This Microsoft phishing campaign can hack you, even if you have MFA

password_theft_india
(Image credit: Raj N)

Hackers are able to hijack Outlook email accounts even if they’re protected by multi-factor authentication, Microsoft has warned. 

The company’s cybersecurity teams from the Threat Intelligence Center, and the Microsoft 365 Defender Research Team have uncovered a new large-scale phishing campaign that targeted more than 10,000 businesses in the past year.

The compromised email accounts are later used for business email compromise (BEC) attacks, in which the victim’s business partners, clients, and customers, end up being defrauded for their money.

Stealing session cookies

The victim would receive a phishing email, with a link to log into their Outlook account. That link, however, would lead them to a proxy site, seemingly identical to the legitimate one. The victim would try to log in, and the proxy site would allow it, sending all of the data through. 

However, once the victim completes the authentication process, the attacker would steal the session cookie. As the user doesn’t need to be reauthenticated at every new page visit, that gives the threat actor full access, as well.

"From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com)," Microsoft’s blog post said. "In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account."

After getting hold of the email account, the attackers would proceed to target the contacts in the inbox, using the stolen identities to try and trick them into sending payments of various sizes. 

To make sure the original victim stays oblivious to the fact that their email accounts are being abused, the attackers would set up inbox rules on the endpoint, marking their emails as read by default, and moving them to archive, immediately. The attackers would check the inbox every couple of days, it was said.

"On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox," Microsoft says. "Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets' organization domains."

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Security padlock in circuit board, digital encryption concept
MFA alone won’t protect you in 2025: the new cybersecurity imperative
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Representational image of a shrouded hacker.
Getting to grips with Adversary-in-the-Middle threats
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all