Mitiga finds the Microsoft 365 accounts of business executives under attack by malicious attackers who use a combined strategy of spear phishing and man-in-the-middle methods.

Cybersecurity firm Mitiga disclosed that a dubious Business Email Compromise (BEC) campaign is continuously targeting Microsoft’s executive officers. The attackers are using the malicious maneuver of spear phishing with a man-in-the-middle strategy to hijack business transactions.

They make the user believe that their account has been frozen to sway them into using a malicious account. The firm discovered that unauthorized access to Microsoft’s users comes from several locations, including San Jose, Dubai, and Singapore.

Mitiga proposes to not solely rely on MFA

The scammers abuse weaknesses in Microsoft 365’s multi-factor Authentication system (MFA), Microsoft Authenticator, and Microsoft 365 Identity Protection. Mitiga advised Microsoft to no not exclusively rely on the MFA system as scammers can easily break through it by setting up a different authentication app. Users never get to know about this change.

“Given the accelerated growth of [these] attacks, it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks”, Mitiga said. “We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.”

“Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent [these] attacks.”

Tip: Microsoft warns of increase in IIS web server attacks