[Solved] How to Guard Against Cybercriminals Bypassing Multifactor Authentication by Stealing Cookies


@neemobeer

I followed the link you provided in your recent reply. I have begun a small audit to see what more I can learn. There are so many activities to investigate. I chose the following:

fileaccessed, filemodified, foldercopied, foldercreated, folderdeleted, managedsyncclientallowed, create, copy, mailboxlogin, mailitemsaccessed, sendonbehalf, send, update, softdelete, new-inboxrule, set-inboxrule, updateinboxrules

There is one thing I just remembered that I haven't mentioned before. After we unblocked and provided a new password, the user was able to send email but could not receive email. After he spoke with Microsoft, he learned that there was a rule created where his incoming email was sent or stored in conversations. Does that make any sense?

Earlier he mentioned to me that he could not receive email. Using mail trace, I knew that his emails were being delivered. He was not seeing them, though. So I had him contact Microsoft. Afterward, he mentioned that there was an Outlook rule or something to that effect. This user would not be creating Outlook rules. Again, I am not exactly sure what Microsoft did to restore his ability to have his incoming email become visible.
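As an added example (not code from the thread or from Microsoft), here is a small Python checker that runs over exported Microsoft 365 audit records and flags inbox rules of the kind discussed in this post, i.e. rules that move incoming mail out of the Inbox or otherwise divert it. The record layout (an `AuditData` JSON string carrying `Operation` and a `Parameters` list of `Name`/`Value` pairs) and the sample rows are assumptions made for the example.

```python
"""Flag Microsoft 365 audit records for inbox rules that divert mail, the
pattern in this thread: a rule moved incoming mail out of the Inbox so the
user stopped seeing it. Assumed layout: each row has an "AuditData" JSON
string with Operation, UserId, CreationTime and a Parameters list of
{Name, Value} pairs. Sample rows are constructed, not the thread's logs."""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Rule actions that take mail away from where the user looks, with a weight;
# a rule scoring >= THRESHOLD is reported for review.
SUSPICIOUS_PARAMS = {
    "MoveToFolder": 2,          # mail lands outside the Inbox
    "DeleteMessage": 3,
    "MarkAsRead": 1,            # hides unread counts when paired with a move
    "ForwardTo": 3,
    "RedirectTo": 3,
}
THRESHOLD = 2


def score_rule(params):
    """Return (score, reasons) for a rule's {name: value} parameter dict."""
    score, reasons = 0, []
    for name, weight in SUSPICIOUS_PARAMS.items():
        value = params.get(name)
        if value is None or str(value).strip().lower() in ("", "false"):
            continue               # parameter absent or explicitly off
        score += weight
        reasons.append(f"{name}={value}")
    return score, reasons


def find_suspicious_rules(rows, threshold=THRESHOLD):
    """Return one finding per rule-creating record scoring >= threshold."""
    findings = []
    for row in rows:
        audit = json.loads(row["AuditData"])
        if audit.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p.get("Value") for p in audit.get("Parameters", [])}
        score, reasons = score_rule(params)
        if score >= threshold:
            findings.append({"time": audit.get("CreationTime"),
                             "user": audit.get("UserId"),
                             "operation": audit["Operation"],
                             "rule_name": params.get("Name"),
                             "score": score, "reasons": reasons})
    return findings


# Constructed sample export: a rule that tucks new mail into a "Conversations"
# folder and marks it read, followed by a harmless edit of an existing rule.
SAMPLE_ROWS = [
    {"AuditData": json.dumps({"CreationTime": "2025-03-01T03:12:44",
        "UserId": "user@example.test", "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "MoveToFolder", "Value": "Conversations"},
                       {"Name": "MarkAsRead", "Value": "True"}]})},
    {"AuditData": json.dumps({"CreationTime": "2025-03-02T09:00:00",
        "UserId": "user@example.test", "Operation": "Set-InboxRule",
        "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                       {"Name": "Enabled", "Value": "True"}]})},
]
```

Running `find_suspicious_rules(SAMPLE_ROWS)` reports only the first rule; a rule that merely re-enables an existing one scores zero.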
To be honest, I am not sure how an encrypted DNS would have helped in this situation.
The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up, the IP address that domain resolves to, and a timestamp.

They wouldn't see any of your HTTP requests or responses.

If the victim has any browser plugins, I would scrutinize those. Browser plugins are not bound by the Same Origin policy and could easily fire off a request on behalf of the victim, with his current credentials. A little bit of JavaScript and those credentials end up on the attacker's server.
> The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up, the IP address that domain resolves to, and a timestamp.
>
> They wouldn't see any of your HTTP requests or responses.
>
> If the victim has any browser plugins, I would scrutinize those. Browser plugins are not bound by the Same Origin policy and could easily fire off a request on behalf of the victim, with his current credentials. A little bit of JavaScript and those credentials end up on the attacker's server.

That's a great idea to follow up. This person is not a sophisticated user. I believe he is using Edge browser on a Mac when working on this project. The fact that the problem ceased seems to indicate that it was a one-time hit. Of course, I am not positive that is the case.
> The only information that an attacker can glean from your unencrypted DNS is the domain that is looked up, the IP address that domain resolves to, and a timestamp.

Sort of. Unencrypted DNS can also be modified, so I can send you to my-malicious-server.com instead of google.com, but you won't know the difference.

But also, knowing where someone is going is quite handy for finding places to attack them. If I wanted to pelt you with a water balloon, knowing where you work or shop would be super handy.
@neemobeer

After I ran the query, I found that the hacker spent most or all of its time with the email. And I see where it created a new email rule.

Interesting stuff.

> That's a great idea to follow up. This person is not a sophisticated user. I believe he is using Edge browser on a Mac when working on this project. The fact that the problem ceased seems to indicate that it was a one-time hit. Of course, I am not positive that is the case.

Browser plugins can be extremely dangerous. They have access to all browser windows / tabs which normally segregate domains from accessing each other's data / cookies.
A typical scenario looks like this:

Benign browser plugin gains popularity because it's useful to a large user base.
Entity with the appearance of legitimacy approaches plugin developer with an interest in purchasing the plugin.
Entity purchases plugin, promising to maintain / develop further.
Entity adds malignant functionality to the plugin and pushes updates en masse.

Truly awful.

Also - what you mentioned RE the victim's email being delivered but not to him - I've not really heard of an attack like this, but if the person that was briefly receiving the victim's emails was in fact the attacker, it would be semi-trivial for him / her to modify / add links and send it on to the victim.

Have you gone through the raw email headers and compared them to others that occurred before and after? It's headache-inducing but there should be a difference if that scenario actually occurred.
> Sort of. Unencrypted DNS can also be modified, so I can send you to my-malicious-server.com instead of google.com, but you won't know the difference.
>
> But also, knowing where someone is going is quite handy for finding places to attack them. If I wanted to pelt you with a water balloon, knowing where you work or shop would be super handy.

This is absolutely true if he was doing more than passively sniffing. If he was in the position to manipulate the responses, he could send the victim to anywhere of his liking.
> Browser plugins can be extremely dangerous. They have access to all browser windows / tabs which normally segregate domains from accessing each other's data / cookies.
> A typical scenario looks like this:
>
> Benign browser plugin gains popularity because it's useful to a large user base.
> Entity with the appearance of legitimacy approaches plugin developer with an interest in purchasing the plugin.
> Entity purchases plugin, promising to maintain / develop further.
> Entity adds malignant functionality to the plugin and pushes updates en masse.
>
> Truly awful.
>
> Also - what you mentioned RE the victim's email being delivered but not to him - I've not really heard of an attack like this, but if the person that was briefly receiving the victim's emails was in fact the attacker, it would be semi-trivial for him / her to modify / add links and send it on to the victim.
>
> Have you gone through the raw email headers and compared them to others that occurred before and after? It's headache-inducing but there should be a difference if that scenario actually occurred.

The email was delivered to him, just not in its usual location. The hacker created an Outlook or Exchange rule to place the emails in "Conversations" or something. To be honest, I am not completely clear on what happened. The user complained he was not able to get email. I verified through mail trace that mail was being delivered. He contacted Microsoft and discovered that there was a rule redirecting his email to "Conversations" or something. Perhaps the hacker created a folder called "Conversations" and placed all the email there. Because he was happy to receive his email again, I did not think to follow up more closely.
> @neemobeer
>
> After I ran the query, I found that the hacker spent most or all of its time with the email. And I see where it created a new email rule.
>
> Interesting stuff.

If the attacker was able to make a rule, he obviously had access to the victim's email.

I'm assuming that in the victim's environment, copies of all received emails remain on the server, which means that the attacker had access to those.

Ugh.
> The email was delivered to him, just not in its usual location. The hacker created an Outlook or Exchange rule to place the emails in "Conversations" or something. To be honest, I am not completely clear on what happened. The user complained he was not able to get email. I verified through mail trace that mail was being delivered. He contacted Microsoft and discovered that there was a rule redirecting his email to "Conversations" or something. Perhaps the hacker created a folder called "Conversations" and placed all the email there. Because he was happy to receive his email again, I did not think to follow up more closely.

Knowing that the victim would eventually have access to the emails stored in the "Conversations" folder, it would seem that the attacker had an interest in viewing those emails before the victim...
> If the attacker was able to make a rule, he obviously had access to the victim's email.
>
> I'm assuming that in the victim's environment, copies of all received emails remain on the server, which means that the attacker had access to those.
>
> Ugh.

Yes, the hacker had access to the emails. He also sent out spam emails to 265 people in the user's contact list.
> Yes, the hacker had access to the emails. He also sent out spam emails to 265 people in the user's contact list.

Advertising spam?
> Knowing that the victim would eventually have access to the emails stored in the "Conversations" folder, it would seem that the attacker had an interest in viewing those emails before the victim...

Thank you for your comment, Russ.

I have a slightly different theory. The hacker stored the emails in the Conversations folder for two reasons:

  1. He did not want the user to lose his email but also did not want the user to see the emails immediately
  2. After spamming others, he did not want the recipients of the spam to email the user to ask for verification or provide notification
    1. Instead, the email from others was placed in the Conversations folder where it is not easily seen on a mobile device or just looking, unless you know where to look
> Thank you for your comment, Russ.
>
> I have a slightly different theory. The hacker stored the emails in the Conversations folder for two reasons:
>
>   1. He did not want the user to lose his email but also did not want the user to see the emails immediately
>   2. After spamming others, he did not want the recipients of the spam to email the user to ask for verification or provide notification
>     1. Instead, the email from others was placed in the Conversations folder where it is not easily seen on a mobile device or just looking, unless you know where to look

Oh so not advertising spam - he was "spamming" phishing emails.
> Advertising spam?

No, it appeared to be a document "RFP -- Our Organization Name -- Immediate Review Required" or something like that. RFP, of course, means request for proposal. And when I clicked on the "encrypted document," my browser took me to a malicious website where Norton shut things down. So I just closed the browser tab and thought I would speak with the user afterward about the document. RFPs would not be uncommon for the type of work we are doing.

What did the malicious website want or do? We don't know.
> No, it appeared to be a document "RFP -- Our Organization Name -- Immediate Review Required" or something like that. RFP, of course, means request for proposal. And when I clicked on the "encrypted document," my browser took me to a malicious website where Norton shut things down. So I just closed the browser tab and thought I would speak with the user afterward about the document. RFPs would not be uncommon for the type of work we are doing.
>
> What did the malicious website want or do? We don't know.

Did you later right-click on the button / link and "copy link" to see the URL?
> Did you later right-click on the button / link and "copy link" to see the URL?

No, I just got rid of the email. I reported it to Microsoft and went on with my day. The faster I got rid of it, the better.
I am providing an update for everyone who contributed to this thread.

While working through the logs, we discovered that the hacker had installed malware in our tenant called PERFECTDATA SOFTWARE. It used all caps, so I am repeating it. The software was installed a few weeks prior to the mass emails being sent out. So the mass emails did not indicate when the hack occurred.

This malware allows the hacker access to the user's email. Given the mass mailings, this is not a surprise.

When discovered, the malware was removed.

When I spoke with Microsoft, they indicated that this software attack is not common but not rare either. The person I was speaking with had a similar client a few months ago.

The Microsoft technician indicated that the hacker was somehow able to get hold of the tokens and proceed from there. And the hacker can attack a user on a wired or wireless network. She doesn't know how the hacker is able to gain access to the tokens, or if she does know, she didn't share it with me.

One key suggestion is to not remain signed in. Allow your sign-in authority to lapse and then sign in again. She also mentioned to clear your browser cache occasionally, every few days.

Fortunately, the user did not have much, if any, non-public stuff in his emails.

We are beefing up our security by purchasing extra Microsoft protection as recommended by @neemobeer.

In the thread, Steve, @XxXxX, mentioned using encrypted DNS. I am reading up on that topic and will be following up. While it may not have helped in this instance, from what I have read so far, it is a good idea.

Thank you everyone for your contributions.