conditional access policy) and POP3 and IMAP for mail access.

Could you please elaborate more on your prior comment? I do not know enough to be able to act on it. But if it is something worthwhile doing, I should consider it.
 
First, I know nothing about such a scenario, BUT is it totally off-base to recommend that you contact 365 security support? Would they not be the most logical ones to figure out what and how it happened on Monday and help you deal with the problem? I would suspect that if, indeed, this hacker accessed Person B's 365 account, he also accessed Person B's address book, which just gave the hacker more ammunition. I would think MS servers store a lot of info that the end user has no access to. If this thought is totally out of line for what you are dealing with, ignore it.
 
> Some VPNs do provide bolt-on security features, but that wasn't the purpose of a VPN.

I know there are people who don’t like or don’t trust Kaspersky, but I do.
Its built-in VPN is impressive in my opinion; it also allows for added security, some of which I haven’t enabled. I am on my iPad at the moment.

Attachment: IMG_5344.webp
 
> First, I know nothing about such a scenario, BUT is it totally off-base to recommend that you contact 365 security support? Would they not be the most logical ones to figure out what and how it happened on Monday and help you deal with the problem? I would suspect that if, indeed, this hacker accessed Person B's 365 account, he also accessed Person B's address book, which just gave the hacker more ammunition. I would think MS servers store a lot of info that the end user has no access to. If this thought is totally out of line for what you are dealing with, ignore it.

Thank you for your comment.

Have you ever called corporate Microsoft 365 support?

My experience is that they are trying to get you back up and running as quickly and as efficiently as possible. They are not there to provide root cause analysis or help you debug or troubleshoot issues that are rightfully yours to solve. In other words, Microsoft is not your IT department.

If someone does download a lot of files quickly, administrators are alerted. That didn't happen.

If a hacker gets access to someone's account, then they obviously have access to their address book. Given that 265 emails were sent out in about one minute, they obviously had a script or some code that sent out the emails.
 
> If you move forward with the P2 licensing and get stuck, feel free to DM me for config help.

Thank you for your willingness to assist. I am not sure if we will go forward with the P2 license. But it is good to have a resource for support. I appreciate your kindness.
 
> I know there are people who don’t like or don’t trust Kaspersky, but I do.
> Its built-in VPN is impressive in my opinion; it also allows for added security, some of which I haven’t enabled. I am on my iPad at the moment.

Thank you for your comment. I admit, Kaspersky does make me cautious.
 
> Thank you for your comment. I admit, Kaspersky does make me cautious.

Many people are of that opinion; it didn’t help that one country made them out to be the devil incarnate. But it’s a fair call to be cautious. 🙏
 
> Many people are of that opinion; it didn’t help that one country made them out to be the devil incarnate. But it’s a fair call to be cautious. 🙏

I certainly do not have any direct knowledge of the company's trustworthiness. It seems, though, that the world has become a less friendly global neighborhood in recent years. Consequently, I am exercising more caution than is perhaps necessary.
 
> Consequently, I am exercising more caution than is perhaps necessary.

Always follow advice from people you trust. But most importantly, your gut. It will tell you how to act. 🙏
It’s OK not to trust something. Nobody else's business.
 
> Always follow advice from people you trust. But most importantly, your gut. It will tell you how to act. 🙏
> It’s OK not to trust something. Nobody else's business.

Thank you. Let's hope we move forward to a better and more trusting environment.
 