Our incident response team is seeing an uptick in adversaries using a very tricky man-in-the-middle attack to bypass MFA and breach Office 365 tenants.
Here’s an outline of how the attack works:
We trick a user into entering creds into our fake O365 login page (made with evilginx)
We make Microsoft send a passcode to the user’s phone
User enters their passcode on OUR fake page
We hijack the user’s session token
Gain access to SharePoint Online environment
Exfiltrate data from O365
Pivot to on-prem and steal CEO’s emails (because why not?)
Share
Watch the Replay!
Ryan O'Boyle
Engineer,Varonis
Our Clients
“Our biggest surprise to us as a company was to finally know how much sensitive data was actually out there living on our servers.”
Gomez, Senior IT Architect, The University of Southern California
