Because the pop-up window is just a custom HTML page, JavaScript can make it display any URL, including a legitimate one such as google.com or microsoft.com. Threat actors use several methods to achieve this. For example, this simple HTML link shows the correct and genuine URL: <a href="https://accounts.microsoft.com" onclick="return launchWindow();">Microsoft</a>.
The attacker's onclick handler returns false at the end, so the link still shows its legitimate destination when the user hovers over it. When the link is clicked, however, that destination is ignored and the handler opens the malicious pop-up window instead of the legitimate SSO authentication window. In this case, the usual advice to validate a website by checking its URL actually helps the threat actors gain the user's trust.
Fortunately for the user, it is relatively easy to verify whether the authentication pop-up is fake: try to drag it outside the webpage area of the browser. A fake pop-up stops at the edge of the page, because it is not a genuine separate window but an element drawn inside the page itself.
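As an added example (not code from the original article), a small scanner for the link pattern described above: it flags anchors whose inline onclick handler can cancel the navigation promised by the visible href. It is regex-based and heuristic, and the HTML sample it runs over is constructed here.

```javascript
// Added example, not from the article: flag anchors whose inline onclick
// handler can cancel the navigation promised by the visible href, the
// pattern a browser-in-the-browser page uses. Regex-based, heuristic.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)')/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// An inline handler suppresses the default navigation when it evaluates to
// false: either "return false" directly or "return someFn()" whose result
// the page controls. Both forms are treated as "navigation may be cancelled".
function handlerMayCancelNavigation(handler) {
  return /\breturn\s+false\b/.test(handler) ||
         /\breturn\s+[A-Za-z_$][\w$]*\s*\(/.test(handler);
}

function findDeceptiveLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.href || !attrs.onclick) continue;
    if (!/^https?:\/\//i.test(attrs.href)) continue; // only absolute targets
    if (handlerMayCancelNavigation(attrs.onclick)) {
      findings.push({
        href: attrs.href,
        host: new URL(attrs.href).hostname, // what the user sees on hover
        onclick: attrs.onclick,             // what actually runs on click
      });
    }
  }
  return findings;
}

// Constructed sample page: one link of the kind the article describes and
// two benign links (a plain one, and an onclick that does not cancel navigation).
const SAMPLE_HTML = `
<a href="https://accounts.microsoft.com" onclick="return launchWindow();">Microsoft</a>
<a href="https://example.com/help">Help</a>
<a href="https://example.com/docs" onclick="trackClick('docs')">Docs</a>
`;
```

Run it over page HTML captured by a sandbox or mail gateway; a link that points at a login domain but may never navigate there deserves a closer look.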
Evilginx phishing technique
The Evilginx phishing technique relies on reverse proxying in a man-in-the-middle (MitM) framework to relay traffic back and forth between phished users and the genuine website. The current version of Evilginx is a stand-alone application that runs its own HTTP and DNS servers. Evilginx uses phishlet templates that mimic familiar sites such as Amazon, LinkedIn, Microsoft 365™, Facebook, Twitter, and others; phishlets are the configuration files that define how a legitimate website is proxied into a phishing website. Once the chosen phishlet is enabled, Evilginx automatically requests a free secure sockets layer (SSL) certificate for the new domain and waits for the victim to click on the phishing link.
MFA protects users from credential phishing because threat actors cannot obtain the additional factor from the user. However, MFA only makes it harder for threat actors to gain access via phishing; it does not prevent their access altogether. Because Evilginx works as a web reverse proxy, it can intercept and analyze the network traffic between the user and the real web server and capture the session cookies issued after the MFA step, bypassing MFA protection.
When a user logs into a web resource, the web browser stores session cookies or tokens. The server uses these cookies or tokens to validate the user's identity on requests made after login, but they do not contain any login credentials. Because a session cookie or token is also issued when the login used MFA, attackers who capture one can inject it into a new web session, and the server treats the attacker as the already-authenticated user without requiring authentication again. Additionally, many legitimate web-based applications issue long-lived or never-expiring cookies or tokens (unless the user logs out of the account), so there is no time restriction on threat actors moving laterally.
The good news is that while phishing techniques have become more sophisticated, authentication models and standards have also improved over time. WebAuthn is a modern authentication standard that helps mitigate MitM attacks. It uses hardware-based public-key authentication to generate unique key pairs that are bound to one relying party, that is, to one domain name. If a user is tricked into visiting a phishing website, the authenticator device will not authenticate, because the request reaches it from the fake website and that domain name does not match the domain the key pair was registered for. Additionally, Microsoft 365 customers with a sufficient license level can use Microsoft Azure™ Conditional Access to protect against these MitM attacks. Because the Evilginx server must terminate the SSL session with the user and open a new SSL session to the authentication server to avoid SSL errors, the SSL handshake that the authentication server sees originates from the attacker's machine. Azure Conditional Access can perform additional checks on the user's IP address, domain join membership, or certificate (via a cloud access security broker) to block Evilginx attacks.
Application consent phishing technique
An application consent attack is a phishing technique that focuses on obtaining authorization from the user rather than authentication. Application consent is the process by which users grant an application authorization to access protected resources on their behalf via the open-standard OAuth protocol, which provides secure access delegation so that users can give websites and applications access to their information on other websites and applications without handing over any credentials. Users might believe this function is safe and let down their guard because they are not asked for credentials. However, authorization is just as important as authentication.
In an attack against Microsoft 365-hosted data, threat actors first create an Azure-registered application that looks like a legitimate application from a trustworthy publisher. They then send an email to trick the end user into granting consent to the malicious application. Once the user grants access by clicking the "accept" button, the attackers' application receives an access token from Azure Active Directory™. The attackers can then use the token to act on behalf of the victim, such as reading files, sending mail, or even writing to files, depending on the access granted.
The most effective way to protect against an application consent attack is to disable the ability for users to grant rights to third-party applications. If users must be able to grant rights to third-party applications, a Microsoft PowerShell™ script can be implemented to search the audit logs for "Consent to application" events; Microsoft offers the Search-UnifiedAuditLog command for this purpose. Additionally, using Get-AzureADPSPermissions.ps1 to look for suspicious changes in permissions helps establish a regular inventory of applications and their permissions in the Microsoft 365 environment. Alternatively, if the organization has a sufficient license level, relevant OAuth policies can be created in Microsoft Cloud App Security, which scans for and detects misleading app names, publisher names, or malicious consent.
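As an added example (not code from the article), a triage pass over consent-grant audit events of the kind Search-UnifiedAuditLog returns, scoring each grant by the risk of the scopes it conferred. The records are constructed and simplified: the field names follow the exported AuditData shape, but only the fields used here are populated, and the app names and user names are invented.

```javascript
// Added example, not from the article: rank "Consent to application." audit
// records by the sensitivity of the granted scopes. Records are constructed.
const RISKY_SCOPES = new Set([
  'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All',
  'Directory.Read.All', 'offline_access',
]);

// Pull the space-separated scope list out of the ConsentAction.Permissions
// value, which looks like "[] => [[Id: ..., Scope: Mail.Read offline_access, ...]]".
function extractScopes(permissionsValue) {
  const m = /Scope:\s*([^\],]+)/.exec(permissionsValue || '');
  return m ? m[1].trim().split(/\s+/) : [];
}

function triageConsentEvents(records) {
  const findings = [];
  for (const r of records) {
    if (r.Operation !== 'Consent to application.') continue;
    const perm = (r.ModifiedProperties || []).find(p => p.Name === 'ConsentAction.Permissions');
    const scopes = perm ? extractScopes(perm.NewValue) : [];
    const risky = scopes.filter(s => RISKY_SCOPES.has(s));
    // offline_access yields a refresh token, so the grant outlives the session
    // the user consented in; weight it once more on top of its risky-scope count.
    const persistent = scopes.includes('offline_access');
    findings.push({
      user: r.UserId, app: r.ObjectId, scopes, risky, persistent,
      score: risky.length + (persistent ? 1 : 0),
    });
  }
  return findings.sort((a, b) => b.score - a.score); // highest risk first
}

// Constructed sample: one mail-and-files grant with refresh tokens, one benign
// grant, and one unrelated sign-in event that must be ignored.
const SAMPLE_RECORDS = [
  { Operation: 'Consent to application.', UserId: 'alice@example.com', ObjectId: 'Invoice Viewer (constructed)',
    ModifiedProperties: [{ Name: 'ConsentAction.Permissions',
      NewValue: '[] => [[Id: cons-1, Scope: Mail.Read Mail.Send Files.ReadWrite.All offline_access, ...]]' }] },
  { Operation: 'Consent to application.', UserId: 'bob@example.com', ObjectId: 'Team Calendar (constructed)',
    ModifiedProperties: [{ Name: 'ConsentAction.Permissions',
      NewValue: '[] => [[Id: cons-2, Scope: User.Read, ...]]' }] },
  { Operation: 'UserLoggedIn', UserId: 'carol@example.com', ObjectId: 'n/a' },
];
```

Feed it the JSON from the AuditData column of an exported search; grants that combine mail or file scopes with offline_access are the ones to review first, since that is exactly the foothold the attack described above is after.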
Phishing techniques and AI
As technology evolves, threat actors are also using artificial intelligence (AI) and machine learning techniques to conduct phishing and other cyberattacks. Phishing as a service (PhaaS) and ransomware as a service (RaaS) already exist in the wild; they provide paid toolsets that lower the technical skill required to perform malicious activities. The emergence of AI might eliminate such skill requirements further and greatly reduce the cost of committing criminal acts.
One fairly new way phishing techniques are leaning into AI is with Chat Generative Pretrained Transformer (ChatGPT), an AI chatbot system that OpenAI released in November 2022 to show and test what a very large, powerful AI system can accomplish. It has since become an increasingly popular topic across all industries. Despite ChatGPT's limitations, it has demonstrated the potential threat AI could pose. In a sense, ChatGPT is a genie let out of the bottle, and a double-edged sword depending on who is using it.
For example, ChatGPT can generate text in any style and can be used to write emails that are almost indistinguishable from those written by humans. It is constantly learning and evolving, so by feeding in a target set of business emails as training data, attackers can train an AI chatbot to write customized, persuasive emails that mimic a person's tone and business format. Not only can it generate the desired text, it can also generate malicious code and scripts in any format that can be attached to an email and then compromise the victim's system or retrieve credentials once downloaded or opened.
Example 1 of ChatGPT code-generation ability