Solved How to Guard Against Cybercriminals Bypassing Multifactor Authentication by Stealing Cookies

@neemobeer

I followed the link you provided in your recent reply. I have begun a small audit to see what more I can learn. There are so many activities to investigate. I chose the following:

fileaccessed, filemodified, foldercopied, foldercreated, folderdeleted, managedsyncclientallowed, create, copy, mailboxlogin, mailitemsaccessed, sendonbehalf, send, update, softdelete, new-inboxrule, set-inboxrule, updateinboxrules ,

Click to expand...

There is one thing I just remembered that I haven't mentioned before. After we unblocked and provided a new password, the user was able to send email but could not receive email. After he spoke with Microsoft, he learned that there was a rule created where his incoming email was sent or stored in conversations. Does that make any sense?

Earlier he mentioned to me that he could not receive email. Using mail trace, I knew that his emails were being delivered. He was not seeing them, though. So I had him contact Microsoft. Afterward, he mentioned that there was an Outlook rule or something to that effect. This user would not be creating Outlook rules. Again, I am not exactly sure what Microsoft did to restore his ability to have his incoming email become visible.

Stecyk said:

To be honest, I am not sure how an encrypted DNS would have helped in this situation.

Click to expand...

The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up and the IP address that domain resolves to and a timestamp.

They wouldn't see any of your HTTP requests or responses.

If the victim has any browser plugins, I would scrutinize those. Browser plugins are not bound by the Same Origin policy and could easily fire off a request on behalf of the victim, with his current credentials. A little bit of javascript and those credentials end up on the attacker's server.

russ6100 said:

The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up and the IP address that domain resolves to and a timestamp.

They wouldn't see any of your HTTP requests or responses.

If the victim has any browser plugins, I would scrutinize those. Browser plugins are not bound by the Same Origin policy and could easily fire off a request on behalf of the victim, with his current credentials. A little bit of javascript and those credentials end up on the attacker's server.

Click to expand...

That's a great idea to follow up. This person is not a sophisticated user. I believe he is using Edge browser on a Mac when working on this project. The fact that the problem ceased seems to indicate that it was a one-time hit. Of course, I am not positive that is the case.

russ6100 said:

The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up and the IP address that domain resolves to and a timestamp.

Click to expand...

Sort of. Unencrypted DNS can also be modified, so I can send you to my-mailicious-server.com instead of google.com, but you won't know the difference.

But also, knowing where someone is going is quite handy for finding places to attack them. If I wanted to pelt you with a water balloon, knowing where you work or shop would be super handy.

@neemobeer

After I ran the query, I found that the hacker spent most or all of its time with the email. And I see where it created a new email rule.

Interesting stuff.

Stecyk said:

That's a great idea to follow up. This person is not a sophisticated user. I believe he is using Edge browser on a Mac when working on this project. The fact that the problem ceased seems to indicate that it was a one-time hit. Of course, I am not positive that is the case.

Click to expand...

Browser plugins can be extremely dangerous. They have access to all browser windows / tabs which normally segregate domains from accessing each other's data / cookies.
A typical scenario looks like this:

Benign browser plugin gains popularity because it's useful to a large user base.
Entity with the appearance of legitimacy approaches plugin developer with an interest in purchasing the plugin.
Entity purchases plugin, promising to maintain / develop further.
Entity adds malignant functionality to the plugin and pushes updates en masse.

Truly awful.

Also - what you mentioned RE the victim's email being delivered but not to him - I've not really heard of an attack like this but if the person that was briefly receiving the victims emails was in fact the attacker, if would be semi-trivial for him / her to modify / add links and send it on to the victim.

Have you gone through the raw email headers and compared them to others that occurred before and after? It's headache-inducing but there should be a difference if that scenario actually occurred.

pseymour said:

Sort of. Unencrypted DNS can also be modified, so I can send you to my-mailicious-server.com instead of google.com, but you won't know the difference.

But also, knowing where someone is going is quite handy for finding places to attack them. If I wanted to pelt you with a water balloon, knowing where you work or shop would be super handy.

Click to expand...

This is absolutely true if he was doing more than passively sniffing. If he was in the position to manipulate the responses, he could send the victim to anywhere of his liking.

russ6100 said:

Browser plugins can be extremely dangerous. They have access to all browser windows / tabs which normally segregate domains from accessing each other's data / cookies.
A typical scenario looks like this:

Benign browser plugin gains popularity because it's useful to a large user base.
Entity with the appearance of legitimacy approaches plugin developer with an interest in purchasing the plugin.
Entity purchases plugin, promising to maintain / develop further.
Entity adds malignant functionality to the plugin and pushes updates en masse.

Truly awful.

Also - what you mentioned RE the victim's email being delivered but not to him - I've not really heard of an attack like this but if the person that was briefly receiving the victims emails was in fact the attacker, if would be semi-trivial for him / her to modify / add links and send it on to the victim.

Have you gone through the raw email headers and compared them to others that occurred before and after? It's headache-inducing but there should be a difference if that scenario actually occurred.

Click to expand...

The email was delivered to him, just not in its usual location. The hacker created an Outlook or Exchange rule to place the emails in "Conversations" or something. To be honest, I am not completely clear on what happened. The user complained he was not able to get email. I verified through mail trace that mail was being delivered. He contacted Microsoft and discovered that there was a rule redirecting his email to "Conversations" or something. Perhaps the hacker created a folder called "Conversations" and placed all the email there. Because he was happy to receive his email again, I did not think to follow up more closely.

Stecyk said:

@neemobeer

After I ran the query, I found that the hacker spent most or all of its time with the email. And I see where it created a new email rule.

Interesting stuff.

View attachment 129707

Click to expand...

If the attacker was able to make a rule, he obviously had access to the victims email.

I'm assuming that in the victim's environment, copies of all received emails remain on the server, which means that the attacker had access to those.

Ugh.

Stecyk said:

The email was delivered to him, just not in its usual location. The hacker created an Outlook or Exchange rule to place the emails in "Conversations" or something. To be honest, I am not completely clear on what happened. The user complained he was not able to get email. I verified through mail trace that mail was being delivered. He contacted Microsoft and discovered that there was a rule redirecting his email to "Conversations" or something. Perhaps the hacker created a folder called "Conversations" and placed all the email there. Because he was happy to receive his email again, I did not think to follow up more closely.

Click to expand...

Knowing that the victim would eventually have access to the emails stored in the "Conversations" folder, it would seem that the attacker had an interest in viewing those emails before the victim...

russ6100 said:

If the attacker was able to make a rule, he obviously had access to the victims email.

I'm assuming that in the victim's environment, copies of all received emails remain on the server, which means that the attacker had access to those.

Ugh.

Click to expand...

Yes, hacker had access to the emails. He also sent out spam emails to 265 people in the user's contact list.

Stecyk said:

Yes, hacker had access to the emails. He also sent out spam emails to 265 people in the user's contact list.

Click to expand...

Advertising spam?

russ6100 said:

Knowing that the victim would eventually have access to the emails stored in the "Conversations" folder, it would seem that the attacker had an interest in viewing those emails before the victim...

Click to expand...

Thank you for your comment, Russ.

I have a slightly different theory. The hacker stored the emails in the Conversations folder for two reasons:

1. He did not want the user to lose his email but also did not want the user to see the emails immediately
2. After spamming others, he did not want the recipients of the spam to email the user to ask for verification or provide notification
   1. Instead, the email from others was placed in the Conversations folder where it is not easily seen on a mobile device or just looking, unless you know where to look

Stecyk said:

Thank you for your comment, Russ.

I have a slightly different theory. The hacker stored the emails in the Conversations folder for two reasons:

1. He did not want the user to lose his email but also did not want the user to see the emails immediately
2. After spamming others, he did not want the recipients of the spam to email the user to ask for verification or provide notification
   1. Instead, the email from others was placed in the Conversations folder where it is not easily seen on a mobile device or just looking, unless you know where to look

Click to expand...

Oh so not advertising spam - he was "spamming" phishing emails.

russ6100 said:

Advertising spam?

Click to expand...

No, It appeared to be a document "RFP -- Our Organization Name -- Immediate Review Required" or something like that. RFP, of course, means request for proposal. And when I clicked on the "encrypted document," my browser took me to a malicious website where Norton shut things down. So I just closed the browser tab and thought I would speak with the user afterward about the document. RFPs would not be uncommon for the type of work we are doing.

What did the malicious website want or do? We don't know.

Stecyk said:

No, It appeared to be a document "RFP -- Our Organization Name -- Immediate Review Required" or something like that. RFP, of course, means request for proposal. And when I clicked on the "encrypted document," my browser took me to a malicious website where Norton shut things down. So I just closed the browser tab and thought I would speak with the user afterward about the document. RFPs would not be uncommon for the type of work we are doing.

What did the malicious website want or do? We don't know.

Click to expand...

Did you later right-click on the button / link and "copy link" to see the URL?

russ6100 said:

Did you later right-click on the button / link and "copy link" to see the URL?

Click to expand...

No, I just got rid of the email. I reported it Microsoft and went on with my day. The faster I got rid of it, the better.

I am providing an update for everyone who contributed to this thread.

While working through the logs, we discovered that the hacker had installed malware in our tenant called PERFECTDATA SOFTWARE. It used all caps, so I am repeating it. The software was installed a few weeks prior to the mass emails being sent out. So the mass emails did not indicate when the hack occurred.

This malware allows the hacker access to the user's email. Given the mass mailings, this is not a surprise.

When discovered, the malware was removed.

When I spoke with Microsoft, they indicated that this software attack is not common but not rare either. The person I was speaking with had a similar client a few months ago.

The Microsoft technician indicated that the hacker was somehow able to get hold of the tokens and proceed from there. And the hacker can attack a user on a wired or wireless network. She doesn't know how the hacker is able to gain access to the tokens, or if she does know, she didn't share it with me.

One key suggestion is to not remain signed in. Allow your sign-in authority to lapse and then sign in again. She also mentioned to clear your browser cache occasionally, every few days.

Fortunately, the user did not have much, if any, non-public stuff in his emails.

We are beefing up our security by purchasing extra Microsoft protection as recommended by @neemobeer.

In the thread, Steve, @XxXxX, mentioned about using encrypted DNS. I am reading up on that topic and will be following up. While it may not have helped in this instance, from what I have read so far, it is a good idea.

Thank you everyone for your contributions.